Doug, The rewording on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= looks good from my perspective, thanks for having it done!
As for the Flash email message, it's always possible that I accidentally deleted it - so don't waste too much time chasing that on my account... though since I was on the lookout for just such a message, I tend to think I never got it. Thanks for your responsiveness! David D. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug Sent: Tuesday, April 22, 2014 5:23 PM To: arslist@ARSLIST.ORG Subject: Re: Remedy, OpenSSL, and the Heartbleed bug ** David, Thank you for the note. I have forwarded comments to the folks that own the page that AR System was not explicitly called out. They used the product name BMC Remedy ITSM Suite to cover all things Remedy. I have suggested they change it to something like BMC Remedy AR System and ITSM Suite or to add a new set of entries that explicitly state just AR System. Since the ITSM Suite is fundamentally dependent on the AR System. The fact that the ITSM Suite is not affected by the bug means that the AR System is not affected because ITSM could not be unaffected if the technology it was built on (AR System) wasn't also unaffected. So, your environment is clear of the issue. I cannot promise that there will be a change to wording of the messages, but I have forwarded your concerns about the product name. NOTE: As I was still typing in this response, I got a note back from the person coordinating the response that if a change of wording helps, he is more than willing to get that done. At this point, the proposal is to change to say BMC Remedy AR System and ITSM Suite. This way there is not a need to list every app and every component of everything separately, but to still emphasize that the AR System is included in the list as not being affected by the issue. Only versions of the product under current support are listed in this table. The bug was introduced into OpenSSL in 2012. So, nothing that shipped prior to 2012 can be affected by the bug - and all things pre 7.6.04 were shipped prior to 2012. As for the Flash, an initial flash message was sent out the day of the report of the issue and BMC simply sent a note including every product that used OpenSSL as a potential. I posted that the Remedy line was clear to this list within a day or so of that message and then the forma note of this product and others from BMC came out a couple of days following that. I see the one posted was dated April 15. I am not sure why the solutions were listed as unknown at that time as we had the answer on April 9 that the Remedy line (all pieces) are not affected. It may have just been all the information filtering back and caution was in the "unknown until we have all definitive information otherwise" camp. I am not sure who gets the Flash notices or how registered - but will try and see why you did not get something since you believe you are signed up to receive them. Thank you for the comments and hopefully, we can clean up some of the aspects you found confusing quickly and consider these topics in future communications. Doug Mueller From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of David Durling Sent: Monday, April 21, 2014 6:37 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Remedy, OpenSSL, and the Heartbleed bug ** Doug, First, on my part I appreciate your initial note about the status of the Remedy line. However, I was also waiting for an "official" statement - web page or email - that I could send on to management & sort of verify that nothing else had turned up. My confusion was that I couldn't and still can't find "AR System" or any variant of that on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= , so just on Friday I told my management that AR System's status was still undermined per the note on that page saying products not in table 1 or 2 are still under investigation. We're all custom ARS, so I figured ITSM apps didn't apply to us. Am I misreading something on that page? Also, I *could* be mistaken but I'm pretty sure I never received a Flash bulletin like the one Jase initially posted about, though I'm subscribed to all "proactive notifications" for AR System Server & Flashboards. (I'm on 7.5 still, so don't know if that has anything to do with what alerts I receive.) Thanks, David David Durling University of Georgia _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
