==================================================================
Maintenance for IBM Sterling Connect:Direct FTP Plus Version 1.2.0
==================================================================

This maintenance archive includes module replacements for the C:D FTP+ 1.2.0 code base. It is applicable to C:D FTP+ version 1.2.0, and contains all the new functionality and fixes as described in the C:D FTP+ 1.2.0 Release Notes, as well as fixes for the issues listed below.

After applying the maintenance, the banner displayed when initiating a connection to a server will report that your C:D version is 1.2.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created.

For more information, please refer to the C:D FTP+ 1.2.0 Release Notes.

==========================
iFixes to C:D FTP+ 1.2.0.0
==========================

001) QC18743 commit date: 22 Feb 2012
---------------------------------------
Binary files retrieved from OS/390 HFS are corrupted.

002) QC19250 commit date: 27 Feb 2012
---------------------------------------
A put or get attempted after the connection is broken goes into retry but never successfully reconnects. Other commands issued in the same scenario, such as cd or dir, fail but do not clearly indicate that the failure is due to a communication issue.

NOTE: The previous designation of 'QC' for a product issue will be transitioned to 'RTC' due to the migration to the IBM Rational tool tracking system. Also, most fixes will also refer to an APAR number pursuant to implementing IBM defect description terminology.

003) RTC314166 commit date: 13 Mar 2012
-----------------------------------------
The get command hangs when receiving a 0 byte file over a Secure+ connection.

004) RTC412135 / APAR IC99435 commit date: 12 Feb 2014
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ is affected by a vulnerability in the IBM Runtime Environment, Java(TM) Technology Edition (CVE-2013-1500).

005) RTC442047 / APAR IT04790 commit date: 14 Oct 2014
--------------------------------------------------------
The get command hangs or is interrupted with "550 A communications error occurred while trying to send a message" when receiving certain files in binary mode over a Secure+ connection.

006) RTC455801 / APAR IT07069 commit date: 11 Feb 2014
--------------------------------------------------------
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566). SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is enabled. The fix changes the default protocol from SSLv3 to TLS.

007) RTC503673 / APAR IT15845 commit date: 28 Jun 2016
--------------------------------------------------------
Connect:Direct FTP+ uses Flexera InstallAnywhere, which is vulnerable to the following issue:

CVE-2016-4560: Flexera InstallAnywhere could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.

NOTICE: This is the last release to be published for C:D FTP+ 1.2.0 for HP-UX PA_RISC. In the future, releases for this platform will be available on demand only from Customer Support.

008) RTC546237 / APAR IT21636 commit date: 30 Jul 2017
--------------------------------------------------------
IBM Sterling Connect:Direct FTP+ uses jzlib version 1.1.3. This jzlib version is vulnerable to the following issues:

CVE-2016-9840: zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2016-9841: zlib is vulnerable to a denial of service, caused by out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2016-9842: zlib is vulnerable to a denial of service, caused by an undefined left shift of a negative number. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2016-9843: zlib is vulnerable to a denial of service, caused by a big-endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service.