========================================================== Maintenance for IBM Sterling Connect:Direct for UNIX 4.2.0 ========================================================== This maintenance archive includes module replacements for the C:D UNIX 4.2.0 code base. It is applicable to C:D UNIX version 4.2.0, and contains all the new functionality and fixes as described in the C:D UNIX 4.2.0 Release notes, as well as fixes for the issues listed below. This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance. Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology. After applying the maintenance, the CLI banner will report that your C:D version is 4.2.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created. For more information, please refer to the C:D UNIX 4.2.0 Release Notes. ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.0 ================================================= 001) RTC425410 / APAR IT01935 / CVE-2014-0963 commit date: 12 May 2014 ------------------------------------------------------------------------ Vulnerability related to Record Processing in TLS 1.0 and later which can result in high CPU Utilization that requires a system reboot to resolve. 002) RTC423150 commit date: 13 May 2014 ----------------------------------------- Inappropriate CSPA204E written to statistics when Sterling Contol Center Secure Connection settings are changed. 003) RTC423881 / APAR IT01701 commit date: 23 May 2014 -------------------------------------------------------- z/OS file allocation attributes specified in a type defaults file (typekey) may not be honored. Copy step may also fail with errors similar to SVSJ032I. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.1 ----------------------------------------------------------- ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.1 ================================================= 001) RTC428811 / APAR IT02517 commit date: 12 Jun 2014 -------------------------------------------------------- cdpmgr fails to start, reporting "Secure+ library installation corrupted", after upgrading from a previous CDU version without Secure+ installed. 002) RFE 401559 (ID 40797) / APAR IT03451 commit date: 01 Aug 2014 -------------------------------------------------------------------- Simple clicking OK button in CD Secure+ Admin tool, without changing any value is updating the node's record file. 003) RTC432516 / APAR IT03523 commit date: 01 Aug 2014 -------------------------------------------------------- On some Linux systems, CDU 4.2.0 may fail to start, reporting an exception that indicates "libgsk8cms.so: cannot open shared object file: No such file or directory". 004) RTC102568 / APAR IT03815 commit date: 19 Aug 2014 -------------------------------------------------------- An interrupted snode process goes into WAIT/WS state until pnode resumes the process. If pnode never resumes the process, the snode process will remain in the TCQ in WAIT/WS indefinitely. Fix adds a new parameter to the tcq record of the initparm.cfg, ckpt.max.age. This parameter specifies the number of days that an snode process will remain in WAIT/WS state waiting for the pnode to resume the process before it is automatically deleted. The default value is 8. 005) RTC433169 / APAR IT04106 commit date: 04 Sep 2014 -------------------------------------------------------- If a connection attempt to a remote node failed for some reason, the session start statistics record (SSTR) would log a completion code (CC) of 0, improperly indicating that the session attempt succeeded. 006) RTC436256 / APAR IT04446 commit date: 17 Sep 2014 -------------------------------------------------------- Added millisecond time resolution to some of the existing time stamps saved in statistics logs, such as "Stat log record time" (STAR), "Start time of event" (STRT) and "Stop time of the event" (STPT). The CLI will only display the added resolution for select statistics with detail=yes. API clients can choose whether or not to display the added resolution. 007) RTC448795 / APAR IT05619 commit date: 18 Nov 2014 -------------------------------------------------------- The SSLv3 protocol contains a number of weaknesses including POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566). IBM Sterling Connect:Direct (CD) for UNIX is therefore also vulnerable when the SSLv3 protocol is used. When CD for UNIX is operating as the SSL server (snode in CD terms) and is configured for TLS connections, and a CD operating as the SSL client (pnode in CD terms) attempts an SSLv3 connection, it's possible that CD for UNIX will allow the connection to be made and negotiated to SSLv3. Fix prevents the possible negotiation to SSLv3 when TLS is configured. NOTICE: SSLv3 is an obsolete and insecure protocol. IBM recommends to use the TLS protocol instead. To fully disable SSLv3 and use TLS instead, ensure that all secure connections are configured to 'Enable TLS Protocol' and 'Disable Override'. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.2 ----------------------------------------------------------- ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.2 ================================================= 001) RTC442224 / APAR IT04683 commit date: 19 Dec 2014 -------------------------------------------------------- In some circumstances, CDU will mistake a new incoming process for a restarted process, generating an XSMG251I message and process failure. 002) RTC442941 / APAR IT05409 commit date: 19 Dec 2014 -------------------------------------------------------- In some circumstances, CDU will inappropriately synchronize a new incoming run task process with a previously interrupted run task process, and immediately return the status of the interrupted process with an XSMG417I message instead of running the new task. 003) RTC443927 / APAR IT04686 commit date: 19 Dec 2014 -------------------------------------------------------- When C:D is doing work, temporary files are created in the {C:D UNIX installation directory}/work/{C:D UNIX node name} directory. After certain error scenarios, some of these temporary files are not removed. 004) RTC451495 / APAR IT06191 commit date: 05 Jan 2015 -------------------------------------------------------- CVE-2014-8730, a Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack, affects Sterling Connect:Direct for UNIX. 005) RTC453918 / APAR IT06994 commit date: 21 Jan 2015 -------------------------------------------------------- FASP transfers use port 33001 on the snode side, no matter which fasp record listen ports are configured in the snode initparm.cfg file. 006) RTC454367 / APAR IT06869 commit date: 05 Feb 2015 -------------------------------------------------------- A client which has submitted a maxdelay process that lasts longer than one minute may get an error return code with message XCMM044I returned after exactly one minute. 007) RTC418516 / APAR IT02062 commit date: 06 Feb 2015 -------------------------------------------------------- The first several characters of the file name specification are cut off when received by 64 bit File Open Exits on Linux or Solaris x86 platforms. WARNING: All File Open Exits, including 32 bit versions, must be recompiled after applying this fix. 008) RTC456414 commit date: 13 Feb 2015 ----------------------------------------- Added a PMR Stamper and Data Collector utility, which automates gathering diagnostic information about Connect:Direct for UNIX and optionally sends it to IBM Support. Execute "{C:D UNIX installation directory}/etc/CD_Data_Collector --help" to see usage details. 009) RTC452436 / APAR IT07136 commit date: 17 Feb 2015 -------------------------------------------------------- Automated upgrade to C:D UNIX 4.2.0 from versions previous to 4.2.0 fails with error message CDAI015E. 010) RTC392436 / APAR IT03077 commit date: 17 Feb 2015 -------------------------------------------------------- An upgrade command performed by the automated installation script (cdinstall_a) will fail if pre-existing configuration files don't pass the configuration check, or if the sample.cd process fails to complete successfully, even when the configuration errors or sample.cd operation failure is considered tolerable. Fix adds a variable to cdinstall_a called cdai_verifyUpgrade. This variable allows users to choose whether to verify an upgrade or not. Valid values are "y" (the default) and "n". 011) RTC457220 / APAR IT07339 commit date: 24 Feb 2015 -------------------------------------------------------- A wildcard copy with the source specification on AIX may occasionally fail to find any files matching the wildcard pattern when matching files in fact exist. 012) RTC456767 / APAR IT07359 commit date: 25 Feb 2015 -------------------------------------------------------- CDU 4.2.0 automated installation script (cdinstall_a) doesn't process the cdai_localCertFile parameter or other certificates located in the deployment directory. 013) RTC431679 / APAR IT03078 commit date: 27 Feb 2015 -------------------------------------------------------- The automated installation script, cdinstall_a, doesn't provide an option to deploy a custom keystore file or a custom label for the deployed keycert file. Fix adds and describes three new optional variables, cdai_keystoreFile, cdai_keystorePassword, and cdai_localCertLabel, that allow users to deploy a custom keystore file and specify the keycert label to be used in basic Secure+ configurations. If cdai_keystoreFile and cdai_keystorePassword are specified, then the automated installation will use this file as the keystore file. If they are not specified, then the automated installation procedure will use the default keystore file that is created during the installation. In either case, the keystore file will be customized by adding the certificate portion of the deployed keycert file and any other deployed certificates to it. If cdai_localCertLabel is specified, the specification will be used to label the keycert for use in basic Secure+ configurations. If it is not specified, a default label will be used. 014) RTC423131 / APAR IT02518 commit date: 06 Mar 2015 -------------------------------------------------------- An XPAE003I message is generated for a select statistics command issued with a destfile or srcfile parameter value enclosed in double quotes, which are required if the value contains spaces, equal signs or other reserved characters. 015) RTC433224 / APAR IT03227 commit date: 06 Mar 2015 -------------------------------------------------------- The fsync.after.receive initparm option, used to make sure files written and closed by C:D on an NFS destination are immediately ready for processing, doesn't detect when the NFS resource is out of space. Note, the fix for this issue changes the fsync.after.receive default value to "Y". 016) RTC457537 / APAR IT07855 commit date: 20 Mar 2015 -------------------------------------------------------- When a very old version of Global Security Kit Version 8 (GSKit 8) is installed globally on a system, C:D UNIX 4.2.0 installations may fail, producing a Java core dump and reporting that "The Initialize Secure+ operation failed." If upgrading from a previous version of C:D UNIX, the Java core dump will be followed by a message reporting that "The ReKey Parmfile Secure+ operation failed." 017) RTC460297 / APAR IT07894 commit date: 23 Mar 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ Option uses IBM Java Runtime, which is vulnerable to the following issues: CVE-2014-3065: IBM Java SDK contains a vulnerability in which the default configuration for the shared classes feature potentially allows arbitrary code to be injected into the shared classes cache, which may subsequently be executed by other local users. CVE-2014-6468: An unspecified vulnerability related to the Hotspot component has complete confidentiality impact, complete integrity impact, and complete availability impact. 018) RTC460318 / APAR IT07931 commit date: 24 Mar 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ Option uses GSKit, which is vulnerable to the following issues: CVE-2015-0138: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack. CVE-2015-0159: An unspecified error in GSKit usage of OpenSSL crypto function related to the production of incorrect results on some platforms by Bignum squaring (BN_sqr) has an unknown attack vector and impact in some ECC operations. 019) RTC454740 / APAR IT08220 commit date: 10 Apr 2015 -------------------------------------------------------- In the copy termination statistics record, process name, process number and snode name fields are duplicated. 020) RTC462260 / APAR IT08276 commit date: 13 Apr 2015 -------------------------------------------------------- CBC ciphers are vulnerable to CVE-2011-3389 (BEAST Attack). Previous recommendation to mitigate CVE-2011-3389 was to not use CBC ciphers. RC4 ciphers are vulnerable to CVE-2015-2808 (Bar Mitzvah Attack). Current recommendation to mitigate CVE-2015-2808 is to discontinue use of RC4 ciphers. However, the remaining available ciphers are generally CBC ciphers. Accordingly, code is fixed to mitigate CVE-2011-3389. Note: Connect:Direct for UNIX by default disables the RC4 stream cipher. If you enabled the RC4 stream cipher you are exposed to the RC4 "Bar Mitzvah" Attack for SSL/TLS. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions. 021) RTC456648 / APAR IT08514 commit date: 23 Apr 2015 -------------------------------------------------------- After upgrading to C:D UNIX 4.2.0 from a previous version, some clients, such as Sterling Control Center or Sterling Connect:Direct Browser, may generate errors processing a select statistics command. Possible errors include "CCTR035E Failed to connect to server" or "KQVString.parse() detected data problem...." 022) RTC456874 / APAR IT08958 commit date: 19 May 2015 -------------------------------------------------------- After a system reboot, cdpmgr may fail to start, reporting XPMD006I message. 023) RTC462223 / APAR IT08954 commit date: 28 May 2015 -------------------------------------------------------- CDU nodes configured to run behind a load balancer will have the same node name. When these nodes act as pnodes and initiate processes to the same snode at the same time, it's possible that the snode will not be able to distinguish between the processes, generating XLKL004I messages and possibly corrupting the TCQ. Fix adds a new parameter to the ndm.node initparm record called instance.id. The parameter value is initialized with a universally unique identifier (UUID). 024) RTC461501 / APAR IT08385 commit date: 04 Jun 2015 -------------------------------------------------------- cdver executed without argument may not display the product version. Issue may also manifest during installation or upgrade procedures as "unary operator expected" errors. 025) RTC469550 / APAR IT09564 commit date: 22 Jun 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ and File Agent Options use IBM Java Runtime, which is vulnerable to the following issue on HP-UX and Solaris platforms: CVE-2015-0383: An unspecified vulnerability in Oracle Java SE and JRockit related to the Hotspot component has no confidentiality impact, partial integrity impact, and complete availability impact. 026) RTC458884 / APAR IT09904 commit date: 07 Jul 2015 -------------------------------------------------------- cdpmgr may occasionally crash. The crash is more likely when cdpmgr is idle. A possible symptom of the issue is the Session Count statistics records (RECI=SCNT) logged with either negative or unrealistically large positive values indicated. 027) RTC462479 / APAR IT10090 commit date: 10 Jul 2015 -------------------------------------------------------- Connect:Direct for UNIX did not report snodeid value utilized. 028) RTC463108 / APAR IT10120 commit date: 16 Jul 2015 -------------------------------------------------------- A process copy step sending to an invalid destination, such as a nonexistent path, will log an XCPS003I on the source side and then XIPT016I and go into TIMER/RETRY. On the destination side, an XCPR010I is logged and then "SMGR terminated by signal 11". 029) RTC470882 / APAR IT10377 commit date: 28 Jul 2015 -------------------------------------------------------- Connect:Direct for UNIX Secure+ will fail to send data when the negotiated RU size is less than 16K on systems that use the SSL BEAST mitigation. The error is "The SSL library failed, reason=SSL_write failed Message ID CSPA309E". The issue occurs between nodes where an older version of Secure+ is used, that does not support buffer sizes larger than 16K for SSL sessions. 030) RTC471695 / APAR IT10717 commit date: 31 Jul 2015 ------------------------------------------------------- Connect:Direct API commands over a secure connection fail after upgrading the JRE in Connect:Direct Browser, Sterling Control Center or other application using the Application Interface for Java (AIJ). 031) RTC438326 / APAR IT04205 commit date: 14 Aug 2015 -------------------------------------------------------- On occasion, the statistics archive utility won't run on a day when it should run, causing two days worth of statistics log files to be contained in the archive file when it runs the next day. 032) RTC474638 / APAR IT10817 commit date: 20 Aug 2015 -------------------------------------------------------- Copy receive performance from C:D Z/OS can be degraded when the UNIX destination file sysopts includes "datatype=binary", and the Z/OS source file record format is VB or FB. 033) RTC445816 / APAR IT06148 commit date: 09 Jan 2015 -------------------------------------------------------- A fresh C:D install will include the unused "syslog.logd" initparm. 034) RTC448618 / APAR IT06145 commit date: 15 Dec 2014 -------------------------------------------------------- Under specific stress situations, "direct" will trigger a segmentation fault. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.3 ----------------------------------------------------------- C:D for UNIX 4.2.0.3 adds support for FASP (Fast and Secure Protocol). FASP is supported on Linux and AIX platforms only. See the Hardware and Software Requirements section of the Sterling Connect:Direct for UNIX 4.2.0 Release Notes for specific information regarding support for FASP. FASP requires a license key for use. Download the license key from Passport Advantage when you download the fix pack. Note 1: If you previously downloaded a licence key for UNIX V4.2.0.2, you must download the new license key for 4.2.0.3 to continue using FASP. Your old license key will not work with the new fix pack. Note 2: If you are installing Sterling Connect:Direct for UNIX V4.2.0.3 using the Automated Install method, you must also update your options file with the new cdai_asperaLicenseFile parameter to support FASP. Set the parameter value to . Alternatively the value may be specified on the command line with --asperaLicenseFile. ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.3 ================================================= 001) RTC452439 / APAR IT06692 commit date: 18 Sep 2015 -------------------------------------------------------- After a process is submitted that refers to a netmap entry with comm.transport equal to tcp or udt33 and that has two or more comm.info specifications, which is an invalid configuration, further process submissions that refer to other valid netmap entries will not run and stay in WAIT/WC state. 002) RTC477087 / APAR IT11383 commit date: 22 Sep 2015 -------------------------------------------------------- When viewing a detailed copy termination record (CTRC) of a secure copy step in the CLI, the Security Mode value might be truncated. 003) RTC457011 commit date: 23 Sep 2015 ----------------------------------------- Messages XCMM028I and XTRA000I missing from msgfile.cfg. 004) RTC458466 / APAR IT09079 commit date: 24 Sep 2015 -------------------------------------------------------- Statistics archive script failure messages are not captured and displayed in the XSTA004E message. 005) RTC476357 / APAR IT11308 commit date: 26 Oct 2015 -------------------------------------------------------- The tcp.max.time.to.wait and runstep.max.time.to.wait parameters may not be honored during process execution if a client issues repetitive select process detail=yes commands while the process is executing. This would be the case if the C:D node is monitored by Control Center, for example. 006) RTC478504 / APAR IT11951 commit date: 26 Oct 2015 -------------------------------------------------------- cdpmgr responsiveness can be degraded when installed on a slow file system due to increased time needed to log stat records. XSTL005W and XSTL006W messages are added to warn when increased time is needed to log stat records. There was also a minor inefficiency in statistics logging that may begin occurring the day after cdpmgr is initialized. 007) RTC480733 / APAR IT11978 commit date: 27 Oct 2015 -------------------------------------------------------- An OpenSSL denial of service vulnerability disclosed by the OpenSSL Project affects GSKit. Connect:Direct for UNIX Secure+ Option uses GSKit and is vulnerable to the following issue: CVE-2015-1788: OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. 008) RTC483784 / APAR IT12356 commit date: 20 Nov 2015 -------------------------------------------------------- XSQF006I error generated when a copy step destination uses pipe I/O, and fsync.after.receive initparm is set to 'y'. 009) RTC482534 / APAR IT12247 commit date: 09 Dec 2015 -------------------------------------------------------- Added support for new C:D Java Application Interface (CDJAI) Secure+ commands. Refer to the CDJAI documentation for further information. The SPCli "Delete KeyStoreEntry" and "Import KeyCert" commands were also enhanced. See the SPCli help command for details. 010) RTC483171 / APAR IT12761 commit date: 15 Dec 2015 -------------------------------------------------------- Secure+ install script may hang after indicating "Initializing the Secure+ Parmfile." 011) RTC483323 / APAR IT12844 commit date: 17 Dec 2015 -------------------------------------------------------- Statistics log file archive script fails to capture log files with extensions greater than three digits. 012) RTC484160 / APAR IT12867 commit date: 18 Dec 2015 -------------------------------------------------------- In a high stress scenario where an snode has less session capacity than the pnode, some processes may become stuck in the TIMER queue and require a manual release. 013) RTC487482 / APAR IT12868 commit date: 18 Dec 2015 -------------------------------------------------------- When analyzing stat logs that capture a high load scenario, it can be difficult to identify all stat records logged by a particular ndmsmgr process. Fix adds a new stat log field called OSID. OSID value is set to the UNIX pid of the process that logged it. 014) RTC489332 / APAR IT13232 commit date: 18 Jan 2016 -------------------------------------------------------- Connect:Direct for UNIX Secure+ Option uses GSKit, which is vulnerable to the following issue: CVE-2016-0201: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials. 015) RTC462517 / APAR IT13623 commit date: 04 Feb 2016 -------------------------------------------------------- A long running ndmsmgr doing a series of run job steps may eventually begin producing erratic results. This scenario might come about if there are many processes stacked up in the TCQ for an adjacent node that only allows one or two sessions. In this case ndmsmgr would likely piggy back the stacked processes one after another. One example of the possible erratic results involves CDU sending a series of processes to CDW that include a binary copy step and a run job step. The copy steps may eventually begin to fail with CDW reporting LCPR001I, "record length in comm buffer bigger than IO buffer size." 016) RTC490329 / APAR IT13627 commit date: 04 Feb 2016 -------------------------------------------------------- On Linux and AIX platforms, a long running ndmsmgr performing many copy steps will consume an increasing amount of system memory. 017) RTC486767 / APAR IT13996 commit date: 25 Feb 2016 -------------------------------------------------------- Processes may be coded with an snode that will invoke a Secure+ alias node when a session is attempted. In some cases, these secure session attempts can fail, reporting a CSPA201E message with reason text indicating "error setting ciphers". 018) RTC476574 / APAR IT14034 commit date: 29 Feb 2016 -------------------------------------------------------- If the cdpmgr process is killed while C:D processes are being executed, when cdpmgr is restarted, these processes may fail, reporting XSQF009I referring to a temporary work file in the C:D work directory, and XSMG405I. 019) RTC490759 / APAR IT14056 commit date: 01 Mar 2016 -------------------------------------------------------- tcp.max.time.to.wait and runstep.max.time.to.wait parameters are not honored if smgr tracing is turned on. 020) RTC494236 / APAR IT14215 commit date: 10 Mar 2016 -------------------------------------------------------- Processes submitted with a start time specified (startt parameter) may not run as scheduled. ----------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.4 ----------------------------------------------------------- ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.4 ================================================= 001) RTC495302 / APAR IT14517 commit date: 15 Apr 2016 -------------------------------------------------------- Copy steps to C:D z/OS with LRECL and BLKSIZE set to the same value and RECFM set to FB may fail with XCPS009I. In some block mode transfer scenarios, it's also possible that the ndmsmgr module will be terminated by signal 6 or signal 11. 002) RTC497577 / APAR IT14861 commit date: 20 Apr 2016 -------------------------------------------------------- Send of a text file to C:D z/OS may fail with SCPA024I, if C:D UNIX is doing codepage conversion and the destination file uses FB records. 003) RTC498204 / APAR IT14769 commit date: 22 Apr 2016 -------------------------------------------------------- When receiving a new data file, C:D UNIX uses create mode 664 by default. These permission settings may not be appropriate in some scenarios. Fix adds two new initparms to the copy.parms record in initparm.cfg: recv.file.open.perm=nnn, where nnn is an octal integer describing the desired default permissions for new files received. It's the same as the value documented for the copy sysopt "permiss". recv.file.open.ovrd=x, where x is one of the following three values: 'Y' - Allow copy step sysopt "permiss" value to override recv.file.open.perm value when receiving a new file. This is the default. 'N' - Disallow copy step sysopt "permiss" value to override recv.file.open.perm value when receiving a new file. 'P' - Allow copy step sysopt "permiss" value to override recv.file.open.perm value when pnode is receiving a new file. 004) RTC495458 / APAR IT14956 commit date: 26 Apr 2016 -------------------------------------------------------- On AIX systems, cdinstall reports missing files when installing client or server only (not both at once.) 005) RTC480100 / APAR IT12148 commit date: 29 Apr 2016 -------------------------------------------------------- Consecutive pipe characters ('|') are not translated to EBCDIC after a copy step sending a file to Connect:Direct for z/OS and using standard compression is interrupted and restarted. 006) RTC501357 / APAR IT15059 commit date: 05 May 2016 -------------------------------------------------------- Attempting to import a keycert into the keystore where the private key is encrypted with SHA-2 fails, reporting "Open PEM KeyStore failed: Unsupported PKCS8 format." SPCli also reports an SPCG761E message. 007) RTC495655 / APAR IT15275 commit date: 16 May 2016 -------------------------------------------------------- A process that fails due to a problem creating a valid local user profile should report an XSMG242I message. However, if the process has generated other error messages before encountering the problem creating a valid local user profile, one of the previously generated messages may be inappropriately reported with the XSMG242I message text. 008) RTC495312 / APAR IT15330 commit date: 22 Jul 2016 -------------------------------------------------------- SPCli commands may fail reporting: SPCG000E rc=8 com.stercomm.csg.SPAdmin.SPAFileWriteException: Error encountered during rekey: Error #3 - Lock Process Failed This is likely when the primary group of the installer id was changed after the initial installation, and an upgrade is attempted. 009) RTC497560 / APAR IT15270 commit date: 22 Jul 2016 -------------------------------------------------------- In some scenarios, an inappropriate XDFD001I message referring to a file in the C:D work directory may be logged after an otherwise successful process completes. The issue may also manifest as an XCFF002I followed by XNMP005E referring to the netmap.cfg file at the start of a copy step. 010) RTC502642 / APAR IT15475 commit date: 26 May 2016 -------------------------------------------------------- If read permission for Other has been removed from the netmap.cfg file, in some cases an inappropriate XCFF001I message referring to the netmap.cfg file will be logged. 011) RTC488564 / APAR IT13224 commit date: 10 Jun 2016 -------------------------------------------------------- When copying text files to or from an EBCDIC remote node, C:D UNIX translates ASCII data to EBCDIC and vice versa as needed. In some cases, an alternative to the default ASCII to EBCDIC translation provided by C:D UNIX is desired. While the product includes options for users to create their own custom xlate tables or to use codepage translation, for convenience, new xlate tables are provided that convert ISO-8859-1 ASCII text to IBM-037 EBCDIC and back. These xlate tables are located in {C:D UNIX install dir}/ndm/xlate directory. They may be specified in copy step sysopts, or be made the default translation by specifying them in the global copy record of the initparm.cfg file. 012) RTC503337 / APAR IT15730 commit date: 15 Jun 2016 -------------------------------------------------------- A direct CLI will terminate reporting XCMG000I and XCLW002I if a view process command is issued for a process in the TCQ that includes a submit statement. 013) RTC497594 / APAR IT15934 commit date: 29 Jun 2016 -------------------------------------------------------- Added high-speed bridging support through Sterling Secure Proxy which allows IBM High-Speed Add-on for Connect:Direct to be used between nodes with native FASP support (Linux, AIX, and Windows as of the date of this iFix) and nodes without native FASP support. 014) RTC507456 / APAR IT16359 commit date: 28 Jul 2016 -------------------------------------------------------- When importing a keycert with an encrypted RSA private key, which uses the traditional SSLeay compatible format for private key encryption, the import keycert operation will fail reporting "PEM KeyStore open exception - asn1 parse failure: ..." The further text will usually refer to an issue involving DER length or DER sequence. SPCli will also report an SPCG761E message. 015) RTC508398 / APAR IT16360 commit date: 29 Jul 2016 -------------------------------------------------------- Java API clients, such as C:D Browser, are able to display files on the server that the logged in user does not have permission to view. 016) RTC503445 / APAR IT16597 commit date: 15 Aug 2016 -------------------------------------------------------- If a run task command includes a pipe character ('|'), the run task sysopts displayed in CLI detailed select statistics of the RTED record cuts off after the pipe character. 017) RTC510439 commit date: 8 Sept 2016 -------------------------------------------------------- Enable authentication without a password for Secure+ client connections received from Sterling Connect:Direct Application Interface for Java (AIJ) or AIJ based products, like Sterling Control Center. Secure+ certificates can be used instead user credentials. Add support for Client API Source IP Checking. Client Source IP Checking is configured in the userfile.cfg (optional). A new field has been added to the local user record to specify one or more IP addresses and/or host names (comma separated) to be used to validate the Client connection's remote IP address or host name. If the validation fails, the Client API connection is rejected. NOTICE: This is the last release to be published for C:D UNIX 4.2.0 for HP-UX PA_RISC. In the future, releases for this platform will be available on demand only from Customer Support. 018) RTC488870 / APAR IT15015 commit date: 13 Sep 2016 -------------------------------------------------------- A wildcard copy step that has completed copying several files and is interrupted and restarted may start the wildcard copy over again from the beginning, instead of picking up at the last completed copy. 019) RTC512250 / APAR IT17124 commit date: 20 Sep 2016 -------------------------------------------------------- If the system command invoked for a copy receive using pipe=yes sysopts is invalid or fails for some other reason, the process may inappropriately go to the Timer/Retry queue and retry indefinitely. 020) RTC489941 / APAR IT15012 commit date: 20 Sep 2016 -------------------------------------------------------- A process script coded with a valid string that contains a tilde character ('~') may fail inappropriately with a syntax error. An example of this would be a process with an snodeid coded with a password that includes a tilde character. 021) RTC510530 / APAR IT17600 commit date: 28 Oct 2016 -------------------------------------------------------- cdpmgr response time can be slowed if the TCQ becomes loaded with many processes. This can result in increased time needed to execute processes and to accept incoming client or server connections. 022) RTC512557 / APAR IT17995 commit date: 14 Nov 2016 -------------------------------------------------------- SPCli import trustedcert command fails with SPCG770E if a certificate that has a duplicate public key but is dissimilar in other ways, such as a different "Issuer" or "Valid to" date, already exists in the keystore. Note 1: Unique certificate labels must be specified for this scenario by using the SPCli command's label parameter. Note 2: New software requirements introduced with this fix: AIX: 7.1 updated to technology level 3 (7100-03), 6.1 updated to technology level 7 (6100-07). Linux (x86 and zSeries): RHEL 6.4 and greater, SLES 11 service pack 2 or greater. 023) RTC517695 / APAR IT18040 commit date: 18 Nov 2016 -------------------------------------------------------- C:D Unix can generate segmentation faults if an abnormally large ndm.path:path value is coded in initparm.cfg. 024) RTC519254 / APAR IT18347 commit date: 06 Feb 2017 -------------------------------------------------------- C:D UNIX at various times will make system calls to query about a file. These queries can fail from time to time for various reasons, which are recorded in a system feedback code. C:D UNIX logs these failures with an XCPS001I message, but is not always capturing the feedback codes in this message. On other occasions, an XCPS001I message is logged inappropriately. 025) RTC508850 / APAR IT18346 commit date: 12 Dec 2016 -------------------------------------------------------- In rare scenarios, C:D UNIX executing a process as snode may fail to detect when a session has been broken, leaving the process in EX status. If pnode then retries the process while C:D UNIX snode is in this state, C:D UNIX will reject the restarted process with an XSMG251I message. The remote node will consider this a hard error and not retry the process. 026) RTC523141 / APAR IT18670 commit date: 05 Jan 2017 -------------------------------------------------------- Properly coded processes placed in a file and submitted with the CLI (submit with "file=" parameter) may occasionally fail and report various syntax errors, including XPAS001I. 027) RTC520734 / APAR IT18819 commit date: 13 Jan 2017 -------------------------------------------------------- CD_Data_Collector script may fail to execute on some systems, indicating a syntax error involving an open parenthesis character. 028) RTC525021 / APAR IT18956 commit date: 24 Jan 2017 -------------------------------------------------------- SSL/TLS Handshake from Connect:Direct UNIX to Sterling Secure Proxy (SSP) fails when using a SHA-2 certificate while multiple protocols are enabled. 029) RTC523369 / APAR IT19015 commit date: 30 Jan 2017 -------------------------------------------------------- C:D UNIX will sometimes display an invalid snode user ID in the process start record (PSTR) details of a select stat command. Also, the snode user ID field is applicable only to the PSTR record, and the field name was inappropriately being displayed on other statistics records. 030) RTC495442 / APAR IT18899 commit date: 16 Mar 2016 -------------------------------------------------------- direct module will generate a segmentation fault and fail to start if the NDMAPICFG environment variable is not set or is not pointing to a valid CLI configuration file. 031) RTC527211 / APAR IT19071 commit date: 02 Feb 2017 -------------------------------------------------------- smgr trace of copy step with pipe IO on the source side may corrupt the data stream. 032) RTC525284 / APAR IT19236 commit date: 13 Feb 2017 -------------------------------------------------------- cdstatm may crash when a CSPA message is logged. 033) RTC527308 / APAR IT19295 commit date: 20 Feb 2017 -------------------------------------------------------- On Solaris and HP-UX platforms, ikeyman may fail to start, reporting "Exception in thread "main" java.lang.NoClassDefFoundError: com/ibm/gsk/ikeyman/Ikeyman". 034) RTC527839 / APAR IT19411 commit date: 24 Feb 2017 -------------------------------------------------------- The Secure+ KeyStore requires each certificate to have a unique alias name which is used to associate Identity/KeyCerts with Secure+ Nodes. During certificate import, when label names are not provided, the alias name is generated from the X509 Common Name (CN) component of the Subject Name. In cases where the same CN is assigned to multiple certificates, the import may skip otherwise valid certificates. Fix adds a unique ID generator to allow multiple certificates using the same CN to co-exist. The unique ID generator is invoked by a new import option, AddWithUniqueLabel, which has been added to both the CD Secure+ Admin Tool (SPadmin) and the CD Secure+ CLI (SPCli). 035) RTC529669 / APAR IT19412 commit date: 24 Feb 2017 ------------------------------------------------------- The Certificate Viewer in CD Secure+ Admin Tool does not word wrap public keys. 036) RTC529730 / APAR IT19347 commit date: 24 Feb 2017 -------------------------------------------------------- An OpenSSL vulnerability disclosed by the OpenSSL Project affects GSKit. Connect:Direct for UNIX Secure+ Option uses GSKit and is vulnerable to the following issue: CVE-2016-2183: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the- middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack. Fix adds the ability to engage a GSKit remediation for this vulnerability via a system environment variable named CD_GSK_OPTIONS. To enable the remediation, set the value of this environment variable to GSK_ENFORCE_TDEA_RESTRICTION in the shell of the C:D administrator that starts cdpmgr. Caution: The effect of this remediation is to arbitrarily break a session after 32 GB of data have been transmitted if a DES/3DES cipher is in use. Fix will also cause SPAdmin and SPCli to display a warning message if vulnerable or deprecated settings are enabled in the Secure+ configuration. 037) RTC504172 / APAR IT19880 commit date: 27 Mar 2017 -------------------------------------------------------- The automated installation script deploys a custom netmap.cfg after deploying a custom Secure+ configuration. Ordering the deployment this way is a problem if the Secure+ configuration is intended to act on the deployed netmap.cfg. 038) RTC504173 / APAR IT19878 commit date: 27 Mar 2017 -------------------------------------------------------- If a custom Secure+ configuration is deployed during an automated installation, i.e., cdai_spConfig parameter is specified for cdinstall_a, it's possible that the deployment could fail without notification. Also, on some platforms, a cdinstall_a script error could be reported indicating "integer expression expected". 039) RTC527444 / APAR IT19892 commit date: 27 Mar 2017 -------------------------------------------------------- The automated installation (cdinstall_a) will process keycert files contained in the deployment directory. The Enterprise Deployment Guide indicates that these files must end with .pem, .cer, or .crt. However, if there are inadvertent files in the deployment directory that end in pem, cer, or crt (no preceding dot), then cdinstall_a will attempt to process the inadvertent files. 040) RTC490860 / APAR IT19919 commit date: 30 Mar 2017 ------------------------------------------------------- In some restart scenarios, C:D UNIX snode may report an XCPK004I message. When this happens, it's possible that the restarted session will hang. 041) RTC490859 / APAR IT19961 commit date: 30 Mar 2017 -------------------------------------------------------- In some restart scenarios, it's possible that the pnode ndmsmgr will be abruptly terminated with a signal 11 (SIGSEGV, segmentation violation). 042) RTC478359 / APAR IT19985 commit date: 31 Mar 2017 -------------------------------------------------------- The initparm.cfg parameter instance.id value generated on Solaris may include non-ASCII characters. 043) RTC531403 commit date: 14 Apr 2017 ----------------------------------------- If there are multiple issues opening PEM or CMS KeyStores while upgrading a C:D UNIX with Secure+ node, only the last error is reported. 044) RTC532107 commit date: 14 Apr 2017 ---------------------------------------- CD Secure+ Admin Tool (SPAdmin) does not always display the certificate chain in tree view. 045) RTC531543 commit date: 14 Apr 2017 ----------------------------------------- When executing the SPCli command "Create RemoteNode name=xxx", the SPCli fails with "SPCL108E rc=8 All mandatory key word value pairs must be entered". Specifying only the node name is a valid scenario. 046) RTC532169 commit date: 14 Apr 2017 ----------------------------------------- CD Secure+ Admin Tool (SPAdmin) may run noticeably slower than normal. 047) RTC535230 / APAR IT20160 commit date: 14 Apr 2017 -------------------------------------------------------- When an SSL PEM certificate file contains an identity certificate and one or more intermediate CA certificates, an attempt to import it into the Secure+ keystore may fail to capture the intermediate CA certificates. 048) RTC533544 / APAR IT20320 commit date: 24 Apr 2017 -------------------------------------------------------- In some scenarios, inappropriate XSMG276I messages are generated for a copy step using a wildcard specification to send files to another node. 049) RTC529669 / APAR IT19412 commit date: 24 Feb 2017 -------------------------------------------------------- The Certificate Viewer in CD Secure+ Admin Tool does not word wrap public keys. 050) RTC504889 / APAR IT21004 commit date: 13 Jun 2017 -------------------------------------------------------- On some Linux zSeries systems, ndmsmgr processes may hang, for a short or long time, and consume significant CPU resource. For Linux zSeries systems that display this ndmsmgr hang behavior, edit {C:D installation directory}/ndm/lib/gsk/lib/N/icc/icclib/ICCSIG.txt and add the following two parameters at the end of the file on two separate lines: "ICC_LOOPS=1" and "ICC_SHIFT=8". 051) RTC536028 / APAR IT20394 commit date: 13 Jun 2017 -------------------------------------------------------- In some scenarios, an inappropriate XSQF009I message is generated for a copy step that specifies an unqualified (no directory prefix) source or destination file name. 052) RTC538118 / APAR IT21058 commit date: 16 Jun 2017 -------------------------------------------------------- cfgcheck erroneously reports message XRIA002I for a local user in userfile.cfg properly configured with client.cert_auth. 053) RTC540151 / APAR IT21062 commit date: 16 Jun 2017 -------------------------------------------------------- Secure+ commands provided via cdai_spConfig parameter during an automated upgrade (cdinstall_a) are not executed. 054) RTC532806 / APAR IT21081 commit date: 19 Jun 2017 -------------------------------------------------------- Base Record field name from deprecated STS feature is still displayed in SPAdmin when editing node records. Notice: When an alias record is selected for editing, the real record will now be displayed. An alias is a symbolic link, and this associated change in behavior is to more accurately reflect that fact. 055) RTC533714 / APAR IT21326 commit date: 06 Jul 2017 -------------------------------------------------------- When a security exit is in use and there are many processes that require different snode credentials queued up, it's possible that inappropriate access failures, such as XSQF010I and XSQF006I, may occur. 056) RTC544573 / APAR IT21370 commit date: 10 Jul 2017 -------------------------------------------------------- Connect:Direct for UNIX uses zlib, which is vulnerable to the following issues: CVE-2016-9840: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9841: zlib is vulnerable to a denial of service, caused by an out-of-bounds pointer arithmetic in inftrees.c. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. CVE-2016-9843: zlib is vulnerable to a denial of service, caused by a big- endian out-of-bounds pointer. By persuading a victim to open a specially crafted document, a remote attacker could exploit this vulnerability to cause a denial of service. 057) RTC540911 / APAR IT21610 commit date: 02 Aug 2017 -------------------------------------------------------- The XSCM006E message, logged when user authentication fails due to an issue with Strong Access Control List (SACL), does not capture the specific reason for the issue. 058) RTC547115 / APAR IT22072 commit date: 30 Aug 2017 -------------------------------------------------------- Some C:D messages generate system feedback codes. These codes are not displayed in select statistics command output. 059) RTC544181 / APAR IT22085 commit date: 22 Aug 2017 -------------------------------------------------------- A run job or run task may fail, reporting XRPM004I. When this happens, it is often due to the local user that is executing the run task or run job is also running more UNIX processes than the maximum process limit inherited by cdpmgr on startup. Fix adds code to retry the transient condition and a new warning message, XRPM011I, when the condition is encountered and retried. This condition may also be mitigated by increasing the maximum process resource limit of the user that initiates cdpmgr. 060) RTC54020 / APAR IT21854 commit date: 01 Sep 2017 ------------------------------------------------------- If a C:D client, such as IBM Control Center, submits a configuration update request that includes a string value that is too long, such as an alternate.comminfo value that exceeds 256 characters, C:D will silently truncate the value instead of returning an error. 061) RTC548240 /APAR IT22389 commit date: 20 Sep 2017 ------------------------------------------------------ In some cases, retained process will not be kicked off at scheduled time. 062) RTC548926 / APAR IT22353 commit date: 21 Sep 2017 ------------------------------------------------------ IBM License Management Tool is unable to detect new version of Connect Direct Unix after upgrading from CD Unix 4.1.0 to CD Unix 4.2.0 063) RTC545175 / APAR IT22431 commit date: 22 Sep 2017 ------------------------------------------------------ Codepage conversion fails with MBCS002E FDBK=-9 when the first record is very small and a subsequent record is much longer. 064) RTC550082 / APAR IT22842 commit date: 19 Oct 2017 -------------------------------------------------------- User exit makes may fail, reporting undefined references to work_dir_id_swap, work_dir_id_swap_back, or Trace_status. 065) RTC552361 / APAR IT23008 commit date: 03 Nov 2017 -------------------------------------------------------- Invoking spadmin.sh, spcli.sh, or lcu.sh creates a /tmp/.com_ibm_tools_attach directory used by the Java Attach API. The Java Attach API is not used in C:D, so the /tmp directory creation is unnecessary and seen by some as a possible security risk. 066) RTC553734 / APAR IT22992 commit date: 10 Nov 2017 -------------------------------------------------------- When running cdcust, or cdinstall which invokes cdcust, on AIX 7.2, the error "/etc/ncs/uuid_gen: not found" may be seen. 067) RTC550906 / APAR IT23127 commit date: 04 Dec 2017 -------------------------------------------------------- When sending a file to C:D Z/OS, coding destination file DCB blksize=0 should cause C:D Z/OS to calculate an appropriate block size based on the other DCB attributes, such as lrecl. In some cases, C:D UNIX was overriding the blksize=0 specification with its default block size of 23040, generating an SVSG011I error message on C:D Z/OS. In other cases, an inappropriate SVSH021I message may be generated, even when blksize=0 is not explicitly coded. 068) RTC552636 / APAR IT23191 commit date: 19 Dec 2017 -------------------------------------------------------- cfgcheck produces an error if there is more than one rnode.listen record in initparm.cfg. 069) RTC545251 / APAR IT23541 commit date: 19 Dec 2017 -------------------------------------------------------- When the netmap.cfg parameter outgoing.address is specified with an invalid value, the message generated when a session attempt fails incorrectly indicates a socket creation failure. Also, if the remote node is configured for restricted ports (firewall.parms record in the initparm.cfg) and the outgoing.address is specified with an invalid value, a bind is attempted on each port in the restricted list, instead of failing immediately due to the invalid bind address. 070) RTC559614 / APAR IT23869 commit date: 31 Jan 2018 -------------------------------------------------------- If the legitimate credentials for an incoming connection attempt are a user id with no password, the connection may be rejected inappropriately with an XCMM038I message. It's also possible that CMGR may be terminated by a signal 11 (SEGV). 071) RTC552947 / APAR IT24014 commit date: 09 Feb 2018 -------------------------------------------------------- When Secure+ security mode is disabled, session establishment can be expected to take less time than when a security mode, FIPS 140-2, for example, is enabled. However, session establishment with security mode disabled takes the same amount of time as when enabled. Session establishment times may also be increased if cdpmgr inherits a large maximum file descriptor system resource limit. 072) RTC560719 / APAR IT24113 commit date: 21 Feb 2018 -------------------------------------------------------- cfgcheck generates an XRIA002I message indicating an unknown field name for valid local user record field client.source_ip. 073) RTC561582 / APAR IT24339 commit date: 09 Mar 2018 -------------------------------------------------------- Copy send performance to C:D Z/OS can be degraded when the UNIX source file sysopts includes "datatype=binary", and the Z/OS destination file record format is VB or FB. 074) RTC562386 / APAR IT24362 commit date: 16 Mar 2018 -------------------------------------------------------- Parser error XPAE003I may be generated when submitting a process that has an snodeid coded with a 'Y' or 'N' character for the password. 075) RTC523522 / APAR IT18957 commit date: 14 Apr 2018 -------------------------------------------------------- In rare circumstances, a text file sent to a destination file with fixed block record format on z/OS may be padded with ASCII blanks instead of EBCDIC. 076) RTC565352 / APAR IT24904 commit date: 27 Apr 2018 -------------------------------------------------------- There are three possible issues that may occur when sending a text file a to a z/OS destination that uses VB format with LRECL=BLKSIZE+4: . If the first record is within four bytes of the block size, the transfer will fail with an SVSJ045I message. . If the first record is four bytes or more smaller than the block size, and a subsequent record fills an entire block exactly, the z/OS destination file will be corrupted. . If the first record is four bytes or more smaller than the block size, and a subsequent record is up to four bytes longer than the maximum record size, this error condition will not be detected, and the z/OS destination file will be corrupted. 077) RTC567101 / APAR IT24905 commit date: 27 Apr 2018 -------------------------------------------------------- When sending a file to C:D z/OS and specifying the SYSOUT SYSOPTS parameter, CDU may inappropriately set the destination record format (RECFM) to VB. 078) RTC564598 / APAR IT25140 commit date: 23 May 2018 -------------------------------------------------------- Incoming Secure+ session incorrectly allowed when the .Local node has Secure+ enabled and there is no Secure+ entry for the remote node. 079) RTC564088 / APAR IT25329 commit date: 13 Jun 2018 -------------------------------------------------------- If a process is submitted that runs a job or task on a node with a pmgr trace running, anything written to stdout by the job or task may also appear in the pmgr trace output. This might occur even after the pmgr trace is turned back off. 080) RTC561515 commit date: 22 Jun 2018 ----------------------------------------- When alt.comm.outbound is configured on a remote node, traverse the alt.comm.outbound list on each process retry until we have a successful connection to the remote node. 081) RTC565959 commit date: 25 Jun 2018 ----------------------------------------- In some circumstances, an attempt to update the .Local node record via the Secure+ Admin Tool will fail reporting something similar to "Error #6 - Remote Node file not found." 082) RTC566602 / MFT-9446 / APAR IT26480 commit date: 02 Jul 2018 ------------------------------------------------------------------- On AIX systems, C:D UNIX executables will inappropriately prefer run time libraries in /usr/vac/lib and /usr/vacpp/lib directories instead of the standard /usr/lib /lib directories. The /usr/vac/lib and /usr/vacpp/lib directories may be populated if an IBM compiler is installed on the system, for example. If the libraries in /usr/vac/lib and /usr/vacpp/lib are old or otherwise incompatible with the C:D UNIX executables, various errors may occur, including XSMG609I, SMGR (pnode) failed to convert FMH68 to network format. 083) RTC571051 commit date: 13 Jul 2018 ----------------------------------------- In rare circumstances, a process may fail to start, reporting an XSCM006E error, all users are denied access to CD from the SACL, even though the Strong Access Control (SACL) directory and file appear to have correct ownership and permissions set. Enhanced error messages to provide greater detail when this happens. 084) MFT-9526 / APAR IT26469 commit date: 30 Jul 2018 ------------------------------------------------------- To run C:D UNIX on Solaris 10 requires Update 10 or greater. Updates may be applied as a full release or as a patchset. cdinstall correctly recognizes a full release Update, but wasn't recognizing a patchset update and failed the install. 085) MFT-9523 / APAR IT26470 commit date: 13 Aug 2018 ------------------------------------------------------- Control Center not reading CDU Secure+ presence correctly. 086) MFT-9883 commit date: 11 Jan 2018 ---------------------------------------- Connect:Direct for UNIX Secure+ Option uses GSKit, which is vulnerable to the following issue: CVE-2018-1427: IBM GSKit contains several environment variables that a local attacker could overflow and cause a denial of service. OpenSSL vulnerabilities disclosed by the OpenSSL Project affects GSKit. Connect:Direct for UNIX Secure+ Option uses GSKit and is vulnerable to the following issues: CVE-2017-3732: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key. CVE-2017-3736: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key. 087) MFT-9886 commit date: 15 Aug 2018 ---------------------------------------- Connect:Direct for UNIX Secure+ uses IBM Java Runtime, which is vulnerable to the following issue: CVE-2018-2602: An unspecified vulnerability related to the Java SE I18n component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. 088) MFT-9824 commit date: 16 Aug 2018 ---------------------------------------- A process may terminate abruptly with statistics reporting "SMGR terminated by signal". A known manifestation of this issue is likely to occur when a run job on a C:D z/OS node is attempted. 089) MFT-9613 commit date: 04 Sep 2018 ---------------------------------------- The Connect:Direct for Unix UI will fail when opening netapi.cfg if the local file system has assigned to the file an inode number greater than 32 bits in size. 090) RTC571051 / MFT-9588 / APAR IT26481 commit date: 18 Sep 2018 ------------------------------------------------------------------- In rare circumstances, a process may fail to start, reporting an XSCM006E error, all users are denied access to CD from the SACL, even though the Strong Access Control (SACL) directory and file appear to have correct ownership and permissions set. 091) MFT-9917 commit date: 30 Oct 2018 ---------------------------------------- An ICC select process command submitted to C:D UNIX may occasionally fail with CNCD058E message. 092) MFT-10001 / APAR IT26905 commit date: 13 Nov 2018 -------------------------------------------------------- IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment Java(TM) (JRE) Versions 8.0.5.15 and 7.0.10.25. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in July 2018: CVE-2018-12539: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict the use of Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations to only the process owner. An attacker could exploit this vulnerability to execute untrusted native code and gain elevated privileges on the system. CVE-2018-1656: The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) does not protect against path traversal attacks when extracting compressed dump files. 093) MFT-10047 / APAR IT27442 commit date: 19 Dec 2018 -------------------------------------------------------- When upgrading a C:D UNIX node with an existing keystore, a keystore password is not required. However, the automated install script, cdinstall_a, fails reporting CDAI003E when the cdai_installCmd is set to "upgrade" and no cdai_keystorePassword parameter is coded. 094) MFT-9996 / APAR IT27673 commit date: 08 Jan 2019 ------------------------------------------------------- A backup created when running the interactive script may incur permission errors when writing to the installation directory's parent folder. Instead, create the backup in the installation directory. 095) MFT-10116 / APAR IT27777 commit date: 17 Jan 2019 -------------------------------------------------------- A COPY to the local destination file /dev/null fails with error XSQF006I, feedback code 22. 096) MFT-10091 / APAR IT28000 commit date: 12 Feb 2019 -------------------------------------------------------- Cerificate serial number is displayed in different formats over stats and SPAdmin GUI 097) MFT-9967 / APAR IT26865 commit date: 07 Nov 2018 ------------------------------------------------------- CD UNIX may allow a user with sudo access restricted to certain CD UNIX executable files to expand access beyond the restriction, as indicated in the following issue: CVE-2018-1903: IBM Sterling Connect:Direct for UNIX could allow a user with restricted sudo access on a system to manipulate CD UNIX to gain full sudo access. 098) MFT-10192 / APAR IT28399 commit date: 12 Mar 2019 -------------------------------------------------------- Copy fails with error XIPT019E when CRC check is enabled. 099) MFT-10212 / APAR IT28704 commit date: 08 Apr 2019 -------------------------------------------------------- A protocol violation and session failure occur after a remote RUNTASK step executed in C:D Unix fails due to a user permissions error. 100) MFT-9971 / APAR IT28761 commit date: 11 Apr 2019 ------------------------------------------------------- In the statistics log entry recording maximum achieved parallel sessions (RECI=SCNT), the LCNT001I message text does not display the maximum sessions or time achieved. 101) MFT-4757 / APAR IT28892 commit date: 23 Apr 2019 ------------------------------------------------------- Restarted copy steps fail with XCPR011I if the snode was cold started (work directory cleared) between the initial session and the restarted session. 102) MFT-10273 / APAR IT28898 commit date: 24 Apr 2019 -------------------------------------------------------- Restarted copy steps fail with XCPR011I if the destination file was deleted between the initial session and the restarted session. 103) MFT-10147 / APAR IT29097 commit date: 10 May 2019 -------------------------------------------------------- When multiple copy processes are in session to a C:D snode running in a load balanced cluster and that node is abruptly killed, the pnode will restart the processes and the copies will complete successfully on another snode in the cluster. However, in rare cases, the copy termination record of some of the restarted processes is not logged on the snode side, and temporary work files may be left in the shared snode work directory. 104) MFT-10324 / APAR IT29156 commit date: 15 May 2019 -------------------------------------------------------- When CD Unix performs a COPY RECEIVE, a restart of the COPY may fail with a Signal 11. 105) MFT-10389 / APAR IT29296 commit date: 29 May 2019 -------------------------------------------------------- IBM Sterling Connect:Direct for UNIX uses IBM(R) Runtime Environment Java(TM) (JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30. These JREs are vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in January 2019: CVE-2018-12547: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVE-2018-1890: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users. 106) CDUA-1519 commit date: 30 May 2019 ----------------------------------------- Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct File Agent (CVE-2018-1890, CVE-2018-12547), which is bundled with Connect:Direct for UNIX. Also, the File Agent installer may fail on some UNIX systems with error "Installer User Interface Mode Not Supported". 107) CDUA-1429 commit date: 20 Jun 2019 ----------------------------------------- cfgcheck takes lot of time to validate thousands of netmap entries. 108) MFT-10314 / APAR IT29530 commit date: 24 Jun 2019 -------------------------------------------------------- The C:D Unix cust report generates error XRIA002I "unknown field name" when parameter 'udp.src.ports.list.iterations' is included in the initparms.cfg file. 109) CDUA-1542 / APAR IT29487 commit date: 21 Jun 2019 -------------------------------------------------------- A restarted process may log an inappropriate XSQF009I message referring to a file that ends with ".savedCTRstatLog". Also, the direct CLI output of a detailed select statistics command may include a message id and a Short Text description of the message. The Short Text description might be truncated if the text is very long. Note: It's remotely possible that a restarted process may fail on the snode side with an XSMG235I or XSMG239I message that refers to a file ending with .savedCTRstatLog. This indicates that there may be a copy step of the indicated process that is missing its CTRC record on the snode side. If user investigates and determines the CTRC record is logged, or is not necessary, then they may get past these errors by removing the indicated file that ends with .savedCTRstatLog and then releasing the process again. 110) MFT-6817 / APAR IT09719 commit date: 01 Jul 2019 ------------------------------------------------------- During certain stress situations, cdpmgr may become unresponsive for some minutes. During this time, select statistics will show multiple XLKL004I messages in sequence. 111) MFT-10416 commit date: 10 Jul 2019 ----------------------------------------- On some systems, cdpmgr may fail to start, reporting an XRIA010I message. cfgcheck may also report the same error attempting to validate configuration files. 112) CDUA-1611 commit date: 26 Jul 2019 ----------------------------------------- SPAFileWriteException on spcli.sh stat() when fully qualified directory name is provided. 113) MFT-7999 commit date: 29 Jun 2016 ---------------------------------------- In SPCli.sh, a valid "create alias" command will fail inappropriately, reporting message SPCL108E. 114) MFT-10282 / APAR IT29243 commit date: 24 May 2019 -------------------------------------------------------- During FASP transfer at Pnode, API command select process with details times out. 115) CDUA-1477 / CDUA-1461 commit date: 15 Jul 2019 ----------------------------------------------------- Any process submitted using any C:D client with restart parameter set to some valid value in runtask for validation, then the process is validated without showing any detail about restart paramater in response from C:D server. 116) CDUA-1287 / CDUA-1291 commit date: 15 Jan 2019 ----------------------------------------------------- CDUA-1287-cfgcheck crash is observed.Due to cfgcheck crash, silent installation/upgrade procedure fails with rc=22 CDUA-1291-cdpmgr crash observed if process started with root.Process runs normal with user account. 117) CDUA-1378 commit date: 18 Jul 2019 ----------------------------------------- After setting non-existing trace file path for cdpmgr, new CLI/other clients fail to connect with CDU. 118) MFT-8523 / APAR IT18663 commit date: 25 Feb 2017 ------------------------------------------------------- Using SPCli to update all remote nodes via a wildcard specification, "update remotenode name=* protocol=defaulttoln", for example, fails with "SPCG271E rc=8 The specified node(s) ".Keystore" do not exist in this parmfile." 119) MFT-10562 / APAR IT30282 commit date: 16 Sep 2019 -------------------------------------------------------- A run task step executing a command that should normally take less than a second to run may take a full second to complete. 120) MFT-6320 / APAR IT30283 commit date: 16 Sep 2019 ------------------------------------------------------- cdinstall_a executing an upgrade from a fresh deployment directory (i.e., there are no artifacts left from a previous upgrade) will display a rm command error indicating the upgradersps.txt file does not exist. 121) MFT-7909 / APAR IT30318 commit date: 18 Sep 2019 ------------------------------------------------------- When the sending side of a HSAO (FASP) copy step has tcp.max.time.to.wait=0, the step may fail with FASP022E reported on the sending side and FASP009E on the receiving side. 122) MFT-9816 / APAR IT27957 / CVE-2019-4529 commit date: 20 Sep 2019 ----------------------------------------------------------------------- IBM Sterling Connect:Direct for UNIX could allow a user who is authorized for limited CD privileges to attack through a custom application written using the CD UNIX C/C++ API by replacing the system implementation of getuid() with a malicious implementation and gain unauthorized privilege to access to the CD UNIX Server. 123) CDUA-1746 commit date: 30 Sep 2019 ----------------------------------------- Added support in CD Unix for Control Center Director. Also, added support for License governance. -------------------------------------------------------- iFixes listed above are accumulated in C:D for UNIX 4.2.0.5 NOTICE: Previous maintenance packages delivered on Fix Central consisted of compressed CPIO files. After a downloaded CPIO file was uncompressed, the installation scripts would then need to be extracted from it in order to apply the maintenance. All future maintenance, including this Fix Pack, will be packaged as uncompressed tar balls containing the uncompressed CPIO installation file and the installation scripts. Please refer to the Maintenance Installation Instructions that accompany maintenance downloads for more details. ----------------------------------------------------------- ================================================= iFixes listed below apply to C:D for UNIX 4.2.0.5 ================================================= 001) CDUA-1749 commit date: 08 Oct 2019 ----------------------------------------- On Solaris systems, the cdinstall_a script may fail, reporting "test: argument expected." Also, the cdcust script may insert extra install.agent records in the initparm.cfg file, or extra client.cert_auth parameters in the admin local user record in the userfile.cfg file. 002) MFT-10211 commit date: 10 Oct 2019 ----------------------------------------- Destination file can be corrupted if the file is received to a CDU cluster that is not configured with a shared work area (snode.work.path). 003) MFT-7394 commit date: 24 Oct 2019 ---------------------------------------- The cdcustrpt script executed by a user other than root will display "Permission denied" in reference to several files. 004) MFT-10606 / APAR IT30399 commit date: 04 Nov 2019 -------------------------------------------------------- IBM Sterling Connect:Direct for UNIX running on AIX uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.5.30. This JRE is vulnerable to the following issues, disclosed as part of the IBM Java SDK updates in July 2019: CVE-2019-4473: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. CVE-2019-11771: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system. 005) MFT-10710 / APAR IT30961 commit date: 15 Nov 2019 -------------------------------------------------------- A process coded with a copy step that correctly uses pipe I/O function (sysopts parameter pipe=yes) for the source may fail to produce a data stream. I.E., the step will complete successfully, but will show zero bytes read. 006) MFT-10668 / APAR IT31157 commit date: 04 Dec 2019 -------------------------------------------------------- If netmap checking is on, and the incoming connection's IP address to check is specified in alternate.comminfo and listed past the 256th character in that field, the session will fail with a netmap check error. Fix extends the alternate.comminfo field length to 1023. If the field maximum length is exceeded, a new message, XCFM001I, will be generated and provide specific information about the error condition. 007) MFT-10721 / APAR IT31162 commit date: 10 Dec 2019 -------------------------------------------------------- In a rare circumstance, when using cdinstall_a script to upgrade or uninstall a node, the value of the cdai_adminUserid parameter may be incorrectly determined. 008) MFT-10786 commit date: 13 Dec 2019 ----------------------------------------- The Connect:Direct Agent may fail to start. Investigation of the Agent log file shows "java.lang.UnsatisfiedLinkError: cdsp (Not found in java.library.path)". 009) MFT-10754 / APAR IT31304 commit date: 16 Dec 2019 -------------------------------------------------------- If the strong password encryption (SPE) feature is in a bad state, a submit process command can fail with no error message indicating the reason for the failure. SPE will be in a bad state, for example, if the base product without Secure+ is running when Secure+ is installed. 010) MFT-10771 / APAR IT31319 commit date: 18 Dec 2019 -------------------------------------------------------- CDU opens a UDP socket on the same port used to listen for incoming API connections on TCP. 011) MFT-10694 commit date: 20 Dec 2019 ----------------------------------------- The XSTL006W message regarding recent slow stat log write times provided limited information. In addition to a slow stat log write count, fix adds slow write time average and longest slow write time. 012) MFT-10726 / APAR IT31361 commit date: 20 Dec 2019 -------------------------------------------------------- An installation or upgrade of C:D Unix sets the installation directory permissions to 700, instead of the expected 755. 013) MFT-10810 commit date: 07 Jan 2020 ----------------------------------------- The Secure+ CLI help command output does not list the "display keystore" command. "help display keystore" generates an SPCL010E error message. 014) MFT-10758 commit date: 14 Jan 2020 ----------------------------------------- Message JGIS049E missing from message file. 015) MFT-10666 / APAR IT31047 commit date: 27 Nov 2019 -------------------------------------------------------- During upgrade, ownership of userfile.cfg changes to root. 016) MFT-10767 / APAR IT31550 commit date: 16 Jan 2020 -------------------------------------------------------- A new parameter "agent.enable" has been added into record "install.agent" of initparm.cfg to start/stop install agent. Default value of the parameter is set to y(Enabled). To stop install agent, change value of agent.enable to n(Disabled). It takes upto 5 mins to start/stop install agent. 017) MFT-10884 commit date: 06 Feb 2020 ----------------------------------------- CD Install Agent doesn't start after upgrade from CCD. 018) CDUA-1838 commit date: 12 Feb 2020 ----------------------------------------- Various C:D UNIX executable modules, including cdpmgr, may fail to run on RHEL 8 systems, indicating "error while loading shared libraries: libnsl.so.1". 019) MFT-10718 / APAR IT31764 commit date: 05 Feb 2020 -------------------------------------------------------- cdcustrpt generated report cascades errors of initparm.cfg into other configuration files 020) MFT-10716 / APAR IT31781 commit date: 26 Feb 2020 -------------------------------------------------------- Upgrade to C:D Unix 4.2.0.5 from older versions fails, when "install" directory is present inside the C:D Unix installation. 021) CDUA-1897 commit date: 27 Feb 2020 ----------------------------------------- The *all keyword value is not always accepted by some C:D AIJ commands. To be understood the value has to be specified in uppercase which is not what the documentation specifies. 022) CDUA-1764 commit date: 03 Mar 2020 ----------------------------------------- The default values for the silent installer arguments serverPort (1364) and clientPort (1363) are not working contrary to what the documentation says. 023) CDUA-1945 commit date: 05 Mar 2020 ----------------------------------------- Record CDIA001I gets logged into stats every 5 minutes if CD agent fails to start. 024) CDUA-1883 commit date: 10 Mar 2020 ----------------------------------------- Crash of cdpmgr when initparm.cfg is modified and pmgr trace level is 4. 025) MFT-10759 / APAR IT31456 commit date: 08 Jan 2020 -------------------------------------------------------- Netmap file with incorrect record crashes CDU at UTC zero hour. 026) MFT-10926 /APAR IT32306 commit date: 30 Mar 2020 ------------------------------------------------------- CDU can't read a Statistics log file with a 4-digit extension 027) MFT-10851 / APAR IT32402 commit date: 02 Apr 2020 -------------------------------------------------------- When a process that has established a session and is executing fails with a retriable error, it is placed in the Timer queue to be executed again after a wait period. Due to the intelligent session retry facility, it's possible that this process could immediately be placed back into execution without a delay. However, there are some scenarios where executing again too soon after being placed in Timer could cause resynchronization issues at the snode. 028) MFT-10902 / APAR IT32092 commit date: 08 Apr 2020 -------------------------------------------------------- Under some circumstances, a submit process statement (not the submit command, but the submit statement coded within a process script) may generate an inappropriate CSPE007E message. When this happens, it is also possible that the ndmsmgr may terminate unexpectedly with a signal 11 (segmentation violation). 029) MFT-10938 commit date: 15 Apr 2020 ----------------------------------------- cdpmgr may continue to execute after an apparently successful stop command was issued. 030) MFT-10900 / APAR IT32064 commit date: 25 Sep 2020 -------------------------------------------------------- On systems where /tmp is mounted with the noexec option enabled, C:D Install Agent or File Agent installation may fail, indicating "JRE libraries are missing or not compatible". There may also be an indication that a security file or directory is missing. 031) CDUA-1560 commit date: 21 Apr 2020 ---------------------------------------- Silent installation fails in case an invalid .crt,.cer,.pem file is in deployment directory. 032) MFT-10783 / APAR IT31279 commit date: 05 May 2020 -------------------------------------------------------- Silent upgrade fails when traces are disabled. 033) MFT-10918 / APAR IT32508 commit date: 06 May 2020 -------------------------------------------------------- If a netmap entry has sess.pnode.max=0 (no outgoing sessions allowed) and sess.default=1 or more, incoming sessions fail with an XNMP007E message. 034) CDUA-2050 commit date: 11 May 2020 ----------------------------------------- HP-UX silent install/upgrade displays "cdinstall_a[41]: ==: A test command parameter is not valid." at completion. 035) CDUA-2047 commit date: 12 May 2020 ----------------------------------------- If install/agent/bin/install-agent.jar is not present than a)back up is not created for agent b)restore doesn't happen if upgrade fails c)Agent stop/start doesn't happen during upgrade. 036) CDUA-1434 commit date: 20 May 2020 ----------------------------------------- cfgcheck inappropriately indicates ERROR referring to a configuration file that generates only a WARNING level message. 037) MFT-11091 / APAR IT32816 commit date: 01 Jun 2020 -------------------------------------------------------- C:D UNIX shouldn't check space requirements during upgrade. 038) CDUA-2107 commit date: 02 Jun 2020 ----------------------------------------- Message file was missing a number of messages, including Sterling Secure Proxy messages added for its antivirus scanning support. 039) CDUA-2089 commit date: 10 Jun 2020 ----------------------------------------- Install Agent logs are owned by and can only be read by root. 040) MFT-11014 / APAR IT32981 commit date: 11 Jun 2020 -------------------------------------------------------- CCD License Data Collector not working properly.The issue occurs around daylight savings time changes. 041) MFT-11178 / APAR IT33144 commit date: 23 Jun 2020 -------------------------------------------------------- Eliminate creation of the obsolete STS folders 'import' and 'export' in the secure+ folder when installing the Secure+ feature. 042) MFT-10398 / APAR IT29723 commit date: 30 Jun 2020 -------------------------------------------------------- A CD Plex redirection is logged with SCPA007I, RC=8. The completion code has been changed to RC=0. 043) MFT-11245 / APAR IT33344 commit date: 06 Oct 2020 -------------------------------------------------------- The cdinstall script fails with a scripting error when executed on Solaris. 044) MFT-11236 / APAR IT33402 commit date: 21 Jul 2020 -------------------------------------------------------- Incoming session requests fail with netmap check error XSMG016I following an IP address mismatch even when alternate.comminfo=*. 045) MFT-11320 / APAR IT33840 commit date: 14 Aug 2020 -------------------------------------------------------- IBM Connect:Direct for UNIX could allow a user to manipulate CD UNIX to gain root privilege, as indicated in the following issue: CVE-2020-4587: IBM Connect:Direct for UNIX is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could manipulate CD UNIX to obtain root privileges. 046) MFT-11502 / APAR IT34639 commit date: 05 Nov 2020 -------------------------------------------------------- If the source side of a copy step is pipe IO (a data stream invoked with the pipe=yes sysopts) and the stream is ended abnormally (bad command, terminated by signal, etc.), the abnormal termination is not detected. The copy step will complete as though the pipe IO data stream was received and ended normally. 047) MFT-11518 / APAR IT34801 commit date: 09 Nov 2020 -------------------------------------------------------- run task steps that end abnormally, i.e., terminated by a signal, are logged as normal completions. Also, if a run task step generates stderr output, the stderr output is not captured or logged in statistics.