MH01644
08/16/16
|
- Using the lshmcencr command enhancements to list
the current SSH encryptions will initially show no
results (lshmcencr -c ssh -t c).
This indicates the default list of all the supported
SSH ciphers is currently configured.
Once a user modifies the defaults using the chhmcencr
-c ssh command, the list command will
correctly return the active ciphers.
- This PTF has been rebuilt to resolve an issue that
can cause one or more managed servers to go to an
"incomplete" state. The impacted PTF has a build
date of 08-16-2016. Users that have already applied
the 08-16 build of MH01659 should download the new
build and re-apply the PTF, even if they are
currently not encountering any symptoms.
Impacted build:
"version= Version: 7
Release: 7.9.0
Service Pack: 3
HMC Build level 20160816.1
MH01659: security updates (08-16-2016)
","base_version=V7R7.9.0
"
- Enhanced the chhmcencr and lshmcencr commands to
support user configuration of the encryption ciphers
and Message Authentication Code (MAC) algorithms
used by the HMC Secure Shell (SSH) interface.
- Fixed Apache Tomcat Vulnerability: CVE-2016-3092.
- Fixed multiple NTP vulnerabilities: CVE-2015-7703,
CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and
CVE-2016-2518.
- Fixed multiple OpenSSH vulnerabilities:
CVE-2015-6563, CVE-2015-6564, CVE-2016-3115, and
CVE-2016-1908.
- Fixed IBM WebSphere Application Server (WAS)
vulnerability: CVE-2016-2923.
- Updated the expiration date for the vterm
applet. The current certificate expires August
25th 2016.
- Fixed an issue where, after successfully applying
a concurrent server firmware update, the HMC
Change Licensed Internal Code panel could show an
incorrect pending deferred firmware level. The
problem does not impact the GUI view levels task or
lslic command. This issue is only exposed by a
rare type of concurrent server firmware update which
has never been released in the field but could occur
in the future.
- Fixed an issue where HMC backups to a remote
server may fail with rc=26 permission denied
when the remote user has write access to the
target. The problem only occurs when a
previous backup was done and the remote user does
not have the permissions to overwrite an existing
RemoteAccessFile.Test file.
- Fixed a problem where HMC to HMC communication
intermittently fails, resulting in serviceable event
B3036620. Other symptoms include failure to
negotiate a primary HMC for problem analysis, which
can result in failure to report a server serviceable
event or calling home the same event twice.
Repeated occurrences of the B3036620 without an HMC
reboot can eventually lead to a hang of the HMC
where users are unable to log in via the GUI or run
commands via ssh.
- No longer initialize the OS version the HMC shows
for VIOS partitions with the underlying OS kernel
version information. This practice sometimes
caused the OS version shown for VIOS partitions to
be the base AIX version, or to be the VIOS OS
version appended with the AIX OS version
distribution number. After this fix, if the
HMC is unable to query the OS version information
from the VIOS, the OS version shown will be blank.
- Changed the backup critical console data function
to no longer fail when the backup of performance
monitoring data fails. With this fix, a
warning is reported if the performance monitoring
data is not successfully backed up and the backup
function continues. Prior to this fix, the
backup function failed with the wrong error.
- Fixed a rare timing issue where attempting to view
properties on a powered off server can cause the HMC
to lose connection to all managed servers until the
next HMC reboot. SRC E23D040A may be reported due to the core dump of the hdwr_svr process.
- Fixed a problem where, on the local HMC console
session, the HMC Management > Open
Restricted Shell Terminal GUI task is not displayed
for any HMC user except hscroot.
- Fixed an issue where a managed system may go into
an Incomplete state after removing I/O hardware due
to stale data in the hardware discovery cache
causing an unhandled NullPointerException.
- Fixed an issue that impacts partition profiles
that contain SR-IOV logical ports and also contain
virtual Ethernet adapters that use non-default
vSwitches. After the first activation of the
profile, any non-default vSwitches used by virtual
Ethernet adapters in the profile will be changed to
the default vSwitch. The user must edit all
affected profiles to restore the original vSwitch
names.
|
MH01635
6/23/16
|
- Added functionality to the chhmc command to allow
an admin to set a grub password at bootup.
- Removed support for all ciphers that are less
than or equal to 1024 bits on port 443.
- Fixed OpenSSL vulnerabilities:
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107,
CVE-2016-2108, and CVE-2016-2109
- Fixed Java vulnerability: CVE-2016-3426
- Fixed Power Hardware Management Console
vulnerability: CVE-2016-0230
- Fixed GnuTLS security vulnerabilities: CVE-2015-2806
and CVE-2015-8313
- Fixed an issue with the "mu" key not working when
using an IBM spacesaver keyboard with the Japanese
keyboard layout.
- Fixed an issue with pedbg failing to collect all
the necessary data when the zip file exceeded 2GB.
- Fixed an issue where the event log showed HSCL05E9
when activating new partitions.
- Fixed a backup issue where PCM data was included
even though the user did not select to include PCM
data.
|
MH01628
05/16/16
|
- Disabled DHE ciphers with private key less than or
equal to 1024 bits.
- Enhanced logging for serviceable event E212E122
logged against /dev.
|
MH01622
04/22/16
|
- Fixed the following OpenSSL security
vulnerabilities: CVE-2015-3197, CVE-2016-0702,
CVE-2016-0705, CVE-2016-0797
- Fixed Tomcat vulnerabilities:
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346,
CVE-2015-5351, CVE-2016-0706, CVE-2016-0714,
CVE-2016-0763
- Fixed vulnerabilities in BIND: CVE-2016-1285 and
CVE-2016-1286
- Fixed security vulnerability with strongSwan:
CVE-2015-8023
- Fixed a security issue with HMC restricted shell.
- Fixed a Repair & Verify issue on systems
utilizing the 24 inch frame with a power
subsystem where users can experience a failure of
concurrent service maintenance activities on
power components within the CEC enclosure, the Power
Subsystem enclosure, and any installed I/O devices
within the frame. Servers impacted include
the POWER 575, 590, 595, 795: Models
9125-F2A,F2B,F2C; 9118-575; 9119-590,595,FHA,FHB;
9406-595.
Errors include:
"An internal error occurred when the management
console attempted to validate the service network.
Some or all of the required network resources may
not be available. Contact your next level of
support for problem determination."
and
"Redundancy status could not be determined for the
FRU in location: U5791.001.XXXXXXX-Ex" (example)
The FRU cannot be exchanged concurrently. The IO
Drawer must be powered off and partitions may need
to be shut down to continue the repair."
- Fixed an issue where serviceable event E212E115
may be reported against rmcd during performance
information transmission.
- Fixed a rare deadlock issue that required an HMC
reboot to recover. Symptoms include being unable to
log in to the GUI remotely; CLI commands failing
with "command server failed" errors; and partition
mobility failing with "HSCLA200 An unknown error
occurred during the partition migration."
|
MH01610
03/15/16
|
- Fixed a Java security issue: CVE-2016-0448
- Fixed security vulnerabilities in glibc:
CVE-2015-7547, CVE-2014-9761, CVE-2015-8776,
CVE-2015-8777, and CVE-2015-8778
- Enabled all TLS protocols on the vterm (9960),
FCS (9920) and remote web access (12443) ports.
- Fixed an issue during Remote Restart to prevent
the LPARs from going into open firmware state on the
target managed system because storage
mappings/adapters were missing. The HMC will now
report a valid error when an exception is hit and
will display the correct Remote Restart status.
|
MH01605
02/17/16
|
- Fixed multiple OpenSSH vulnerabilities involving
the ssh client "Roaming" feature: CVE-2016-0777 and
CVE-2016-0778
- Fixed multiple vulnerabilities in NTP:
CVE-2015-7691, CVE-2015-7692, CVE-2015-7701,
CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
CVE-2015-7705, CVE-2015-7848, CVE-2015-7849,
CVE-2015-7850, CVE-2015-7851, CVE-2015-7852,
CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and
CVE-2015-7871
- Fixed an issue where the managed servers go to an
Incomplete state when the RMC interface has a blank
(null) ipv4 or ipv6 value.
- Fixed an issue where /var may fill up with core
dumps when Pegasus server is enabled and in use by a
remote client.
|
MH01597
1/25/16
|
- Fixed multiple OpenSSL Vulnerabilities:
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195,
CVE-2015-3196, and CVE-2015-1794
- Fixed multiple Java Vulnerabilities:
CVE-2015-4843, CVE-2015-4868, CVE-2015-4806,
CVE-2015-4872, CVE-2015-4911, CVE-2015-4893,
CVE-2015-4842, and CVE-2015-4803
- Fixed an issue where the HMC web server may
intermittently deadlock. Symptoms include one
or more of the following: unable to connect using a
browser; browser error "Service Temporarily
Unavailable"; multiple serviceable events for
E35A0016 and/or E35A0017; unable to restart
due to / file system full from repeated diagnostic
dumps.
|