TCPware Version 5.9 Release Notes

November 2009

This document contains a list of new features and bug fixes that have been made since TCPware V5.8-2.

Revision/Update Information: This document supersedes the TCPware V5.8-2 Release Notes.

Operating System and Version: VAX/VMS V5.5-2 or later; OpenVMS Alpha V6.2 or later; OpenVMS I64 V8.2 or later.

Copyright © 2009 by Process Software LLC

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

Process Software, LLC
959 Concord Street
Framingham, MA 01701-4682 USA
Voice: +1 508 879 6994; FAX: +1 508 879 0042
info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Alpha AXP, AXP, MicroVAX, OpenVMS, OpenVMS I64, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

Intel and Itanium are trademarks or registered trademarks of Intel Corporation.

Portions of TCPware have the following third party copyrights:

Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

MultiNet is a registered trademark of Process Software.

Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-).

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence

TCPware is a registered trademark of Process Software.

UNIX is a trademark of UNIX System Laboratories, Inc.

All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

Copyright © 1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

Copyright © 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Process Software, LLC. All rights reserved. Printed in USA.

If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software. Any resemblance or duplication is strictly coincidental.

Contents

Chapter 1  Introduction
   1.1 Typographical Conventions
   1.2 Obtaining Technical Support
      1.2.1 Before Contacting Technical Support
      1.2.2 Sending Electronic Mail
      1.2.3 Calling Technical Support
      1.2.4 Contacting Technical Support by Fax
   1.3 Obtaining Online Help
   1.4 TCPware Frequently Asked Questions (FAQs) List
   1.5 Accessing the TCPware Public Mailing List
   1.6 Process Software World Wide Web Server
   1.7 Obtaining Software Patches over the Internet
   1.8 Documentation Comments
   1.9 CD-ROM Contents
      1.9.1 Online Documentation
         1.9.1.1 PDF Format
         1.9.1.2 Using Acrobat Reader
         1.9.1.3 Using XPDF

Chapter 2  CHANGES AND ENHANCEMENTS
   2.1 Installation Disk Space Requirements
   2.2 New Features
      2.2.1 BIND9 Updates
      2.2.2 DNS Resolver
      2.2.3 Drivers
      2.2.4 FTP
      2.2.5 IMAP
      2.2.6 IPS - Intrusion Prevention System
      2.2.7 NETCU
      2.2.8 OpenSSL
      2.2.9 SNMP Updates
      2.2.10 TFTP Server Update
   2.3 Fixes in this Release
      2.3.1 Drivers
      2.3.2 Filter Logging
      2.3.3 FTP
      2.3.4 NETCU
      2.3.5 NTP
      2.3.6 SFTP
      2.3.7 SMTP
      2.3.8 SSH
   2.4 Known Issues

Chapter 3  Documentation Notes
   3.1 General Documentation Enhancements
   3.2 HELP Files
   3.3 NETCU online help


Chapter 1  Introduction

These Release Notes describe the changes and enhancements made to the TCPware product in version 5.9. This chapter describes conventions used in the TCPware documentation set and the various methods to contact and receive technical support.

o For information about product changes and enhancements in TCPware v5.9, refer to Chapter 2.
o For information about changes to the documentation set, refer to Chapter 3.

1.1 Typographical Conventions

Examples in these release notes use the following conventions:

Convention                   Example                 Meaning
Angle brackets                                       Represents a key on your keyboard.
Angle brackets with a slash                          Indicates that you hold down the key
                                                     labeled or while simultaneously pressing
                                                     another key; in this example, the "A" key.
Square brackets              [FULL]                  Indicates optional choices; you can enter
                                                     none of the choices, or as many as you like.
                                                     When shown as part of an example, square
                                                     brackets are actual characters you should
                                                     type.
Underscore or hyphen         file_name or file-name  Between words in commands, indicates the
                                                     item is a single element.

1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained TCPware from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail (Section 1.2.2)
o Calling Technical Support (Section 1.2.3)
o Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

1.2.1 Before Contacting Technical Support

Before you call, or send email or a fax:

1. Verify that your Maintenance Service Agreement is current.
2. Read the online Release Notes completely.
3. Have the following information available:
   o Your Name
   o Your company name
   o Your email address
   o Your voice and fax telephone numbers
   o Your Maintenance Contract Number
   o OpenVMS architecture
   o OpenVMS version
   o TCPware layered products and versions
4. Have complete information about your configuration, error messages that appeared, and problem specifics.
5. Be prepared to let a development engineer connect to your system, either with TELNET, SSH, or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.

You can obtain information about your OpenVMS architecture, OpenVMS version, TCPware version, and layered products with the NETCU SHOW VERSION/ALL command. Execute the following command on a fully loaded system and email the output to support@process.com:

   $ NETCU SHOW VERSION/ALL
   TCPware(R) V5.9-2 Copyright (c) 2009 Process Software
   OpenVMS version V8.2 booted on 28-AUG-2009 21:03:30.00, running on a HP rx2600 (1.30GHz/3.0MB).
   MAS number: 12345

In this example:

o The machine or system architecture is I64.
o The OpenVMS version is V8.2.
o The TCPware version is V5.9.

Use the following table as a template to record the relevant information about your system:

Required Information                    Your System Information
Your name
Company name
Your email address
Your voice and fax telephone numbers
System architecture                     Vax, Alpha, or I64
OpenVMS Version
TCPware Version

Please provide information about installed TCPware applications and patch kits, by sending a copy of TCPWARE:TCPWARE_VERSION.; file.

1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.

1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m. United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1. When you call, you will be connected to a Technical Support Specialist.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than 5 minutes.
If you can wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (see Section 1.2.2, Sending Electronic Mail).

1.2.4 Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042.

Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

1.3 Obtaining Online Help

Extensive information about TCPware is provided in the TCPware help library. For more information, enter the following command:

   $ HELP TCPWARE

1.4 TCPware Frequently Asked Questions (FAQs) List

You can obtain an updated list of frequently asked questions (FAQs) and answers about Process Software products from the Process Software home page located at http://www.process.com. Choose the Service & Support link to access useful information on FAQs and patch ECOs.

1.5 Accessing the TCPware Public Mailing List

Process Software maintains two public mailing lists for TCPware customers:

o Info-TCPware@process.com
o TCPware-Announce@process.com

The Info-TCPware@process.com mailing list is a forum for discussion among TCPware system managers and programmers. Questions and problems regarding TCPware can be posted for a response by any of the subscribers. To subscribe to Info-TCPware, send a mail message with the word SUBSCRIBE in the body to Info-TCPware-request@process.com.

The information exchanged over Info-TCPware is also available via the USENET newsgroup vmsnet.networks.tcp-ip.tcpware.

You can retrieve the Info-TCPware archives by anonymous FTP to ftp.tcpware.process.com.
The archives are located in the directory [MAIL_ARCHIVES.INFO-TCPWARE].

The TCPware-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to TCPware (patch releases, product releases, etc.). To subscribe to TCPware-Announce, send a mail message with the word SUBSCRIBE in the body to TCPware-Announce-request@process.com.

1.6 Process Software World Wide Web Server

Electronic support is provided through the Process Software web site which you can access with any World Wide Web browser; the URL is http://www.process.com (select Service & Support).

1.7 Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.tcpware.process.com. For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.

To retrieve a software patch, enter the following commands:

   $ FTP FTP.TCPWARE.PROCESS.COM ANONYMOUS password

where password is your email address.

A message welcoming you to the Process Software FTP directory appears next followed by the FTP prompt. Enter the following at the FTP prompt:

   FTP>CD [.SUPPORT.xx_x]
   FTP>GET update_filename

In these commands:

o xxx is the version of TCPware you want to transfer
o update_filename is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system.

In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.

o If you use the GET command to download the file size from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.
o If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX, Alpha and I64 for decompressing ZIP archives in the [SUPPORT] directory. To use ZIP format kits, you need a copy of the UNZIP utility.

The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

   $ UNZIP := $SYS$DISK:[]UNZIP.EXE
   $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your TCPware system with the software patch.

1.8 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate.

You can send your comments by email to techpubs@process.com or mail them to:

   Process Software
   959 Concord Street
   Framingham, MA 01701-4682
   Attention: Marketing Director

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

1.9 CD-ROM Contents

The directory structure on the CD is as follows:

   [TCPWARE059]        TCPware Kit
   [Documentation]     PDF format (.pdf)
                       HTML format (.htm)
                       Release Notes
   [XPDF]
      [XPDF.AXP]       for Alpha images
      [XPDF.VAX]       for VAX images
   [LYNX]
      [LYNX.AXP]       for Alpha images
      [LYNX.VAX]       for VAX images
   [VAX55_DECC_RTL]

1.9.1 Online Documentation

The TCPware documentation set is available on the product CD in HTML and PDF format. The Release Notes are available on the product CD in text format.

1.9.1.1 PDF Format

The TCPware documentation set has the following PDF files:

o INSTALL.PDF (Installation and Configuration Guide)
o MANAGE.PDF (Management Guide)
o NETCU.PDF (NETCU Command Reference)
o PROGRAM.PDF (Programmer's Guide)
o USER.PDF (User's Guide)

The PDF format is readable from a PC, a VAX or an Alpha system. There is a PDF reader for the VAX and Alpha platforms on the TCPware CD.

o Use Adobe Acrobat to read the PDF files from a PC. Your PC must have 386 architecture or later to use Adobe Acrobat Reader. You can get Acrobat Reader free from Adobe Systems' Website: www.adobe.com.
o Use the XPDF Reader (found in the [XPDF] directory) to read the PDF files from a VAX or Alpha system. The [XPDF.AXP] directory contains the Alpha architecture reader, and the [XPDF.VAX] directory contains the VAX architecture reader.

Note: The XPDF Reader does not work on a PC. PCs running the Windows or NT operating system cannot read Process Software's CD.

You cannot load files from the MultiNet CD directly to a PC. Load them to your VAX, Alpha or I64 machine, then transfer them to your PC. We suggest using FTP to transfer these files. The following is an example using MS-DOS:

   C:> ftp node
   ftp> binary
   ftp> mget cd:*.pdf

In addition, Process Software has included LYNX, the character-cell Web browser for VMS. It is in the [LYNX] directory.

1.9.1.2 Using Acrobat Reader

To read the PDF files using Acrobat Reader:

1. Double click Acrobat Exchange.
2. Choose Open from the File menu.
3. Select the .pdf file you want to open.
4. Use the menu bar at the top of the screen to navigate the document, or click a Table of Contents entry (on the left) to go directly to that information.

Note: The binocular icon opens search functions. The magnifying glass icon enlarges the text and illustrations.

1.9.1.3 Using XPDF

Thanks to Derek B. Noonburg for letting us download his XPDF application.

Note: You need a three-button mouse to use XPDF.

At the DCL prompt from the directory in which the VAX or Alpha XPDF.EXE is stored, do the following:

1. Type RUN XPDF.EXE. The XPDF screen appears.
2. Position the arrow on any of the icons (except the ? icon) on the bottom of the screen.
3. Press the right mouse button to display choices.
4. Select OPEN to display the list of PDF files.
5. Select the PDF file you want, and click OPEN to read the file.
6. Use the icons on the bottom of the screen to search for the information you want.

To view the online help for XPDF:

1. Position the cursor on the question mark (?) icon.
2. Press the left mouse button to open the online help.


Chapter 2  CHANGES AND ENHANCEMENTS

This chapter briefly describes features that are new or changed significantly in TCPware Version 5.9.

2.1 Installation Disk Space Requirements

The following table indicates the disk space requirements for installing TCPware V5.9.

System Architecture    Peak Usage    Net Usage
VAX                    290,000       165,000
Alpha                  390,000       230,000
I64                    420,000       270,000

2.2 New Features

2.2.1 BIND9 Updates

o BIND9 has been updated from 9.4.1p to 9.6.1-p1 and is based on ISC's Bind Version 9.4.1. Future updates to BIND will originate from the 9.6.1 code baseline. With BIND 9, the ISC no longer supports the NSLOOKUP tool. It recommends using the DIG tool instead. As a result, we are including the BIND 8.x version of NSLOOKUP. In addition, the NDC tool has been replaced by RNDC for BIND 9. New features include, but are not limited to:
   1. Full NSEC3 support.
   2. Automatic zone re-signing.
   3. New update-policy method tcp-self.
   4. Improved statistics reporting.
o Implemented ISC security fix to protect against DoS attacks with dynamic updates (ISC BIND 9.6.1-p1). [DE 10893]
o Added support for SPF and IPSEC RR data types.
  [DE 10931]
o Added functionality to specify a specific operator class for OPCOM messages. Using the logical TCPWARE_NAMED_OPCOM_TARGET, a system administrator can define a value from OPER1 through OPER12. For example, to direct the opcoms to OPER8, use the command:

   $ DEFINE/SYSTEM/EXEC TCPWARE_NAMED_OPCOM_TARGET "OPER8"

  To then see the opcom messages:

   $ REPLY/ENABLE=OPER8

  The default or undefined value is the NETWORK class. [DE 10409]

2.2.2 DNS Resolver

o The DNS Resolver code base has been updated.

2.2.3 Drivers

o Ephemeral port randomization for security. Typically ports were issued in sequential order, which allows the potential for blind attacks, which can range from throughput-reduction to broken connections or data corruption. This feature issues random port numbers, which makes it more difficult for an attacker to guess a local port number and disrupt communications. [DE 10757]
o The Ephemeral port obfuscation algorithm has been modified to avoid an occasionally seen "port in use" condition.
o TTY_PORT_BUFIO function is now supported for remote terminal devices (see TCP/IP Services documentation). [DE 10817]
o Performance improvements were made for Integrity systems.
o Support for $QIO with larger than 65535 bytes has been added to the BG interface for VMS V8. [DE 10861]

2.2.4 FTP

o FTP now supports RESTart STREAM (RFC 3659), and MFMT (Modify Fact Modification Time). The commands GET and PUT now have a /RESTART qualifier that will resume an interrupted transfer where it was stopped. [DE 10384]
o The FTP SIZE command is now accurate for STREAM mode transfers. It will take longer to respond as the file is processed in order to determine the size.
o The FTP client will now request the list of optional FTP commands that are supported with the FEAT command and observe whether or not the MDTM (get file modification time), MFMT (modify fact, modification time), and REST STREAM commands are supported.
  If the appropriate command is supported and /SET_FACT=MODIFICATION_TIME is included on the transfer command (GET/PUT) then the FTP client will perform the appropriate operations to set the modification time after transferring the file. [DE 10818]
o When the FTP server creates a ftp_listener.log file, the file format now allows the use of type/tail.

2.2.5 IMAP

o IMAP's code base has been updated to University of Washington's IMAP v2007e.

2.2.6 IPS - Intrusion Prevention System

o This security feature monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. IPS is highly flexible and customizable. When an attack is detected, pre-configured rules will block an intruder's IP address from accessing the TCPware 5.9 system, prevent an intruder from accessing a specific application, or both. The time period that the filter is in place is configurable. An API is provided so that TCPware customers can incorporate the IPS functionality into their applications. Support for Common Link interfaces and Pseudo-devices has been added. The following applications now have IPS support: FTP, IMAP, POP3, R-Services, SMTP, SNMP, SSH, and TELNET.

2.2.7 NETCU

o NETCU will now automatically detect the buffer size for interfaces that are capable of sending jumbo ethernet packets. [DE 10696]

2.2.8 OpenSSL

o OpenSSL's code base has been updated (to 0.9.8k).

2.2.9 SNMP Updates

o SNMP can now send SNMPv2 traps and will return SNMPv2 error codes whenever possible.

2.2.10 TFTP Server Update

o The TFTP server was updated to support Option Extensions (RFC 2347) and Blocksize Option (RFC 2348). [DE 9615]

2.3 Fixes in this Release

2.3.1 Drivers

o The BGDRIVER will now start the keepalive timer when keepalives are enabled on a connected socket. [DE 10804]
o The BGDRIVER now supports TCP_KEEPALIVE, TCP_KEEPINTVL, and TCP_KEEPCNT. [DE 10838]
o Fewer alignment faults on AXP and IA64.
  [DE 10792]
o Correct the possibility of an undetected error when allocating a socket data structure, which could cause a crash. [DE 10780]
o The NTDriver has been fixed to correctly fill ACCPORNAM information. [DE 10685]
o Additional checking has been added when walking an internal list to avoid a potential crash. [DE 10427]
o Corrected an error in processing timed filters.
o Allow sockaddrs greater than 16 bytes. This allows programs that use a data structure large enough to hold a sockaddr_in6 to run.
o Allow AF_UNSPEC (0) as the family in sockaddrs as well as AF_INET.
o Always set the address family to AF_INET when putting the BSD 4.3 sockaddr in BSD 4.4 format. Correction of errors found in BSD 4.4 functions and getaddrinfo implementation.

2.3.2 Filter Logging

o An issue with filter logging files not being closed properly when the filter is removed has been fixed. [DE 10692]
o A problem with filter logging flushing files to disk has been resolved. [DE 10691]

2.3.3 FTP

o Fixed a problem that would occasionally crash the FTP server. [DE 10844]
o FTP sessions failing if TCPWARE_FTP_IDLE_TIMEOUT is defined incorrectly has been fixed. [DE 10839]
o Corrected an error that would cause multiple "230 User logged in" messages when an unsupported AUTH command is received. [DE 10753]

2.3.4 NETCU

o An upper limit of 60000 bytes has been put on the mailbox creation for NETCU DEBUG. This restores behavior prior to VMS V7.3-1 in which VMS limited the mailbox bytlm to 60000 and allows users with a greater bytlm to have more available for other things. [DE 10394]

2.3.5 NTP

o Corrected a potential denial of service attack. [DE 10922]
o NTPQ and NTPDC now process each of the answers returned by getaddrinfo until they successfully establish a connection, or run out of answers.

2.3.6 SFTP

o Problems with SFTP failing when the directory path used logicals instead of a physical device.
[DE 10787]

o Problems which caused SFTP> LS directory_specification to list the directory file instead of the contents of the directory on Alpha processors have been corrected. [DE 10717]

o Improvements in SFTP access controls (directory and operation restrictions). [DE 10701]

o Improvements in handling SFTP realpath operations. [DE 10700, 10656]

o Corrected errors in processing when attempting to disable SRI encoding on ODS2 disks by defining the logical TCPWARE_SFTP_ODS2_SRI_ENCODING to FALSE. [DE 10671]

o Carets (^) are now added where necessary in ODS5 file specifications. [DE 10654]

o For ODS5 devices, SFTP will only put carets in file names if the logical TCPWARE_SFTP_ADD_ODS5_CARETS is defined to be True, Yes, or 1. In all other cases the name will be used as-is.

o When using SFTP with ODS5, the code now puts a caret in place if there is a dot after the current one. [DE 10854]

o Fixed incoming SFTP connections getting the error ":open for write: no such file or directory" when the incoming paths contain a directory and filename and not just a directory. [DE 10832]

o Problems with SCP-SERVER1 on Alpha have been corrected. [DE 10651]

o Removed code that attempts to resolve the proper setting of the "execute" bit on files, as this has a very different meaning on VMS than it does on UNIX. [DE 10622]

o Changed the "Unexpected error" message shown when there are no files in a directory to "No matching files". [DE 10727]

o Corrected problems with large file transfers and directory of files larger than 4GB. [DE 10735]

o Corrected an SFTP client ACCVIO. [DE 10829]

2.3.7 SMTP

o A channel leak when accounting has been enabled but the accounting server is not available has been fixed. [DE 10860]

o The actual error status generated when the SMTP symbiont is unable to open a file has been added to the OPCOM message generated and broadcast. [DE 10853]

2.3.8 SSH

o Occasional failures in auditing failed password attempts have been fixed.
o The problem of SSH processes disappearing due to port scans has been resolved. [DE 10824]

o Corrected SYS$REM_NODE not being set properly when the SSH server can't do a reverse lookup on a client address. [DE 10661]

o Corrected the LOGIN_TYPE field not being set correctly. [DE 10834]

o When executing SSH sessions in a batch job that executes a script on a UNIX system, the SSH client could hang in a loop, consuming system resources. This has been corrected. NOTE: However, a timing issue may remain that can be avoided with the addition of a "sleep 1" statement at the end of the UNIX script.

o Removed the ability to unload the SSHLEI, as it could cause a system crash under unique circumstances. [DE 10754]

o The incorrect handling of the PWD_EXPIRED UAF flag has been corrected.

o When executing SSH in a command procedure or a batch job, and SSH executes a remote command on some UNIX systems where output is done to STDERR on the UNIX system, the SSH client on the VMS side may hang. This has been corrected. At the end of some sessions, the fatal error "Assertion failed: iorec != ((void *) 0)" may be seen. This has been corrected. [DE 10716]

o Corrected an ACCVIO when public key authentication fails in batch mode. [DE 10675]

o NETCU STOP/SSH could display the message SYSTEM-F-ABORT even when SSH was shut down properly. This has been corrected. [DE 9665]

o Sporadic problems with SSH server connections hanging when login.com had active output have been fixed. [DE 10643]

2.4 Known Issues

o Telnet

  On the AXP architecture, the TELNET server will not create filter server entries when it should. This will be fixed for the final release of TCPware V5.9.
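Section 2.2.10 names RFC 2347 and RFC 2348; the block below is an added example, not TCPware code, showing the server side of that negotiation: it parses the option list of a read or write request from an untrusted datagram, validates blksize against the RFC 2348 range, and builds the OACK reply. The function names, the sample packet, and the choice to leave an out-of-range blksize unacknowledged (rather than reply with an ERROR packet) are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { RRQ = 1, WRQ = 2, BLK_MIN = 8, BLK_MAX = 65464 };
/* Constructed sample: RRQ for "boot.img", mode octet, options tsize=0 and BlkSize=1428. */
static const unsigned char sample_rrq[] = "\0\001boot.img\0octet\0tsize\0" "0\0BlkSize\0" "1428";
/* Return the NUL-terminated field at *p and step past it; NULL if it runs off the packet. */
static const char *field(const unsigned char **p, const unsigned char *end)
{
    const unsigned char *s = *p, *nul = s < end ? memchr(s, 0, (size_t)(end - s)) : NULL;
    if (nul != NULL) *p = nul + 1;
    return nul != NULL ? (const char *)s : NULL;
}
static int ieq(const char *a, const char *b)        /* option names are case-insensitive */
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}
/* Negotiate blksize for an RRQ/WRQ, capped at server_max (caller keeps that in 8..65464).
 * Returns the OACK length written to out, 0 if no option was accepted (no OACK, 512-byte
 * blocks), or -1 if the request is malformed or out is shorter than 16 bytes. */
int tftp_negotiate(const unsigned char *pkt, size_t len, long server_max,
                   unsigned char *out, size_t outlen, long *blksize)
{
    const unsigned char *p = pkt, *end = pkt + len;
    int accepted = 0;
    *blksize = 512;                                  /* RFC 1350 default block size */
    if (len < 4 || outlen < 16 || pkt[0] != 0 || (pkt[1] != RRQ && pkt[1] != WRQ)) return -1;
    p += 2;
    if (!field(&p, end) || !field(&p, end)) return -1;           /* filename, then mode */
    while (p < end) {
        const char *name = field(&p, end), *val = name ? field(&p, end) : NULL;
        if (val == NULL) return -1;                  /* option name or value not terminated */
        if (!ieq(name, "blksize")) continue;         /* unknown option: left out of the OACK */
        long v = 0;
        for (; isdigit((unsigned char)*val) && v <= BLK_MAX; val++) v = v * 10 + (*val - '0');
        if (*val != '\0' || v < BLK_MIN || v > BLK_MAX) continue; /* outside RFC 2348 range */
        *blksize = v < server_max ? v : server_max; accepted = 1; /* server may answer less */
    }
    if (!accepted) return 0;
    memcpy(out, "\0\006blksize", 10);                /* opcode 6 (OACK), "blksize", NUL */
    return 11 + snprintf((char *)out + 10, outlen - 10, "%ld", *blksize);
}
int main(void)
{
    unsigned char oack[32]; long bs;
    int n = tftp_negotiate(sample_rrq, sizeof sample_rrq, 1024, oack, sizeof oack, &bs);
    printf("OACK length %d, negotiated block size %ld\n", n, bs);
    return 0;
}
```

The tsize option in the sample is not handled by this example, so it is omitted from the OACK, which under RFC 2347 tells the client it was not accepted.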
Chapter 3
Documentation Notes

This chapter discusses the enhancements made to the TCPware for OpenVMS hardcopy and on-line documentation (including DCL HELP), as well as errata found after the publication or production dates (look for the entry "ERRATA").

3.1 General Documentation Enhancements

o TCPware for OpenVMS Management Guide, Chapter 27, "Intrusion Prevention System (IPS)" has been added.

o TCPware for OpenVMS Network Control Utility Command Reference has been updated to reflect the NETCU SHOW IPS and NETCU SET IPS commands for controlling and monitoring the TCPware Intrusion Prevention System.

o TCPware for OpenVMS Network Control Utility Command Reference has been updated to add the /EXTRACT= qualifier to the NETCU SHOW FILTERS command.

o A few documentation issues regarding SSH have been clarified or cleaned up since the V5.8-2 documentation release. [DE 10866]

3.2 HELP Files

o The "Intrusion_Prevention_System" topic has been added to provide a brief overview of TCPware IPS.

3.3 NETCU online help

o Within NETCU help, the sub-topic "IPS_COMMAND" has been added to both the SET and SHOW topics.