• DCL patch

    From Arne Vajhøj@arne@vajhoej.dk to comp.os.vms on Wed Mar 4 11:48:44 2026
    From Newsgroup: comp.os.vms

    VSI just released a DCL patch.

    All architectures. All versions (read: all VSI versions). Rating 1.

    "addresses mismanagement of the stack in some DCL processing which
    may cause the process to crash"

    Sounds like something everyone should install.

    Arne

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Simon Clubley@clubley@remove_me.eisner.decus.org-Earth.UFP to comp.os.vms on Thu Mar 5 13:25:31 2026
    From Newsgroup: comp.os.vms

    On 2026-03-04, Arne Vajhøj <arne@vajhoej.dk> wrote:
    > VSI just released a DCL patch.
    >
    > All architectures. All versions (read: all VSI versions). Rating 1.
    >
    > "addresses mismanagement of the stack in some DCL processing which
    > may cause the process to crash"
    >
    > Sounds like something everyone should install.

    Hmmm. A P1 for a mere process crasher without additional side effects
    doesn't sound right.

    The first crasher I found in DCL (a few months before the CVE issue) was
    also just a benign process crasher (I stuffed structured binary junk into
    the recall history buffer) and that certainly didn't qualify as a P1.

    I would recommend people ask VSI if this is actually something that
    can be made to be an outright vulnerability. _If_ it is, VSI really,
    really, need to update this description to draw attention to this and
    to also issue a CVE.

    The last CVE they have listed is still the CVE I am responsible for:

    https://vmssoftware.com/about/cves/

    _IF_ this is a vulnerability, then the kind of language used in that CVE
    description is also the same kind of language that needs to be used here.

    Also, congratulations to whoever found this (vulnerability or no vulnerability).

    Simon.
    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Walking destinations on a map are further away than they appear.
  • From Arne Vajhøj@arne@vajhoej.dk to comp.os.vms on Thu Mar 5 08:41:06 2026
    From Newsgroup: comp.os.vms

    On 3/5/2026 8:25 AM, Simon Clubley wrote:
    > On 2026-03-04, Arne Vajhøj <arne@vajhoej.dk> wrote:
    >> VSI just released a DCL patch.
    >>
    >> All architectures. All versions (read: all VSI versions). Rating 1.
    >>
    >> "addresses mismanagement of the stack in some DCL processing which
    >> may cause the process to crash"
    >>
    >> Sounds like something everyone should install.
    >
    > Hmmm. A P1 for a mere process crasher without additional side effects
    > doesn't sound right.
    >
    > The first crasher I found in DCL (a few months before the CVE issue) was
    > also just a benign process crasher (I stuffed structured binary junk into
    > the recall history buffer) and that certainly didn't qualify as a P1.
    >
    > I would recommend people ask VSI if this is actually something that
    > can be made to be an outright vulnerability. _If_ it is, VSI really,
    > really, need to update this description to draw attention to this and
    > to also issue a CVE.

    VSI is already pushing it.

    Prominent (literally red!) notice on client portal.

    Direct email to customers.

    Arne

  • From antispam@antispam@fricas.org (Waldek Hebisch) to comp.os.vms on Thu Mar 5 14:47:04 2026
    From Newsgroup: comp.os.vms

    Simon Clubley <clubley@remove_me.eisner.decus.org-earth.ufp> wrote:
    > On 2026-03-04, Arne Vajhøj <arne@vajhoej.dk> wrote:
    >> VSI just released a DCL patch.
    >>
    >> All architectures. All versions (read: all VSI versions). Rating 1.
    >>
    >> "addresses mismanagement of the stack in some DCL processing which
    >> may cause the process to crash"
    >>
    >> Sounds like something everyone should install.
    >
    > Hmmm. A P1 for a mere process crasher without additional side effects
    > doesn't sound right.
    >
    > The first crasher I found in DCL (a few months before the CVE issue) was
    > also just a benign process crasher (I stuffed structured binary junk into
    > the recall history buffer) and that certainly didn't qualify as a P1.
    >
    > I would recommend people ask VSI if this is actually something that
    > can be made to be an outright vulnerability. _If_ it is, VSI really,
    > really, need to update this description to draw attention to this and
    > to also issue a CVE.
    >
    > The last CVE they have listed is still the CVE I am responsible for:
    >
    > https://vmssoftware.com/about/cves/
    >
    > _IF_ this is a vulnerability, then the kind of language used in that CVE
    > description is also the same kind of language that needs to be used here.

    Deciding if this is a vulnerability or not may be tricky and I VSI
    may prefer to spend resources on fixing this. IIUC CVE is issued
    when there is some plausible way to exploit it. AFAIK several things
    first deemed impossible to exploit turned out to be vulnerabilities.
    So P1 looks reasonable and if there are no known exploits then not
    issuing CVE is reasonable too.

    To put it differently, "mere process crasher" is IMO rather rare.
    Usually it is a potential vulnerability.
    --
    Waldek Hebisch
  • From Arne Vajhøj@arne@vajhoej.dk to comp.os.vms on Thu Mar 5 09:57:48 2026
    From Newsgroup: comp.os.vms

    On 3/5/2026 9:47 AM, Waldek Hebisch wrote:
    > Simon Clubley <clubley@remove_me.eisner.decus.org-earth.ufp> wrote:
    >> I would recommend people ask VSI if this is actually something that
    >> can be made to be an outright vulnerability. _If_ it is, VSI really,
    >> really, need to update this description to draw attention to this and
    >> to also issue a CVE.
    >>
    >> _IF_ this is a vulnerability, then the kind of language used in that CVE
    >> description is also the same kind of language that needs to be used here.
    >
    > Deciding if this is a vulnerability or not may be tricky and I VSI
    > may prefer to spend resources on fixing this. IIUC CVE is issued
    > when there is some plausible way to exploit it. AFAIK several things
    > first deemed impossible to exploit turned out to be vulnerabilities.
    > So P1 looks reasonable and if there are no known exploits then not
    > issuing CVE is reasonable too.
    >
    > To put it differently, "mere process crasher" is IMO rather rare.
    > Usually it is a potential vulnerability.

    Yes.

    Everything related to DCL and data in P1 space above the start
    of the user mode stack is sensitive, because it is privileged
    stuff.

    I think the bottom line is: PATCH NOW!

    Arne

  • From Craig A. Berry@craigberry@nospam.mac.com to comp.os.vms on Thu Mar 5 17:25:55 2026
    From Newsgroup: comp.os.vms


    On 3/5/26 7:41 AM, Arne Vajhøj wrote:
    > On 3/5/2026 8:25 AM, Simon Clubley wrote:
    >> On 2026-03-04, Arne Vajhøj <arne@vajhoej.dk> wrote:
    >>> VSI just released a DCL patch.
    >>>
    >>> All architectures. All versions (read: all VSI versions). Rating 1.
    >>>
    >>> "addresses mismanagement of the stack in some DCL processing which
    >>> may cause the process to crash"
    >>>
    >>> Sounds like something everyone should install.
    >>
    >> Hmmm. A P1 for a mere process crasher without additional side effects
    >> doesn't sound right.
    >>
    >> The first crasher I found in DCL (a few months before the CVE issue) was
    >> also just a benign process crasher (I stuffed structured binary junk into
    >> the recall history buffer) and that certainly didn't qualify as a P1.
    >>
    >> I would recommend people ask VSI if this is actually something that
    >> can be made to be an outright vulnerability. _If_ it is, VSI really,
    >> really, need to update this description to draw attention to this and
    >> to also issue a CVE.
    >
    > VSI is already pushing it.
    >
    > Prominent (literally red!) notice on client portal.
    >
    > Direct email to customers.

    No e-mail from VSI here recently, other than the "we know you're all
    worried about Rdb" notice. Also nothing in red on the service portal
    that I can see (the DCL packages are noted in green just like any other
    "recently released packages"). But the patch is there and is install 1,
    so there's no ambiguity about what to do.

    There is also a TCP/IP 6.0-30 update, and the release notes do say there
    is security content, although they don't say what, just "VSI TCP/IP
    Services for OpenVMS V6.0-30 contains important security updates. VSI
    strongly recommends that all users install this version."
  • From Arne Vajhøj@arne@vajhoej.dk to comp.os.vms on Thu Mar 5 19:23:52 2026
    From Newsgroup: comp.os.vms

    On 3/5/2026 6:25 PM, Craig A. Berry wrote:
    > On 3/5/26 7:41 AM, Arne Vajhøj wrote:
    >> VSI is already pushing it.
    >>
    >> Prominent (literally red!) notice on client portal.
    >>
    >> Direct email to customers.
    >
    > No e-mail from VSI here recently, other than the "we know you're all
    > worried about Rdb" notice.

    Hm. I got an email.

    > Also nothing in red on the service portal that I can see (the DCL
    > packages are noted in green just like any other "recently released
    > packages").

    When I log into the client portal I see:
    * left menu with download, forum etc.
    * main "News/events" with 4 visible items each with a little
    picture and some text
    * between the "New/events" header and the 4 visible items I see
    a red note

    It looks different for you?

    Arne

  • From Craig A. Berry@craigberry@nospam.mac.com to comp.os.vms on Fri Mar 6 06:58:20 2026
    From Newsgroup: comp.os.vms


    On 3/5/26 6:23 PM, Arne Vajhøj wrote:
    > On 3/5/2026 6:25 PM, Craig A. Berry wrote:
    >> Also nothing in red on the service portal
    >> that I can see (the DCL packages are noted in green just like any other
    >> "recently released packages").
    >
    > When I log into the client portal I see:
    > * left menu with download, forum etc.
    > * main "News/events" with 4 visible items each with a little
    >   picture and some text
    > * between the "New/events" header and the 4 visible items I see
    >   a red note
    >
    > It looks different for you?

    Hmm. I didn't know about the "client portal." I have always gone
    directly either to the Service Platform (sp.vmssoftware.com) which I
    mistakenly called the service _portal_ above, or to the forum
    (forum.vmssoftware.com). These now share an authentication mechanism
    but otherwise seem to be different web sites running different software.

    Now that I know it exists, I can log into client-portal.vmssoftware.com
    and see news and product updates on the dashboard. The DCL kit is
    mentioned under March product updates, but you have to drill down to
    find out it's INSTALL_1. There is no red note anywhere on the page.
  • From Arne Vajhøj@arne@vajhoej.dk to comp.os.vms on Fri Mar 6 08:55:43 2026
    From Newsgroup: comp.os.vms

    On 3/6/2026 7:58 AM, Craig A. Berry wrote:
    > On 3/5/26 6:23 PM, Arne Vajhøj wrote:
    >> On 3/5/2026 6:25 PM, Craig A. Berry wrote:
    >>> Also nothing in red on the service portal
    >>> that I can see (the DCL packages are noted in green just like any other
    >>> "recently released packages").
    >>
    >> When I log into the client portal I see:
    >> * left menu with download, forum etc.
    >> * main "News/events" with 4 visible items each with a little
    >>   picture and some text
    >> * between the "New/events" header and the 4 visible items I see
    >>   a red note
    >>
    >> It looks different for you?
    >
    > Hmm. I didn't know about the "client portal." I have always gone
    > directly either to the Service Platform (sp.vmssoftware.com) which I
    > mistakenly called the service _portal_ above, or to the forum
    > (forum.vmssoftware.com). These now share an authentication mechanism
    > but otherwise seem to be different web sites running different software.
    >
    > Now that I know it exists, I can log into client-portal.vmssoftware.com
    > and see news and product updates on the dashboard. The DCL kit is
    > mentioned under March product updates, but you have to drill down to
    > find out it's INSTALL_1. There is no red note anywhere on the page.

    Weird. That portal must be doing some personalization.

    I PM'ed you a screen shot in the forum.

    Arne

  • From John Reagan@johnrreagan@earthlink.net to comp.os.vms on Fri Mar 6 14:54:40 2026
    From Newsgroup: comp.os.vms

    On 3/6/2026 7:58 AM, Craig A. Berry wrote:
    >
    > Hmm. I didn't know about the "client portal." I have always gone

    TIL about the client portal

    > directly either to the Service Platform (sp.vmssoftware.com) which I
    > mistakenly called the service _portal_ above, or to the forum
    > (forum.vmssoftware.com). These now share an authentication mechanism
    > but otherwise seem to be different web sites running different software.
    >
    > Now that I know it exists, I can log into client-portal.vmssoftware.com
    > and see news and product updates on the dashboard.

    For me? "403 Forbidden" Should I take that personally? :)
  • From steve sparrow@sdsparrow@aol.com to comp.os.vms on Fri May 15 22:07:43 2026
    From Newsgroup: comp.os.vms

    On 3/5/2026 8:57 AM, Arne Vajhøj wrote:
    > On 3/5/2026 9:47 AM, Waldek Hebisch wrote:
    >> Simon Clubley <clubley@remove_me.eisner.decus.org-earth.ufp> wrote:
    >>> I would recommend people ask VSI if this is actually something that
    >>> can be made to be an outright vulnerability. _If_ it is, VSI really,
    >>> really, need to update this description to draw attention to this and
    >>> to also issue a CVE.
    >>>
    >>> _IF_ this is a vulnerability, then the kind of language used in that CVE
    >>> description is also the same kind of language that needs to be used
    >>> here.
    >>
    >> Deciding if this is a vulnerability or not may be tricky and I VSI
    >> may prefer to spend resources on fixing this. IIUC CVE is issued
    >> when there is some plausible way to exploit it. AFAIK several things
    >> first deemed impossible to exploit turned out to be vulnerabilities.
    >> So P1 looks reasonable and if there are no known exploits then not
    >> issuing CVE is reasonable too.
    >>
    >> To put it differently, "mere process crasher" is IMO rather rare.
    >> Usually it is a potential vulnerability.
    >
    > Yes.
    >
    > Everything related to DCL and data in P1 space above the start
    > of the user mode stack is sensitive, because it is privileged
    > stuff.
    >
    > I think the bottom line is: PATCH NOW!
    >
    > Arne

    I assume that there is not a patch for all platforms, all versions?
    What are the names of the files that are affected?
  • From Arne Vajhøj@arne@vajhoej.dk to comp.os.vms on Fri May 15 23:18:45 2026
    From Newsgroup: comp.os.vms

    On 5/15/2026 11:07 PM, steve sparrow wrote:
    > On 3/5/2026 8:57 AM, Arne Vajhøj wrote:
    >> Everything related to DCL and data in P1 space above the start
    >> of the user mode stack is sensitive, because it is privileged
    >> stuff.
    >>
    >> I think the bottom line is: PATCH NOW!
    >
    > I assume that there is not a patch for all platforms, all versions?
    > What are the names of the files that are affected?

    There are patches for all 3 platforms supported by VSI:

    VMS842L2A_DCL-V0400  V4.0-0  04-Mar-2026  AXP  V8.4-2L1,V8.4-2L2                  ECO kit (Rating-1)  No
    VMS842L3I_DCL-V0400  V4.0-0  04-Mar-2026  I64  V8.4-1H1,V8.4-2,V8.4-2L1,V8.4-2L3  ECO kit (Rating-1)  No
    VMS923X_DCL-V0400    V4.0-0  04-Mar-2026  X86  V9.2-2,V9.2-3                      ECO kit (Rating-1)  No

    and per release notes they replace:
    SYS$SYSTEM:DCL.EXE

    Arne

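    As an added example (not part of the thread, and not VSI's own code), a DCL procedure that reports what a node knows about the kits listed above: the PCSI history filtered on the DCL kit names, and the identification of the SYS$SYSTEM:DCL.EXE image the kits replace, so the output can be compared across an inventory of Alpha, Integrity and x86 systems. The wildcard pattern and the ANALYZE/IMAGE /SELECT=IDENTIFICATION qualifier are my assumptions, to be checked against HELP on the system in question.

```dcl
$! Added example, not from the thread and not VSI code: summarize what this
$! node knows about the DCL ECO kit, so each system's state can be compared
$! against the kit list posted above.
$ SET NOON
$ WRITE SYS$OUTPUT "Node:    ", F$GETSYI("NODENAME")
$ WRITE SYS$OUTPUT "Arch:    ", F$GETSYI("ARCH_NAME")
$ WRITE SYS$OUTPUT "Version: ", F$GETSYI("VERSION")
$ WRITE SYS$OUTPUT ""
$! PCSI keeps a history of every kit installed on (or removed from) the system.
$! Assumption: all three kit names contain "DCL", so one wildcard matches them.
$ WRITE SYS$OUTPUT "PCSI history for DCL kits:"
$ PRODUCT SHOW HISTORY *DCL*
$ WRITE SYS$OUTPUT ""
$! The kits replace SYS$SYSTEM:DCL.EXE. The image header carries the image
$! ident and link date, so this shows whether the file on disk is the patched
$! image. Assumption: /SELECT=IDENTIFICATION limits the output to that section.
$ WRITE SYS$OUTPUT "Identification of SYS$SYSTEM:DCL.EXE:"
$ ANALYZE/IMAGE/SELECT=IDENTIFICATION SYS$SYSTEM:DCL.EXE
$ EXIT
```

    Run it on each node as @CHECK_DCL_KIT (a hypothetical file name) and keep the output with the change record; a node whose history shows no kit matching the pattern, or whose DCL.EXE link date predates 04-Mar-2026, still needs the ECO.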