Release Notes for HPE TCP/IP Services for OpenVMS Version 5.7 ECO 5 -
Patch for BIND, FTP, NTP, IMAP and POP services
________________________________________________________________

(C) Copyright 2016 Hewlett Packard Enterprise Development LP.

Confidential computer software. Valid license from HPE required for
possession, use or copying. Consistent with FAR 12.211 and 12.212,
Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.

The information contained herein is subject to change without notice.
The only warranties for HPE products and services are set forth in the
express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional
warranty. HPE shall not be liable for technical or editorial errors or
omissions contained herein.

Intel and Itanium are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States and other
countries.

UNIX is a registered trademark of The Open Group.

Microsoft is a US registered trademark of Microsoft Corporation.

---------------------------------------------------------------------------
Installation Note
---------------------------------------------------------------------------

This patch kit is a maintenance update for the product HPE TCP/IP
Services for OpenVMS Version 5.7 ECO 5. This kit is not compatible with
any other ECO releases of TCP/IP.

Installation of this patch kit is mandatory for systems which have the
HPE SSL1 kit (HP-I64VMS-SSL1-V0100-2C-1 / HP-AXPVMS-SSL1-V0100-2C-1, or
higher version) installed, to ensure compatibility between SSL1 and the
TCPIP components (BIND, FTP, NTP, IMAP and POP).

Before installing this patch, please make sure the following 3 PCSI kits
are installed in the system:

    TCPIP V5.7 ECO5 kit
        (HP-I64VMS-TCPIP-V0507-13ECO5-1 or
         DEC-AXPVMS-TCPIP-V0507-13ECO5-1)

    TCPIP Telnet patch V5.7 ECO5A
        (HP-I64VMS-TELNET_PAT-V0507-13ECO5A-4 or
         DEC-AXPVMS-TELNET_PAT-V0507-13ECO5A-4)

    SSL1 kit
        (HP-I64VMS-SSL1-V0100-2C-1 or
         HP-AXPVMS-SSL1-V0100-2C-1)

Please note that in order to make use of the new image(s), the following
services must be restarted after patch installation:

    - BIND server
    - FTP server and client
    - NTP server
    - IMAP server
    - POP server

The user can either restart these services one by one, or restart the
entire TCPIP service. (For details on restarting services, please refer
to the manual TCP/IP Services for OpenVMS - Management.)

Problems addressed in this kit are listed below.

---------------------------------------------------------------------------
Support for HPE-SSL V1.0-2C kit.
---------------------------------------------------------------------------

1.1  BIND, FTP, NTP, IMAP and POP are not compatible with HPE SSL1 kit

     9-NOV-2015                          Integrity servers and Alpha

     Problem:

     BIND, FTP, NTP, IMAP and POP in TCPIP are not compatible with the
     HPE SSL1 kit. Changes have been made to address this problem.

     Please note that in the HPE SSL1 release, the following logicals
     and image names have been updated:

         SSL$CERTS                to  SSL1$CERTS
         SSL$KEYS                 to  SSL1$KEYS
         SSL$LIBCRYPTO_SHR32.EXE  to  SSL1$LIBCRYPTO_SHR32.EXE
         SSL$LIBSSL_SHR.EXE       to  SSL1$LIBSSL_SHR.EXE

     Kindly make note of the aforementioned changes while referring to
     the TCPIP documentation. For more details, please refer to the HPE
     SSL1 release notes.

     Deliverables:

         [SYSMGR]TCPIP$BIND_STARTUP.COM
         [SYSEXE]TCPIP$BIND_SERVER.EXE
         [SYSEXE]TCPIP$DIG.EXE
         [SYSEXE]TCPIP$NSUPDATE.EXE
         [SYSEXE]TCPIP$BIND-CHECKCONF.EXE
         [SYSEXE]TCPIP$BIND-CHECKZONE.EXE
         [SYSEXE]TCPIP$DNSSEC-KEYGEN.EXE
         [SYSEXE]TCPIP$DNSSEC-SIGNZONE.EXE
         [SYSEXE]TCPIP$HOST.EXE
         [SYSEXE]TCPIP$RNDC-CONFGEN.EXE
         [SYSEXE]TCPIP$RNDC.EXE
         [SYSEXE]TCPIP$FTP_CLIENT.EXE
         [SYSEXE]TCPIP$FTP_CHILD.EXE
         [SYSEXE]TCPIP$FTP_SERVER.EXE
         [SYSEXE]TCPIP$NTP_RES_CHILD.EXE
         [SYSEXE]TCPIP$NTP.EXE
         [SYSEXE]TCPIP$NTPDATE.EXE
         [SYSEXE]TCPIP$NTPDC.EXE
         [SYSEXE]TCPIP$NTPQ.EXE
         [SYSEXE]TCPIP$NTP_KEYGEN.EXE
         [SYSMGR]TCPIP$POP_STARTUP.COM
         [SYSEXE]TCPIP$POP_SERVER.EXE
         [SYSEXE]TCPIP$POP_V57_ROLLOVER.EXE
         [SYSEXE]TCPIP$IMAP_SERVER.EXE
         [SYSEXE]TCPIP$IMAP_STOP.EXE

---------------------------------------------------------------------------
Poodle vulnerability in FTP, IMAP & POP
---------------------------------------------------------------------------

2.1  POODLE vulnerability in OpenVMS TCP/IP components - FTP, IMAP & POP.

     22-APR-2015                         Integrity servers and Alpha

     Problem:

     The POODLE vulnerability (CVE-2014-3566) has been addressed in this
     release.

     Deliverables:

         [SYSEXE]TCPIP$FTP_CLIENT.EXE
         [SYSEXE]TCPIP$FTP_CHILD.EXE
         [SYSEXE]TCPIP$FTP_SERVER.EXE
         [SYSEXE]TCPIP$POP_SERVER.EXE
         [SYSEXE]TCPIP$POP_V57_ROLLOVER.EXE
         [SYSEXE]TCPIP$IMAP_SERVER.EXE
         [SYSEXE]TCPIP$IMAP_STOP.EXE

     Reference:

         PTR 75-117-369

---------------------------------------------------------------------------
Corrections for BIND
---------------------------------------------------------------------------

3.1  Vulnerabilities in BIND Server

     30-Sept-2015                        Integrity servers and Alpha

     Problem:

     The following CVEs for BIND Server have been addressed:

         CVE-2012-1667
         CVE-2012-5166
         CVE-2012-4244
         CVE-2007-0493
         CVE-2007-0494
         CVE-2009-4022
         CVE-2010-0097
         CVE-2015-5477

     Deliverables:

         [SYSEXE]TCPIP$BIND_SERVER.EXE

     Reference:

         QXCM1001436461, QXCM1001434254, QXCM1001392881

---------------------------------------------------------------------------
Corrections for NTP
---------------------------------------------------------------------------

4.1  Vulnerabilities in NTP

     7-AUG-2015                          Integrity servers and Alpha

     Problem:

     The following CVEs for NTP have been addressed:

         CVE-2014-9293
         CVE-2014-9294
         CVE-2014-9295
         CVE-2014-9296
         CVE-2013-5211

     Deliverables:

         [SYSEXE]TCPIP$NTP_RES_CHILD.EXE
         [SYSEXE]TCPIP$NTP.EXE
         [SYSEXE]TCPIP$NTPDATE.EXE
         [SYSEXE]TCPIP$NTPDC.EXE
         [SYSEXE]TCPIP$NTPQ.EXE
         [SYSEXE]TCPIP$NTP_KEYGEN.EXE

     Reference:

         SSRT101942

---------------------------------------------------------------------------
Corrections for POP
---------------------------------------------------------------------------

5.1  POP server startup incorrectly logs a warning message

     7-AUG-2015                          Integrity servers and Alpha

     Problem:

     The POP server is expected to report the following error if the
     option "Ignore-Mail11-Headers" is set and the SMTP option
     "TOP_HEADERS" is not set:

         Warning! You have not configured SMTP /OPTION=TOP_HEADERS
         and at the same time you have configured POP to ignore mail11
         headers. This combination of options is not acceptable. Either
         turn on SMTP top headers or don't turn on POP ignore mail11
         headers. For this run the POP server will *not* ignore mail11
         headers.

     However, in some rare cases, the POP server might log this message
     while starting the TCPIP service, even if both options are set
     correctly. This issue of raising a false alarm has been addressed.

     Deliverables:

         [SYSEXE]TCPIP$POP_SERVER.EXE

     Reference:

         QXCM1001372391
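
Added example (not part of HPE's release notes or kit): a Python check for the logical and image renames listed in section 1.1, meant to be run over the text of site command procedures to find references that still use the old SSL$ names. The sample DCL lines and the function names are constructed for illustration, and identifier characters are assumed to be letters, digits, $ and _.

```python
import re

# Old name -> SSL1 name, exactly as listed in section 1.1 of these notes.
RENAMES = {
    "SSL$CERTS": "SSL1$CERTS",
    "SSL$KEYS": "SSL1$KEYS",
    "SSL$LIBCRYPTO_SHR32.EXE": "SSL1$LIBCRYPTO_SHR32.EXE",
    "SSL$LIBSSL_SHR.EXE": "SSL1$LIBSSL_SHR.EXE",
}
# Assumption: identifier characters are letters, digits, $ and _. The
# lookarounds keep SSL$KEYS_BACKUP or MYSSL$CERTS from matching.
_IDENT = r"[A-Z0-9$_]"
_PATTERN = re.compile(
    rf"(?<!{_IDENT})(" + "|".join(map(re.escape, RENAMES)) + rf")(?!{_IDENT})",
    re.IGNORECASE,  # DCL names are case-insensitive
)

def comment_start(line):
    """Index of the first '!' outside a quoted string, else len(line)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "!" and not in_quotes:
            return i
    return len(line)

def find_stale_references(text):
    """Return (line_no, old_name, new_name, in_comment) for each old name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        cut = comment_start(line)
        for m in _PATTERN.finditer(line):
            old = m.group(1).upper()
            findings.append((lineno, old, RENAMES[old], m.start() >= cut))
    return findings

# Constructed sample command procedure (not taken from any HPE kit).
SAMPLE = "\n".join([
    "$! Old path was SSL$CERTS:SERVER.CRT",
    "$ DEFINE/SYSTEM MY_CERT SSL$CERTS:SERVER.CRT",
    "$ define/system my_key ssl$keys:server.key",
    "$ DEFINE/SYSTEM NEW_CERT SSL1$CERTS:SERVER.CRT",
    "$ INSTALL ADD SYS$SHARE:SSL$LIBSSL_SHR.EXE",
    "$ COPY SSL$KEYS_BACKUP:*.* []",
])
if __name__ == "__main__":
    for finding in find_stale_references(SAMPLE):
        print(finding)
```

Findings flagged as in_comment are documentation only; the remaining ones are references that no longer resolve once only the SSL1 names exist.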