=================================================
Maintenance for IBM Connect:Direct for UNIX 6.1.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX 6.1.0
code base. It is applicable to C:D UNIX version 6.1.0, and contains all the
new functionality and fixes as described in the C:D UNIX 6.1.0 Release notes,
as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying
software. V, R, M and F are Version, Release, Modification and Fix Pack
respectively. In general, V.R.M imply new functionality, while F is an
accumulation of fixes called a Fix Pack. The term Fix Pack will be used
going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for short.
iFixes are numbered sequentially from one starting with any increment to
V, R, M or F. Please see IBM's website for further details regarding this
methodology.

After applying the maintenance, the CLI banner will report that your C:D
version is 6.1.0.x, where x is the current Fix Pack. It will also display
the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.1.0 Release Notes.

=================================================
iFixes listed below apply to C:D for UNIX 6.1.0.0
=================================================

001) MFT-10783 / APAR IT31279 commit date: 05 May 2020
--------------------------------------------------------
Silent upgrade fails when traces are disabled.

002) CDUA-1801 commit date: 11 May 2020
-----------------------------------------
On RHEL 8 and SLES 15 systems, cdinstall_a execution may fail indicating an
error loading shared libraries referring to libtirpc.so.1. On SLES 15
systems, cdinstall_a execution may fail indicating a command was not found
referring to ifconfig or netstat.

003) CDUA-2035 commit date: 07 May 2020
-----------------------------------------
a). CDU upgrade fails in case cfgCheck exits with a warning.
b). cfgCheck exits with wrong return codes in case of error/warning.

004) CDUA-2078 commit date: 11 May 2020
-----------------------------------------
On trying to set the value of "SeaCacheEnable" using the AIJ interface, the
error "Invalid key word 'SeaEnableCache'" is observed.

005) CDUA-2067 commit date: 15 May 2020
-----------------------------------------
Corrected the Info message in the docker container image for the SIGINT
signal.

006) MFT-10851 / APAR IT32402 commit date: 15 May 2020
--------------------------------------------------------
When a process that has established a session and is executing fails with a
retriable error, it is placed in the Timer queue to be executed again after
a wait period. Due to the intelligent session retry facility, it's possible
that this process could immediately be placed back into execution without a
delay. However, there are some scenarios where executing again too soon
after being placed in Timer could cause resynchronization issues at the
snode.

007) CDUA-2100 commit date: 20 May 2020
-----------------------------------------
In the Secure+ Admin tool, while adding cipher suites, if the user selected
any option from Filter by certificate, either RSA or ECDSA, TLS 1.3 cipher
suites were not visible.

008) MFT-11088 commit date: 29 May 2020
-----------------------------------------
Enable S3 Server Side Encryption (SSE-S3) using new parameter
s3.sseS3=YES/NO

009) MFT-11014 / APAR IT32981 commit date: 01 Jun 2020
--------------------------------------------------------
CCD License Data Collector not working properly. The issue occurs around
daylight savings time changes.

010) CDUA-2068 commit date: 02 Jun 2020
-----------------------------------------
Due to the liveness and readiness checks in IBM Container Certified
Software, the STAT gets filled with messages showing "TCP lost the
connection. System error is Success."

011) CDUA-2107 commit date: 02 Jun 2020
-----------------------------------------
Message file was missing a number of messages, including Sterling Secure
Proxy messages added for its antivirus scanning support.

012) MFT-11039 / APAR IT32975 commit date: 02 Jun 2020
------------------------------------------------------
Using CMPrlevel/WINdowsize/MEMlevel parameters causes XPAC011I on AIX CDU.
This issue occurs around the format specifier which is used to convert the
string from the lex parser into numbers.

013) CDUA-2104 commit date: 03 Jun 2020
-----------------------------------------
In Certified container software, the PVC gets bound to any available PV in
the cluster that fulfils its requirements for size and accessmode. The PVC
should be bound to the PV where the prerequisite files are present on the
mount path. Also, updated the CDU 6.1 Knowledge Center link in IBM CCS.

014) MFT-11091 / APAR IT32816 commit date: 03 Jun 2020
--------------------------------------------------------
C:D UNIX shouldn't check space requirements during upgrade.

015) CDUA-2089 commit date: 09 Jun 2020
-----------------------------------------
Install Agent logs are owned by and can only be read by root.

016) MFT-11178 / APAR IT33144 commit date: 10 Jun 2020
--------------------------------------------------------
Eliminate creation of the obsolete STS folders 'import' and 'export' in the
secure+ folder when installing the Secure+ feature.

017) MFT-11231 / APAR IT33310 commit date: 23 Jun 2020
--------------------------------------------------------
Invalid error and line number is printed in docker logs when secure plus
certificate file is missing from the configuration directory (by default
CDFILES) for containerized CDU.

018) CDUA-2130 commit date: 25 Jun 2020
-----------------------------------------
When dynamic provisioning is enabled on AWS managed services for the
Openshift platform, the ownership of the SACL directory becomes root:cduser
and the permission of the sysacl.cfg file changes to 660. This scenario is
seen when a pod gets created with a previously deployed pod's CDU data,
i.e., the issue is observed after the restore of a previous configuration.

019) MFT-11245 / APAR IT33344 commit date: 30 Jun 2020
--------------------------------------------------------
The cdinstall script fails with a scripting error when executed on Solaris.

020) MFT-10745 / APAR IT32488 commit date: 30 Jun 2020
--------------------------------------------------------
A CLI session on Solaris fails with errors XSEC013I and XAPI005I when host
names are specified in the keys.client and keys.server files for session
authentication. The issue may also manifest, regardless of the keys.* files
specification, as a CLI session failure reporting message XSEC010I when
multiple CLI connections are made in rapid sequence. When this happens, CDU
statistics will log an XIPT016I message when the local.node's
tcp.max.time.to.wait specification has elapsed after the CLI failure.

021) CDUA-1435 commit date: 03 Jul 2020
-----------------------------------------
Connect:Direct for UNIX Installer does not prompt for password verify for
the Keystore password.

022) CDUA-2159 commit date: 15 Jul 2020
-----------------------------------------
On Solaris, during silent install/upgrade error message
"startInstallAgent() CD Agent not started. agent.enable is set to ." is
displayed.

023) MFT-11258 / APAR IT33538 commit date: 15 Jul 2020
--------------------------------------------------------
Disabling Install Agent on Solaris10 causes CDIA002I to be logged every 5
minutes in Statistics.

024) MFT-11236 / APAR IT33402 commit date: 17 Jul 2020
--------------------------------------------------------
Incoming session requests fail with netmap check error XSMG016I following
an IP address mismatch even when alternate.comminfo=*.

025) CDUA-2110 commit date: 28 Jul 2020
-----------------------------------------
If parameters in the initparm.cfg install.agent or license records are
missing or improperly specified, the resulting XRIA001I or XRIA002I
messages may not be formatted correctly.

026) CDUA-2141 commit date: 30 Jul 2020
-----------------------------------------
Added TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA to the
list of default ciphers during silent install.

027) MFT-11234 / APAR IT33616 commit date: 07 Aug 2020
--------------------------------------------------------
When there is limited disk space available on the file system where CDU is
or will be installed, the upgrade or install procedure may fail while
configuring the Secure+ JRE and show messages about missing files or
directories.

028) MFT-11320 / APAR IT33840 commit date: 13 Aug 2020
--------------------------------------------------------
IBM Connect:Direct for UNIX could allow a user to manipulate CD UNIX to
gain root privilege, as indicated in the following issue:

CVE-2020-4587: IBM Connect:Direct for UNIX is vulnerable to a stack based
buffer overflow, caused by improper bounds checking. A local attacker could
manipulate CD UNIX to obtain root privileges.

029) MFT-11334 / APAR IT33867 commit date: 14 Aug 2020
--------------------------------------------------------
IBM Connect:Direct for UNIX uses IBM(R) Runtime Environment Java(TM) (JRE)
Versions 8.0.6.0, 8.0.5.30, and 7.0.10.40. These JREs are vulnerable to the
following issues, disclosed as part of the IBM Java SDK updates in March
and August 2020:

CVE-2020-2654: An unspecified vulnerability in Java SE related to the Java
SE Libraries component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown
attack vectors.

CVE-2020-14579: An unspecified vulnerability in Java SE related to the
Libraries component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown
attack vectors.

CVE-2020-14578: An unspecified vulnerability in Java SE related to the
Libraries component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown
attack vectors.

CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.

NOTE: The JRE fix for HP-UX Itanium was not available at the time this iFix
was published. It will be provided when it becomes available.

030) CDUA-2173 commit date: 18 Aug 2020
-----------------------------------------
The umask is not consistent between the system and the cdpmgr process
inside the container. The umask shown for the system is 022 while the umask
shown for cdpmgr is 077. So, corrected the default umask setting inside the
container.

031) MFT-10918 / APAR IT32508 commit date: 18 Aug 2020
--------------------------------------------------------
If a netmap entry has sess.pnode.max=0 (no outgoing sessions allowed) and
sess.default=1 or more, incoming sessions fail with an XNMP007E message.

032) MFT-11216 / APAR IT33334 commit date: 21 Aug 2020
--------------------------------------------------------
On HP-UX and Solaris systems, while clients are rapidly submitting a series
of processes, for example when C:D File Agent is processing many files
recently added to a watch directory, it is possible that some of the
process submissions will fail, with the client seeing XTQP001I and XPRG001I
messages.

033) MFT-11260 / APAR IT33773 commit date: 21 Aug 2020
--------------------------------------------------------
SMGR terminated by Signal=11 due to a malformed proxy record in file
userfile.cfg.

034) MFT-11275 / APAR IT33992 commit date: 01 Sep 2020
--------------------------------------------------------
cdmsgutil lacks a trace option to assist with diagnosing any issues with it
that may arise. Fix adds a trace option. Invoke cdmsgutil with "-h" to see
the usage.

035) MFT-11365 / APAR IT34116 commit date: 04 Sep 2020
--------------------------------------------------------
If a copy step that is using pipe IO functionality (sysopts pipe=yes) for
the destination side is traced, ndmsmgr is killed with a segmentation
violation (SIGSEGV).

036) CDUA-2274 commit date: 09 Sep 2020
--------------------------------------------------------
Support CD installation from Control Center Director.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.1.0.1
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.1.0.1
===========================================================

001) MFT-11369 commit date: 15 Sep 2020
--------------------------------------------------------
posInfo array length in s3FileReader may be wrong and positioning on object
stream may fail or may be wrong on a process restart.

002) MFT-10900 / APAR IT32064 commit date: 21 Sep 2020
--------------------------------------------------------
On systems where /tmp is mounted with the noexec option enabled, C:D
Install Agent or File Agent installation may fail, indicating "JRE
libraries are missing or not compatible". There may also be an indication
that a security file or directory is missing.

003) MFT-11398 / APAR IT34160 commit date: 25 Sep 2020
--------------------------------------------------------
If the username portion of a proxy record contains one or more '@'
characters, some clients may have trouble displaying the proxy record
correctly.

004) MFT-11278 / APAR IT34263 commit date: 25 Sep 2020
--------------------------------------------------------
When multiple clients are connecting in rapid succession to a CDU server on
Solaris or HP-UX, some of the connections may fail indicating XSEC010I.
When this happens, the ndmcmgr process will hang, and, in most cases,
eventually timeout, logging an XIPT016I message. It is also possible for an
inappropriate XPMD005I message to be generated.

005) CDUA-2288/CDUA-2277/CDUA-2302/MFT-11355: commit date: 02 Oct 2020
--------------------------------------------------------
The following features have been integrated:
a) Support for LDAP in plain vanilla container and IBM CCS
b) Support for Helm 3 in IBM CCS
c) Support for OpenShift 4.4 in IBM CCS
d) Support for Licensing and Metering in IBM CCS

LDAP support is not working after upgrade using IBM CCS because LDAP
parameters were not populated correctly.

Without appuser parameters provided, the deployment was failing because the
appuser name variable was updated incorrectly, resulting in a null user
argument during user creation.

For OCP 3.11 created on AWS cloud, the permission and ownership of the SACL
directory were incorrect on restart of the pod. Hence, the file transfer
was failing, reporting inappropriate SACL directory ownership. Now, the
permission and ownership have been corrected to be 600 and root
respectively.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.1.0.2
-----------------------------------------------------------

===========================================================
iFixes listed below apply to C:D for UNIX 6.1.0.2
===========================================================

001) MFT-11245 / APAR IT33344 commit date: 06 Oct 2020
--------------------------------------------------------
The cdinstall script fails with a scripting error when executed on Solaris
10.

002) MFT-11096 / APAR IT34401 commit date: 09 Oct 2020
--------------------------------------------------------
In a rare circumstance, CDU servers running on HP-UX or Solaris may get
stuck in a loop of message XIPT007I followed by message XPMC002I after a
CLI connection is attempted or the port the server is listening on for
client connections is probed.

003) CDUA-2346 commit date: 16 Oct 2020
-----------------------------------------
The upgrade/rollback jobs fail due to the new integer value of the license
parameter in the values.yaml file. Earlier, it was created as an
environment variable inside the pod. Now it is removed as an env variable
and can be seen in the annotation section of the pod when describing it.
Since no env variable is created, the upgrade/rollback shall work properly.

004) MFT-11366 / APAR IT34125 commit date: 22 Oct 2020
--------------------------------------------------------
If a copy step between two CDU nodes specifies sysopts with datatype=text,
it may transfer in block mode, which is inappropriate and inefficient for
CDU to CDU transfers. This issue may also manifest as communication errors,
or a "SMGR terminated by signal" message.

005) MFT-11530 / APAR IT34855 commit date: 10 Nov 2020
--------------------------------------------------------
Automated install incorrectly allows a local node name that exceeds 16
chars.

006) MFT-11520 / APAR IT34819 commit date: 12 Nov 2020
--------------------------------------------------------
IBM Connect:Direct for UNIX could allow a non-authorized user to gain
application privileges, as described in the vulnerability below.

CVE-2020-4747: IBM Connect:Direct for UNIX can allow a local or remote user
to obtain an authenticated CLI session due to improper authentication
methods.

007) MFT-11502 / APAR IT34639 commit date: 13 Nov 2020
--------------------------------------------------------
If the source side of a copy step is pipe IO (a data stream invoked with
the pipe=yes sysopts) and the stream is ended abnormally (bad command,
terminated by signal, etc.), the abnormal termination is not detected. The
copy step will complete as though the pipe IO data stream was received and
ended normally.

008) MFT-11547 / APAR IT35148 commit date: 03 Dec 2020
--------------------------------------------------------
When using SPAdmin and SPCli to import a file with multiple unique
certificates that have labels equal to existing certificates in the
keystore, and with the ImportMode set to AddUniqueLabel, only the first
certificate in the file will get added with a unique label. Subsequent
certificates in the import file will overwrite existing certificates that
have the same label.