==================================================================
Maintenance for IBM Sterling Connect:Direct FTP Plus Version 1.2.0
==================================================================

This maintenance archive includes module replacements for the C:D FTP+
1.2.0 code base. It is applicable to C:D FTP+ version 1.2.0, and
contains all the new functionality and fixes as described in the
C:D FTP+ 1.2.0 Release notes, as well as fixes for the issues listed
below.

After applying the maintenance, the banner displayed when initiating a
connection to a server will report that your C:D version is 1.2.0.x,
where x is the current Fix Pack. It will also display the date that the
maintenance was created.

For more information, please refer to the C:D FTP+ 1.2.0 Release Notes.

==========================
iFixes to C:D FTP+ 1.2.0.0
==========================

001) QC18743 commit date: 22 Feb 2012
---------------------------------------
Binary files retrieved from OS/390 HFS are corrupted.

002) QC19250 commit date: 27 Feb 2012
---------------------------------------
put or get attempted after connection is broken goes into retry but
never successfully reconnects. Other commands issued in same scenario,
such as cd or dir, fail but do not clearly indicate that failure is due
to communication issue.

NOTE: The previous designation of 'QC' for a product issue will be
transitioned to 'RTC' due to the migration to the IBM Rational tool
tracking system. Also, most fixes will also refer to an APAR number
pursuant to implementing IBM defect description terminology.

003) RTC314166 commit date: 13 Mar 2012
-----------------------------------------
get command hangs when receiving a 0 byte file over a Secure+
connection.

004) RTC412135 / APAR IC99435 commit date: 12 Feb 2014
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ is affected by a vulnerability in the
IBM Runtime Environment, Java(TM) Technology Edition (CVE-2013-1500).

005) RTC442047 / APAR IT04790 commit date: 14 Oct 2014
--------------------------------------------------------
get command hangs or is interrupted with "550 A communications error
occurred while trying to send a message" when receiving certain files
in binary mode over a Secure+ connection.

006) RTC455801 / APAR IT07069 commit date: 11 Feb 2014
--------------------------------------------------------
SSLv3 contains a vulnerability that has been referred to as the Padding
Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).
SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is
enabled. Fix changes the default protocol from SSLv3 to TLS.