============================================================================
Copyright © Aricent Holdings Luxembourg S.a.r.l. 2018,2019. All rights reserved.
============================================================================

=================================================
Maintenance for IBM Connect:Direct for UNIX 6.0.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX
6.0.0 code base. It is applicable to C:D UNIX version 6.0.0, and contains
all the new functionality and fixes as described in the C:D UNIX 6.0.0
Release Notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for short.
iFixes are numbered sequentially from one starting with any increment to
V, R, M or F. Please see IBM's website for further details regarding this
methodology.

After applying the maintenance, the CLI banner will report that your C:D
version is 6.0.0.x, where x is the current Fix Pack. It will also display
the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.0.0 Release Notes.

=================================================
iFixes listed below apply to C:D for UNIX 6.0.0.0
=================================================

001) MFT-10001 / APAR IT26905    commit date: 16 Nov 2018
--------------------------------------------------------
IBM Sterling Connect:Direct for UNIX uses IBM Runtime Environment Java
(JRE) Versions 8.0.5.15 and 8.0.5.17.
These JREs are vulnerable to the following issues, disclosed as part of
the IBM Java SDK updates in July 2018:

CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain
elevated privileges on the system, caused by the failure to restrict the
use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the
same machine and use Attach API operations to only the process owner. An
attacker could exploit this vulnerability to execute untrusted native
code and gain elevated privileges on the system.

CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling
Framework for Java (DTFJ) does not protect against path traversal attacks
when extracting compressed dump files.

002) CDUA-1234    commit date: 10 Dec 2018
--------------------------------------------------------
Trace file names having absolute path are set correctly for
PMGR/CMGR/SMGR.

003) CDUA-1235    commit date: 24 Dec 2018
--------------------------------------------------------
Delete Secure+ remote node operation, whose alias node name with upper
case letter is present, returns Error code SPCG270E.

004) MFT-10047 / APAR IT27442    commit date: 11 Jan 2019
--------------------------------------------------------
When upgrading a C:D UNIX node with an existing keystore, a keystore
password is not required. However, the automated install script,
cdinstall_a, fails reporting CDAI003E when the cdai_installCmd is set to
"upgrade" and no cdai_keystorePassword parameter is coded.

005) CDUA-1287/CDUA-1291    commit date: 15 Jan 2019
--------------------------------------------------------
CDUA-1287 - cfgcheck crash is observed. Due to the cfgcheck crash, the
silent installation/upgrade procedure fails with rc=22.
CDUA-1291 - cdpmgr crash observed if the process is started as root. The
process runs normally with a user account.

006) CDUA-1296    commit date: 16 Jan 2019
--------------------------------------------------------
Not able to restore from 6.0 to 4.3 by taking backup manually on Solaris.

007) CDUA-1292    commit date: 17 Jan 2019
--------------------------------------------------------
When upgrade with silent installer fails, the service which was
previously up before upgrade is not up after auto restore of C:D UNIX
node.

008) MFT-9526 / APAR IT26469    commit date: 23 Jan 2019
-------------------------------------------------------
Running C:D UNIX on Solaris 10 requires Update 10 or greater. Updates may
be applied as a full release or as a patchset. cdinstall correctly
recognizes a full release Update, but wasn't recognizing a patchset
update and failed the install.

009) CDUA-1295    commit date: 25 Jan 2019
-----------------------------------------
When upgraded with silent installer on Solaris, the client port remains
in TIME_WAIT state and takes some time to clear, as a result of which
silent installation fails with rc=34.

010) CDUA-1324    commit date: 28 Jan 2019
-----------------------------------------
Silent installation on Solaris fails with rc=22.

011) CDUA-1328    commit date: 29 Jan 2019
-----------------------------------------
On a Solaris system with IPV6 connectivity configured, cdpmgr start up
may fail reporting an XIPT002I message, and CLI connections may fail
reporting an XIPT003I message.

012) MFT-9523    commit date: 04 Feb 2019
----------------------------------------
Control Center not reading CDU Secure+ presence correctly.

013) CDUA-1233    commit date: 06 Feb 2019
-----------------------------------------
An update request for the SEAServer node's Override, ClientAuth and
EncryptData parameters should return an error, and these parameters shall
not be displayed over SPCLI.

014) MFT-9917 / APAR IT27019    commit date: 13 Feb 2019
-------------------------------------------------------
An ICC select process command submitted to C:D UNIX may occasionally fail
with CNCD058E message.

015) CDUA-1380    commit date: 19 Feb 2019
-----------------------------------------
Update white label script notices, licensing information, and ports.

016) MFT-10143 / APAR IT28061    commit date: 25 Feb 2019
-------------------------------------------------------
A proxy update issued by a KQV client does not complete successfully if
the user name or node name contains a period.

017) MFT-9967 / APAR IT26865    commit date: 08 Mar 2019
-------------------------------------------------------
CD UNIX may allow a user with sudo access restricted to certain CD UNIX
executable files to expand access beyond the restriction, as indicated in
the following issue:

CVE-2018-1903: IBM Sterling Connect:Direct for UNIX could allow a user
with restricted sudo access on a system to manipulate CD UNIX to gain
full sudo access.

018) CDUA-1336    commit date: 25 Mar 2019
--------------------------------------------------------
Transfer rate to AWS S3 needs improvement. This fix also adds support for
direct access to S3 from an on-premises node.

The following new properties are available and can be used in the
initparm.cfg file or sysopts:

s3.endPointUrl        IP or hostname to access S3 services.
                      Amazon S3 endpoint is the default.
                      Example: s3.endpointUrl=my.s3provider.com

s3.endPointPort       Port to use if any. No default value.
                      Example: s3.endpointPort=8080

s3.endPointSecure     Secure or non secure access. HTTPS or HTTP requests.
                      YES is the default.
                      Example: s3.endpointSecure=NO

s3.profilePath        Credential file to use.
                      Amazon credentials search order is the default.
                      Example: s3.profilePath='/opt/some path/credentials'

s3.profileName        Profile name to use from credential file.
                      Default is the Amazon S3 default [default].
                      Example: s3.profileName=otherprofile

s3.executorQueue      Parallel transfer upload queue size. Default is 5.

s3.executorMinPool    Parallel upload. Initial number of transfer upload
                      threads to use. Default is 10.

s3.executorMaxPool    Parallel upload. Maximum number of transfer upload
                      threads to use. Default is 30.
                      Max value is AmazonS3 max connections (50).