=================================================
Maintenance for IBM Connect:Direct for UNIX 6.3.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX 6.3.0 code base. It is applicable to C:D UNIX version 6.3.0, and contains all the new functionality and fixes as described in the C:D UNIX 6.3.0 Release notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance.

Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one starting with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D version is 6.3.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created.

For more information, please refer to the C:D UNIX 6.3.0 Release Notes.

NOTICE: Security updates will be described as either affected or vulnerable, based on the following definitions from IBM:

Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Issues classified as affected will not be published in security bulletins, in most cases.

=================================================
iFixes listed below apply to C:D for UNIX 6.3.0.0
=================================================

001) CDUA-4217 commit date: 28 Jun 2023
-----------------------------------------
Config file opens from CDU can occasionally fail with XCFF001I and fdbk EINTR.

002) CDUA-4037 commit date: 01 Jun 2023
-----------------------------------------
Corrected secure processing for several AWS related environment variables.

003) CDUA-3662 commit date: 05 Jun 2023
-----------------------------------------
The maximum concurrent sessions limit imposed by the system and the user who initiated C:D are two items that may be useful to know, but were not being logged. Fix updates the NUIS record with the initiating user, and adds a new message that records the maximum concurrent sessions the system will allow.

004) MFT-14483 / APAR IT43918 commit date: 08 Jun 2023
--------------------------------------------------------
CDU uses GSKit 8.0.55.12. This version is vulnerable to the following issue: CVE-2023-32342.

005) CDUA-4248 commit date: 12 Jun 2023
--------------------------------------------------------
When a command is issued from Connect:Direct Browser to delete a user entry from userfile.cfg file, we get a success response even when the user does not exist. Added a fix to show relevant error in such a case.

006) MFT-14357 / APAR IT43960 commit date: 20 Jun 2023
--------------------------------------------------------
The CDU server terminates abruptly following a COPY failure with error FIOC004E.

007) CDUA-4086 commit date: 23 Jun 2023
-----------------------------------------
When Interactive upgrade is executed while cwd is CDU install directory, it removes all ndm directory items except SACL dir.

008) CDUA-4222 commit date: 27 Jun 2023
-----------------------------------------
During installation of Connect:Direct for UNIX on NFS with root squash enabled, a warning message is displayed saying chmod: changing permissions of '/opt/cdunix/file_agent/config': Operation not permitted.

009) CDUA-4274 commit date: 30 Jun 2023
-----------------------------------------
Install Agent logs grow indefinitely, leading to very big log files over a period of time. Updated Install Agent to clear logs periodically.

010) MFT-14561 / APAR IT44029 commit date: 30 Jun 2023
--------------------------------------------------------
IBM Connect:Direct for UNIX (CDU) on AIX and Linux platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in this version were disclosed as part of recent IBM Java SDK updates.

This JRE version is vulnerable to the following issues: CVE-2023-21930, CVE-2023-21967, and CVE-2023-21968.

This JRE version is affected by the following issues: CVE-2023-21954, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.

011) CDUA-4274 commit date: 05 Jul 2023
-----------------------------------------
Updated UBI base image for CDU container to the latest version, which is UBI 8.8-1009.