==========================================================
Maintenance for IBM Sterling Connect:Direct for UNIX 4.1.0
==========================================================

This maintenance archive includes module replacements for the C:D UNIX
4.1.0 code base. It is applicable to C:D UNIX version 4.1.0, and
contains all the new functionality and fixes as described in the C:D
UNIX 4.1.0 Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for
short. iFixes are numbered sequentially from one starting with any
increment to V, R, M or F. Please see IBM's website for further details
regarding this methodology.

After applying the maintenance, the CLI banner will report that your
C:D version is 4.1.0.x, where x is the current Fix Pack. It will also
display the date that the maintenance was created.

For more information, please refer to the C:D UNIX 4.1.0 Release Notes.

==============================
iFixes to C:D for UNIX 4.1.0.0
==============================

001) QC18588 commit date: 18 Apr 2011
---------------------------------------
Stack overflow exploit potential in ndmsmgr.

002) QC18587 commit date: 25 Apr 2011
---------------------------------------
Null pointer dereference vulnerability in ndmsmgr.

003) QC18972 commit date: 26 Apr 2011
---------------------------------------
Added "daily" keyword that when specified with an elapsed time in the
startt parameter of a submit command will schedule the process for the
next day at the specified time.

004) QC19021 commit date: 26 Apr 2011
---------------------------------------
Trailing blanks are not stripped from first record of a text file
received with strip.blanks=yes and codepage conversion.

005) QC18999 commit date: 06 May 2011
---------------------------------------
XIPT011I error when Control Center attempts to import a large (greater
than 16k) trusted certificate file.

006) QC19050 commit date: 22 Jun 2011
---------------------------------------
Added functionality to allow server connections to strongly secure
sensitive information in session overhead and leave data which may not
be sensitive unencrypted to enhance performance. Documentation for this
feature and how to use it is available on our IBM Sterling Support
Center website.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 4.1.0.1
-----------------------------------------------------------

==============================
iFixes to C:D for UNIX 4.1.0.1
==============================

001) QC19079 commit date: 29 Jul 2011
---------------------------------------
XSMG271I error on restarted wildcard copy step when local user on
sending node is other than the C:D installer.

002) QC19299 commit date: 29 Jul 2011
---------------------------------------
SVSJ032I error sending a binary file to a z/OS destination file with V
or VB record format.

003) QC19065 commit date: 01 Aug 2011
---------------------------------------
XSMG605I error when copy step to OS/400 node fails and connection is
via Secure+ STS with digital signatures enabled.

004) QC19324 commit date: 05 Aug 2011
---------------------------------------
Scheduled process fails with XSQF009I error if cdpmgr is recycled
before the scheduled process start time.

005) QC19435 commit date: 08 Aug 2011
---------------------------------------
Files written and closed by C:D on NFS destination may not be
immediately ready for processing due to NFS delayed writes.

Added initparm to optionally call fsync function to attempt to flush
all data to disk before closing file. New initparm is
"fsync.after.receive" and is part of the "copy.parms" record of
initparm.cfg. It takes a value of 'y' or 'n', with 'y' indicating to
call fsync before closing a data file that was received. Default value
is 'n'.

006) QC19414 commit date: 09 Aug 2011
---------------------------------------
cdcust option to run "Configurations requiring root privilege" is
ineffective when root user is configured with a nologin shell.

007) QC19633 commit date: 15 Aug 2011
---------------------------------------
cdinstall fails to detect and provide notice when the installed C:D
version is newer than the installing version.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 4.1.0.2
-----------------------------------------------------------

==============================
iFixes to C:D for UNIX 4.1.0.2
==============================

001) QC19725 commit date: 27 Sep 2011
---------------------------------------
Process with snodeid override specified submitted on C:D UNIX node via
a submit statement within another C:D process may fail to pass snode
security.

NOTE: The previous designation of 'QC' for a product issue will be
transitioned to 'RTC' due to the migration to the IBM Rational tool
tracking system. Most fixes will also refer to an APAR number pursuant
to implementing IBM defect description terminology.

002) RTC303677 / APAR IC81358 commit date: 03 Feb 2012
--------------------------------------------------------
Statistics archive files may be owned by root.

003) QC20035 commit date: 02 Mar 2012
---------------------------------------
An LCCA082I error is generated after cdpmgr has been started by root
and a Secure+ configuration command is issued from a KQV client, like
Sterling Control Center.

004) QC20157 commit date: 06 Apr 2012
---------------------------------------
Null pointer dereference vulnerability in ndmsmgr for Secure+
connections. Vulnerability could enable denial of service attack.

005) QC20403 commit date: 06 Apr 2012
---------------------------------------
Potential for XPMR018I error when client such as Sterling Control
Center attempts to update the initparm.cfg file.

006) QC20041 commit date: 09 Apr 2012
---------------------------------------
Possible denial of service if attacker can play back multiple simulated
sessions that include large malformed session control packets that
generate lots of errors.

007) QC20473 commit date: 10 Apr 2012
---------------------------------------
Some records on z/OS VB destination file are not filled to LRECL
specification when sending a UNIX file with datatype=binary and
codepage conversion specified.

008) QC19832 commit date: 10 Apr 2012
---------------------------------------
On AIX systems, temporary work files are created in /tmp instead of
{C:D install dir}/work/{C:D node name} directory for processes
submitted by a user without write permission in the
{C:D install dir}/work/{C:D node name} directory.

009) QC19857 commit date: 12 Apr 2012
---------------------------------------
View process command may hang and generate many XUPC023I errors when
viewing a submitted process that includes a submit step with an snodeid
or pnodeid override.

010) QC20043 commit date: 18 Apr 2012
---------------------------------------
Stack overflow vulnerability in ndmauthc. An attacker could exploit the
vulnerability to execute commands with CDU installer authority.

011) QC20044 commit date: 19 Apr 2012
---------------------------------------
Stack overflow vulnerability in modules that read the initparm.cfg
file, like cdpmgr and ndmsmgr.

012) QC20158 commit date: 25 Apr 2012
---------------------------------------
ndmsmgr segmentation violation during S+ connection attempt using a
malicious certificate with an inordinately long subject. Possible
denial of service.

013) QC20638 commit date: 25 Apr 2012
---------------------------------------
ndmcmgr may be terminated by segmentation violation (signal 11 in most
cases) when a client such as C:D Browser or Control Center adds a
Functional Authority (new user).

014) RTC140725 / APAR IC82150 commit date: 27 Apr 2012
--------------------------------------------------------
Improved safe initialization procedures for suid files ndmauthc,
ndmauths, and cdpmgr.

015) RTC315406 commit date: 27 Apr 2012
-----------------------------------------
cdinstall indication of disk space requirement to install File Agent is
too low.

016) QC19758 commit date: 27 Apr 2012
---------------------------------------
C:D HP NonStop reports an invalid feedback code in the completion
status for a run task step submitted to C:D UNIX.

017) RTC328127 / APAR IC83593 commit date: 21 May 2012
--------------------------------------------------------
On exit, cdcust may give an inappropriate warning about incomplete root
authority configurations.

018) RTC103045 commit date: 24 May 2012
-----------------------------------------
When Secure+ is installed on a node for the first time, it must be
initialized. The initialization procedure requires the Connect:Direct
node name, but it is not offered by default.

019) RTC326139 commit date: 30 May 2012
-----------------------------------------
When SSL/TLS is enabled, updating the .SEAServer entry in Secure+ would
fail even when External Authentication is disabled: "Error: The
.SEAServer host name must be specified."

020) RTC140646 commit date: 31 May 2012
-----------------------------------------
Clients like Sterling Control Center or Connect:Direct Browser are able
to set an invalid tcp.api value in the local.node netmap entry causing
future api connections to be rejected.

021) RTC328994 / APAR IC84027 commit date: 08 Jun 2012
--------------------------------------------------------
spcli may display resolved symbolic link values for pathnames entered
with symbolic links specified.

022) RTC333723 / APAR IC84003 commit date: 08 Jun 2012
--------------------------------------------------------
When Connect:Direct UNIX (CDU) receives a redirect message, SCPA007I,
from Connect:Direct z/OS Plex environment, CDU inappropriately records
a non-zero completion code. Plex redirection is a normal operational
flow.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 4.1.0.3
-----------------------------------------------------------

In addition, C:D for UNIX 4.1.0.3 adds certification for AIX 7.1 on IBM
pSeries, and Red Hat Enterprise Linux (RHEL) version 6.2 on Intel and
AMD x86/x86-64. Please note the following list of system libraries that
are required to run on RHEL 6.2:

    libXtst-1.0.99.2-3.el6.i686
    libXmu-1.0.5-1.el6.i686
    libXt-1.0.7-1.el6.i686
    libXft-2.1.13-4.1.el6.i686
    libX11-1.3-2.el6.i686
    libXi-1.3-3.el6.i686
    libXext-1.1-3.el6.i686
    libXau-1.0.5-1.el6.i686
    libXrender-0.9.5-1.el6.i686

==============================
iFixes to C:D for UNIX 4.1.0.3
==============================

001) RTC336221 / APAR IC85214 commit date: 09 Aug 2012
--------------------------------------------------------
If multiple comm.info fields are defined in a netmap entry (valid for
some SNA connections), cdpmgr will leak memory whenever the netmap
entry is referenced.

002) RTC336094 / APAR IC84762 commit date: 17 Aug 2012
--------------------------------------------------------
comm.bufsize value defaults to 4096 when it's not specified in either
the remote node record or the local.node record of the netmap.cfg file.
Documented default is 65536.

003) RTC345214 / APAR IC86456 commit date: 13 Sep 2012
--------------------------------------------------------
Improper upgrade procedure resulting in mismatched Secure+ libraries
causes cdpmgr to hang on start up.

004) RTC350216 / APAR IC86881 commit date: 03 Oct 2012
--------------------------------------------------------
Secure cdpmgr initialization procedure to sanitize inherited
environment variables, added for APAR IC82150, may prevent run task
steps that depend on one or more of the inherited environment variables
from working properly. Solution adds initparm record
ndm.env_vars:sanitize=[y|n] to allow user option to prevent cdpmgr from
sanitizing inherited environment variables. Default value is 'y'.

NOTE: This new initparm is added for convenience. IBM recommends coding
run task steps so that they don't rely on inherited environment
variables.

005) RTC336848 / APAR IC85987 commit date: 31 Oct 2012
--------------------------------------------------------
cdpmgr server is killed when command logging is turned on and a client,
such as Sterling Control Center, attempts to import a large Secure+
trusted certificates file.

006) RTC356606 / APAR IC88093 commit date: 09 Nov 2012
--------------------------------------------------------
Certain business scenarios may require the need to specify a
non-standard record delimiter for UNIX text files. Added new copy step
sysopt called RECDL. The value of this sysopt is specified as
x{hex value of character to be used as the text file record delimiter},
and will cause C:D to use the indicated character as the text file
record delimiter instead of the traditional ASCII LF.

For example, if the source file is in EBCDIC and using the EBCDIC NL
(new line character) as the record delimiter, the source file sysopts
would include ":RECDL=x15:".

007) RTC341549 / APAR IC86449 commit date: 24 Jan 2013
--------------------------------------------------------
On AIX 6.1 and above, a copy step that overwrites a local file to which
the local user has no write permission is successful.

008) RTC349446 / APAR IC87996 commit date: 28 Jan 2013
--------------------------------------------------------
The Partitioned Data Set (PDS) member name, key word PPMN, is listed
twice in the Copy Termination Record (record id CTRC) that is logged to
statistics when copying a file to or from a zSeries PDS member.

009) RTC355425 / APAR IC89092 commit date: 28 Jan 2013
--------------------------------------------------------
Upgrading to 4.1.0 from a release previous to 4.1.0 configured with
Secure+ generates some inappropriate messages indicating that the
initialize Secure+ operation failed.

010) RTC363760 / APAR IC89667 commit date: 09 May 2013
--------------------------------------------------------
Secure+ SSL connection initiated to Connect:Direct for z/OS uses a 16k
buffer even when both sides have larger buffer sizes specified.

011) RTC363064 / APAR IC89513 commit date: 09 May 2013
--------------------------------------------------------
On some Solaris systems, CLI may fail to connect, reporting XSEC016I
message. ndmauthc or ndmauths may also generate a core file when this
happens.

012) RTC374346 / APAR IC91973 commit date: 09 May 2013
--------------------------------------------------------
Greater than two gig file transfers fail with XSQF006I on Linux systems
with kernel version 3.x.

013) RTC373823 / APAR IC91661 commit date: 09 May 2013
--------------------------------------------------------
Custom program using the Connect:Direct UNIX API may generate XCMG000I
errors when submitting a command. Server may show an XSEC012I error
concurrently.

014) RTC371183 / APAR IC92400 commit date: 09 May 2013
--------------------------------------------------------
Run task steps that rely on a LANG environment variable setting other
than the system default value execute incorrectly.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 4.1.0.4
-----------------------------------------------------------