==========================================================
Maintenance for IBM Sterling Connect:Direct for UNIX 4.2.0
==========================================================

This maintenance archive includes module replacements for the C:D UNIX 4.2.0 
code base. It is applicable to C:D UNIX version 4.2.0, and contains all the new 
functionality and fixes as described in the C:D UNIX 4.2.0 Release notes, as 
well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying software. 
V, R, M and F are Version, Release, Modification and Fix Pack respectively.  In 
general, V.R.M imply new functionality, while F is an accumulation of fixes 
called a Fix Pack.  The term Fix Pack will be used going forward in place of 
Cumulative Maintenance.  Individual fixes also have a new name, Interim Fixes, 
or iFixes for short.  iFixes are numbered sequentially from one starting with 
any increment to V, R, M or F.  Please see IBM's website for further details 
regarding this methodology.  

After applying the maintenance, the CLI banner will report that your C:D 
version is 4.2.0.x, where x is the current Fix Pack.  It will also display the 
date that the maintenance was created.

For more information, please refer to the C:D UNIX 4.2.0 Release Notes.

==============================
iFixes to C:D for UNIX 4.2.0.0
==============================

001) RTC425410 / APAR IT01935 / CVE-2014-0963  commit date:  12 May 2014
------------------------------------------------------------------------
     Vulnerability related to Record Processing in TLS 1.0 and later which can
     result in high CPU Utilization that requires a system reboot to resolve.

002) RTC423150  commit date:  13 May 2014
-----------------------------------------
     Inappropriate CSPA204E written to statistics when Sterling Contol Center
     Secure Connection settings are changed.

003) RTC423881 / APAR IT01701  commit date:  23 May 2014
--------------------------------------------------------
     z/OS file allocation attributes specified in a type defaults file 
     (typekey) may not be honored. Copy step may also fail with errors similar 
     to SVSJ032I.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 4.2.0.1
-----------------------------------------------------------

==============================
iFixes to C:D for UNIX 4.2.0.1
==============================

001) RTC428811 / APAR IT02517  commit date:  12 Jun 2014
--------------------------------------------------------
     cdpmgr fails to start, reporting "Secure+ library installation
     corrupted", after upgrading from a previous CDU version without Secure+
     installed.

002) RFE 401559 (ID 40797) / APAR IT03451  commit date:  01 Aug 2014
--------------------------------------------------------------------
     Simple clicking OK button in CD Secure+ Admin tool, without changing any
     value is updating the node's record file.

003) RTC432516 / APAR IT03523  commit date:  01 Aug 2014
--------------------------------------------------------
     On some Linux systems, CDU 4.2.0 may fail to start, reporting an
     exception that indicates "libgsk8cms.so: cannot open shared object file: 
     No such file or directory".

004) RTC102568 / APAR IT03815  commit date:  19 Aug 2014
--------------------------------------------------------
     An interrupted snode process goes into WAIT/WS state until pnode resumes 
     the process.  If pnode never resumes the process, the snode process will 
     remain in the TCQ in WAIT/WS indefinitely.

     Fix adds a new parameter to the tcq record of the initparm.cfg, 
     ckpt.max.age.  This parameter specifies the number of days that an snode 
     process will remain in WAIT/WS state waiting for the pnode to resume the 
     process before it is automatically deleted.  The default value is 8.

005) RTC433169 / APAR IT04106  commit date:  04 Sep 2014
--------------------------------------------------------
     If a connection attempt to a remote node failed for some reason, the
     session start statistics record (SSTR) would log a completion code (CC) 
     of 0, improperly indicating that the session attempt succeeded.

006) RTC436256 / APAR IT04446  commit date:  17 Sep 2014
--------------------------------------------------------
     Added millisecond time resolution to some of the existing time stamps
     saved in statistics logs, such as "Stat log record time" (STAR), "Start
     time of event" (STRT) and "Stop time of the event" (STPT).  The CLI will
     only display the added resolution for select statistics with detail=yes.
     API clients can choose whether or not to display the added resolution.

007) RTC448795 / APAR IT05619  commit date:  18 Nov 2014
--------------------------------------------------------
     The SSLv3 protocol contains a number of weaknesses including POODLE
     (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566).  IBM
     Sterling Connect:Direct (CD) for UNIX is therefore also vulnerable
     when the SSLv3 protocol is used.  When CD for UNIX is operating as the
     SSL server (snode in CD terms) and is configured for TLS connections,
     and a CD operating as the SSL client (pnode in CD terms) attempts an
     SSLv3 connection, it's possible that CD for UNIX will allow the
     connection to be made and negotiated to SSLv3.  Fix prevents the
     possible negotiation to SSLv3 when TLS is configured.

     NOTICE:  SSLv3 is an obsolete and insecure protocol.  IBM recommends
              to use the TLS protocol instead.  To fully disable SSLv3 and
              use TLS instead, ensure that all secure connections are
              configured to 'Enable TLS Protocol' and 'Disable Override'.