[Info-vax] Security, support and VMS, was: Re: A new VMS?

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon May 3 15:51:43 EDT 2021


On 2021-05-03 16:28:32 +0000, Simon Clubley said:

> On 2021-05-03, David Turner <dturner at islandco.com> wrote:
>> Well, I was talking more about simple support. Not patching, etc.
>> There are a lot of customers out there happy and content with their 
>> current status.
>> They just need a hand held when something goes wrong. I would say that 
>> goes for the majority of users out there.
>> 
> 
> Huh ??? The majority of VMS users don't care about keeping their 
> systems up to date and fully patched ???
> 
> I am having a hard time believing that...

Whether or not the folks care, it is commonplace to encounter old 
versions both internally, and publicly-exposed.

Yes, there are OpenVMS servers that are actively maintained. And 
OpenVMS servers that are not actively maintained.

Old OpenVMS and old network-facing LP versions are commonplace, 
including on publicly-exposed OpenVMS boxes.

There are OpenVMS servers on internal networks that are also not 
current on versions and patches.

Some OpenVMS servers do get upgraded secondary to an external 
requirement; a security audit, encryption requirement, or otherwise.

Others, not so much.

As of today, I see 223 publicly-visible OpenVMS Apache servers, many 
(most?) of which are down-revision.

That's out of 1112 publicly-visible OpenVMS servers.

Version details from the first few spots on the list of 
publicly-visible OpenVMS servers:

Apache HTTP Server 1.3.26 / OpenSSL 0.9.7d
Apache HTTP Server 2.0.52 / OpenSSL 0.9.7d
Apache HTTP Server 2.4.12 / OpenSSL 1.0.2n / PHP 5.6.10
Apache HTTP Server 2.0.65 / OpenSSL 0.9.8zb
Apache HTTP Server 2.0.63 / PHP 5.2.13

VSI Apache 2.4.38 is current for OpenVMS, while Apache HTTP Server 
2.4.46 is current.

VSI SSL111 V1.1.1g is current for OpenVMS, while OpenSSL 1.1.1k is current.

PHP 7.4.18 and PHP 8.0.5 are current. I haven't looked at what VSI is 
offering for PHP on OpenVMS.

I don't know the OpenVMS versions running on these servers; whether 
OpenVMS is as stale as these products.

And no, I'm not going to try to access and verify these OpenVMS 
servers, though the domains and IP addresses involved are widely 
available.

There are 56 OpenVMS servers running SMTP. I'd expect some selection of 
those are running the TCP/IP Services SMTP server, which ~lacks 
connection encryption.

Most of a hundred OpenVMS servers are active on Amazon AWS across 
India, Sweden, and Canada.  Presumably, those are running as emulated 
guests.



-- 
Pure Personal Opinion | HoffmanLabs LLC 
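
Added example, not part of the original post: a small Python check that parses version lines in the "Product X.Y / Product X.Y" form quoted above and reports which components are behind the upstream releases the post names as current. The function names are hypothetical, and the line format is assumed to match the five lines in the post; the VSI builds the post mentions are not used as the baseline here.

```python
import re

# Current upstream releases as stated in the post (May 2021).
CURRENT = {
    "Apache HTTP Server": ["2.4.46"],
    "OpenSSL": ["1.1.1k"],
    "PHP": ["7.4.18", "8.0.5"],
}

# The five version lines quoted in the post.
SEEN = [
    "Apache HTTP Server 1.3.26 / OpenSSL 0.9.7d",
    "Apache HTTP Server 2.0.52 / OpenSSL 0.9.7d",
    "Apache HTTP Server 2.4.12 / OpenSSL 1.0.2n / PHP 5.6.10",
    "Apache HTTP Server 2.0.65 / OpenSSL 0.9.8zb",
    "Apache HTTP Server 2.0.63 / PHP 5.2.13",
]

def version_key(version):
    """Sortable key; handles OpenSSL letter suffixes such as 1.0.2n or 0.9.8zb."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Pre-3.0 OpenSSL suffixes order as "" < a < ... < z < za < zb,
    # so compare suffix length before comparing the letters themselves.
    return nums, len(m.group(2)), m.group(2)

def parse_line(line):
    """Split 'Product X.Y / Product X.Y' into {product: version}."""
    found = {}
    for part in line.split("/"):
        name, _, version = part.strip().rpartition(" ")
        found[name] = version
    return found

def stale_components(line):
    """Return {product: (seen, current)} for each component behind current."""
    stale = {}
    for name, seen in parse_line(line).items():
        baselines = CURRENT.get(name)
        if not baselines:
            continue  # product not tracked in CURRENT
        major = version_key(seen)[0][0]
        # Compare within the same major branch when one is current (PHP 7 vs 8).
        same = [b for b in baselines if version_key(b)[0][0] == major]
        target = max(same or baselines, key=version_key)
        if version_key(seen) < version_key(target):
            stale[name] = (seen, target)
    return stale

if __name__ == "__main__":
    for line in SEEN:
        print(line, "->", stale_components(line))
```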



