SUMMARY: Dependency problems with Tru64 patches

From: Bob Vickers (bobv@cs.rhul.ac.uk)
Date: Thu May 29 2003 - 05:19:07 EDT


Dear All,

Thanks go to Dr Thomas Blinn, Iain Barker, Chris Ruhnke, Ken Kleiner and
especially to Denise Dumas of the T64 security team who sends sincere
apologies on their behalf and says we should expect to see the patch
reissued. She believes the 4.0F patch probably has the same problem.

The replies are tricky to summarise but here are a few salient points:

(1) a couple of people suggested baselining the system, but this does
*not* work in this particular situation because the baselining part of
dupatch does not regard these files as being of unknown origin. If you
want to use baselining you have to delete the files first which is a
fairly hairy process.

(2) Many security-related "Early Release Patches" *are* released as CSPs.

(3) Some people suggested removing the older patches. This is certainly
possible, but I have been unable to convince myself that they have been
fully superseded by later patches.

(4) As usual the good Dr Thomas Blinn provided excellent insight, some of
which I pass on:

 The terminology is somewhat confusing. The "SSRT" kits which contain
 "Early Release Patches" (things that will be in the next patch kit, if
 there ever is one, and one is in testing now for V4.0G and should be
 out by this summer) are produced using exactly the same tools as the
 Customer Specific Patch (CSP) kits.

 My suspicion is that the newer Patch C 00296.00 - V40G.BL17 CSP for
 SSRT2373 and SSRT2374 -- contains some of the same files that were in an
 older security patch (Patch C 00103.04 and Patch C 00103.01) that you did
 install, but that the older patch doesn't have as good a label on it as
 the newer one. In any case, presumably the new patch supersedes the
 older patch, and it's safe to remove the (two) older patch(es) and apply
 the new one. You need to go find the documentation for the two patches
 it's complaining about and make sure that all the files they replaced are
 being replaced again. That should have been done in making the newer
 patch, I don't know (personally) whether it was or not.

Anyway I'm now going to wait for HP to do that checking and hope that a
new patch arrives soon.

Bob

---------- Original message ----------
Date: Wed, 28 May 2003 12:35:53 +0100 (BST)
From: Bob Vickers <bobv@cs.rhul.ac.uk>
Reply-To: Bob Vickers <R.Vickers@cs.rhul.ac.uk>
To: Tru64 Unix Managers <tru64-unix-managers@ornl.gov>
Subject: Dependency problems with Tru64 patches

Dear Managers,

Once again I am trying to install a security patch and it is failing to
install because dupatch alleges that I have installed a customer specific
patch which interferes.

An online manual defines a customer specific patch as:

 Any patch that is developed and made available to resolve a problem for a
 specific customer. A Customer-Specific patch is developed with prior
 knowledge of that customer's unique hardware and software configuration
 and environment. Customer-Specific patches may not be useful for another
 customer's system.

I have never installed such a patch on Tru64 4.0G, I have only installed
official patch kits and publicly announced patches to security problems.
It seems to me that in the past Compaq have erroneously marked some
patches as CSP and this prevents future patches being installed.

I am reluctant to remove the older so-called CSPs because this may bring
back a security problem. What is the simplest safe way out of this mess?

Here are the messages from dupatch:

Problem installing:

 - Tru64_UNIX_V4.0G / Security Related Patches:
        Patch C 00296.00 - V40G.BL17 CSP for SSRT2373 and SSRT2374 (Shared Libra
        ./usr/dt/lib/libDtSvc.so:
                is installed by Customer Specific Patch (CSP):

 - Tru64_UNIX_V4.0G:
        Patch C 00103.04

                and can not be replaced by this patch. To install this patch,
                you must first remove the CSP using dupatch. Before performing
                this action, you should contact your Compaq Service
                Representative to determine if this patch kit contains the
                CSP. If it does not, you may need to obtain a new CSP from
                Compaq in order to install the patch kit and retain the CSP fix.

This patch will not be installed.

-------------------------------------------------------------------------
-------------------------------------------------------------------------

Problem installing:

 - Tru64_UNIX_V4.0G / Security Related Patches:
        Patch C 00297.00 - V40G.BL17 CSP for SSRT2415
        ./usr/dt/bin/dtsession:
                is installed by Customer Specific Patch (CSP):

 - Tru64_UNIX_V4.0G:
        Patch C 00103.01

                and can not be replaced by this patch. To install this patch,
                you must first remove the CSP using dupatch. Before performing
                this action, you should contact your Compaq Service
                Representative to determine if this patch kit contains the
                CSP. If it does not, you may need to obtain a new CSP from
                Compaq in order to install the patch kit and retain the CSP fix.

This patch will not be installed.

-------------------------------------------------------------------------
-------------------------------------------------------------------------

Problem installing:

 - Tru64_UNIX_V4.0G / Security Related Patches:
        Patch C 00299.00 - V40G.BL17 CSP for SSRT2373 and SSRT2374 (Static Libra
        ./usr/dt/lib/libDtSvc.a:
                is installed by Customer Specific Patch (CSP):

 - Tru64_UNIX_V4.0G:
        Patch C 00103.01

                and can not be replaced by this patch. To install this patch,
                you must first remove the CSP using dupatch. Before performing
                this action, you should contact your Compaq Service
                Representative to determine if this patch kit contains the
                CSP. If it does not, you may need to obtain a new CSP from
                Compaq in order to install the patch kit and retain the CSP fix.

This patch will not be installed.

Regards,
Bob
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
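
Added example (not part of the original post, and not HP or Compaq tooling): a sketch of the check described in point (4), which parses the dupatch conflict report above and lists, for each older patch, the files that still need to be confirmed as replaced before that patch is removed. The function names and the `OLD` manifests are assumptions for illustration; real file lists come from each patch's documentation.

```python
import re
from collections import defaultdict

PATCH = re.compile(r"^\s*Patch C (\d{5}\.\d{2})")
FILE = re.compile(r"^\s*(\./\S+):\s*$")

def parse_conflicts(text):
    """Return (new_patch, file, blocking_patch) for each conflict dupatch reports."""
    found, new, path, expect_blocker = [], None, None, False
    for line in text.splitlines():
        patch, file_ = PATCH.match(line), FILE.match(line)
        if patch and expect_blocker:      # patch ID following "is installed by ..."
            found.append((new, path, patch.group(1)))
            expect_blocker = False
        elif patch:                       # the patch dupatch refused to install
            new = patch.group(1)
        elif file_:                       # the file both patches want to own
            path = file_.group(1)
        elif "is installed by Customer Specific Patch" in line:
            expect_blocker = True
    return found

def unverified_files(conflicts, old_manifests):
    """Files each blocking patch installed that no refused patch is shown to replace."""
    replaced = defaultdict(set)
    for _new, path, blocker in conflicts:
        replaced[blocker].add(path)
    return {b: sorted(set(old_manifests.get(b, ())) - replaced[b]) for b in sorted(replaced)}

# Constructed sample: the three records from the post, mail-wrapped lines
# rejoined and the repeated advisory text left out.
SAMPLE = """\
Problem installing:
        Patch C 00296.00 - V40G.BL17 CSP for SSRT2373 and SSRT2374 (Shared Libra
        ./usr/dt/lib/libDtSvc.so:
                is installed by Customer Specific Patch (CSP):
        Patch C 00103.04
        Patch C 00297.00 - V40G.BL17 CSP for SSRT2415
        ./usr/dt/bin/dtsession:
                is installed by Customer Specific Patch (CSP):
        Patch C 00103.01
        Patch C 00299.00 - V40G.BL17 CSP for SSRT2373 and SSRT2374 (Static Libra
        ./usr/dt/lib/libDtSvc.a:
                is installed by Customer Specific Patch (CSP):
        Patch C 00103.01
"""
# Hypothetical manifests; the PLACEHOLDER entry stands for any file not in the report.
OLD = {"00103.01": ["./usr/dt/bin/dtsession", "./usr/dt/lib/libDtSvc.a", "./PLACEHOLDER/other-file"],
       "00103.04": ["./usr/dt/lib/libDtSvc.so"]}

if __name__ == "__main__":
    for blocker, todo in unverified_files(parse_conflicts(SAMPLE), OLD).items():
        print(blocker, "needs checking:" if todo else "fully covered", *todo)
```

dupatch only reports the files where the patches overlap, so an empty result against a complete manifest is what supports removing the older patch; anything listed has to be traced to a newer patch by hand.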


