=========================================================
Maintenance for IBM Connect:Direct FTP Plus Version 1.3.0
=========================================================

This maintenance archive includes module replacements for the C:D FTP+ 1.2.0 
code base. It is applicable to C:D FTP+ version 1.3.0, and contains all the new 
functionality and fixes as described in the C:D FTP+ 1.3.0 Release notes, as 
well as fixes for the issues listed below.

After applying the maintenance, the banner displayed when initiating a 
connection to a server will report that your C:D version is 1.3.0.x, where x is 
the current Fix Pack.  It will also display the 
date that the maintenance was created.

For more information, please refer to the C:D FTP+ 1.3.0 Release Notes.

NOTICE:  Beginning with iFix 1.3.0.0.iFix023 below, security updates will be
         described as either affected or vulnerable, based on the following
         definitions from IBM:

         Affected: The software product contains code which has a documented
                   vulnerability. Based on currently available information,
                   however, we believe that the issue is likely not exploitable.
                   However, as a best practice and from an abundance of caution,
                   we recommend customers update their systems as soon as
                   practical. Vulnerabilities evolve, and a means of exploiting
                   any issue may emerge at any time.

         Vulnerable: The software product contains code, which has a documented
                     vulnerability. Our analysis shows that the issue may be
                     exploitable.

         Issues classified as affected will not be published in security
         bulletins, in most cases.

==========================
iFixes to C:D FTP+ 1.3.0.0
==========================

001) RTC455801 / APAR IT07069  commit date:  11 Feb 2014
--------------------------------------------------------
     SSLv3 contains a vulnerability that has been referred to as the Padding 
     Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566). 
     SSLv3 is enabled by default in Connect:Direct FTP+ when Secure+ is enabled.
     Fix changes the default protocol from SSLv3 to TLS.

002) RTC491210 / APAR IT14195  commit date:  08 Mar 2016
--------------------------------------------------------
     Connect:Direct FTP+ (CDFtp+) running on all supported UNIX platforms except 
     for HP-UX uses IBM(R) Runtime Environment Java(TM) Technology Edition, Version 
     7.0.9.  CDFtp+ running on HP-UX PA_RISC uses IBM(R) Runtime Environment Java(TM) 
     Technology Edition, Version 6.0.14.
     
     Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK 
     updates for October 2015, CDFtp+ is vulnerable to:

     CVE-2015-4872:  An unspecified vulnerability related to the Security 
                     component has no confidentiality impact, partial integrity 
                     impact, and no availability impact.

     Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK 
     updates in January 2016, which include the vulnerability commonly referred 
     to as "SLOTH", CDFtp+ is vulnerable to:

     CVE-2016-0475:  An unspecified vulnerability related to the Libraries 
                     component has partial confidentiality impact, partial 
                     integrity impact, and no availability impact.

     CVE-2015-7575:  The TLS protocol could allow weaker than expected security 
                     caused by a collision attack when using the MD5 hash 
                     function for signing a ServerKeyExchange message during a 
                     TLS handshake. An attacker could exploit this vulnerability 
                     using man-in-the-middle techniques to impersonate a TLS 
                     server and obtain credentials. This vulnerability is 
                     commonly referred to as "SLOTH".

     Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK 
     updates for October 2015, CDFtp+ is vulnerable to:

     CVE-2015-4872:  An unspecified vulnerability related to the Security 
                     component has no confidentiality impact, partial integrity 
                     impact, and no availability impact.

     Of the issues in JRE 6.0.14 that were disclosed as part of the IBM Java SDK 
     updates in January 2016, which include the vulnerability commonly referred 
     to as "SLOTH", CDFtp+ is vulnerable to:

     CVE-2015-7575:  The TLS protocol could allow weaker than expected security 
                     caused by a collision attack when using the MD5 hash 
                     function for signing a ServerKeyExchange message during a 
                     TLS handshake. An attacker could exploit this vulnerability 
                     using man-in-the-middle techniques to impersonate a TLS 
                     server and obtain credentials. This vulnerability is 
                     commonly referred to as "SLOTH".

003) RTC496774 / APAR IT14554  commit date:  31 Mar 2016
--------------------------------------------------------
     Connect:Direct FTP+ (CDFtp+) running on HP-UX Itanium uses IBM(R) Runtime 
     Environment Java(TM) Technology Edition, Version 7.0.9.  CDFtp+ running on 
     HP-UX PA_RISC uses IBM(R) Runtime Environment Java(TM) Technology Edition, 
     Version 6.0.16.16.
  
     Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK 
     updates for October 2015, CDFtp+ is vulnerable to:

     CVE-2015-4872:  An unspecified vulnerability related to the Security
                     component has no confidentiality impact, partial integrity
                     impact, and no availability impact.

     Of the issues in JRE 7.0.9 that were disclosed as part of the IBM Java SDK 
     updates in January 2016, which include the vulnerability commonly referred 
     to as "SLOTH", CDFtp+ is vulnerable to:

     CVE-2016-0475:  An unspecified vulnerability related to the Libraries
                     component has partial confidentiality impact, partial
                     integrity impact, and no availability impact.

     CVE-2015-7575:  The TLS protocol could allow weaker than expected security
                     caused by a collision attack when using the MD5 hash
                     function for signing a ServerKeyExchange message during a
                     TLS handshake. An attacker could exploit this vulnerability
                     using man-in-the-middle techniques to impersonate a TLS
                     server and obtain credentials. This vulnerability is
                     commonly referred to as "SLOTH".

     Of the issues in JRE 6.0.16.16 that were disclosed as part of the IBM Java 
     SDK updates in January 2016, CDFtp+ is vulnerable to:

     CVE-2016-0475:  An unspecified vulnerability related to the Libraries
                     component has partial confidentiality impact, partial
                     integrity impact, and no availability impact.

004) RTC503673 / APAR IT15845  commit date:  23 Jun 2016
--------------------------------------------------------
     Connect:Direct FTP+ uses Flexera InstallAnywhere, which is vulnerable to 
     the following issue:

     CVE-2016-4560:  Flexera InstallAnywhere could allow a remote attacker to 
                     execute arbitrary code on the system. The application does 
                     not directly specify the fully qualified path to a 
                     dynamic-linked library when running on Microsoft Windows. 
                     By persuading a victim to open a specially-crafted file 
                     from a WebDAV or SMB share using a vulnerable application, 
                     a remote attacker could exploit this vulnerability via a 
                     specially-crafted library to execute arbitrary code on the 
                     system.

005) RTC518198 / APAR IT17607  commit date:  19 Oct 2016
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ uses IBM(R) Runtime Environment Java(TM) (JRE) 
     Version 7.0.9.30 (6.0.16.20 on the HP-UX PA_RISC platform).  These JREs are 
     vulnerable to the following issue, disclosed as part of the IBM Java SDK 
     updates in April 2016:

     CVE-2016-3426:  An unspecified vulnerability related to the JCE component 
                     could allow a remote attacker to obtain sensitive 
                     information resulting in a partial confidentiality impact 
                     using unknown attack vectors.

006) RTC539217 / APAR IT20756  commit date:  24 May 2017
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ uses IBM(R) Runtime Environment Java(TM) (JRE) 
     Version 7.0.9.50 (6.0.16.30 on the HP-UX PA_RISC platform).  These JREs are 
     vulnerable to the following issues, disclosed as part of the IBM Java SDK 
     updates in January 2017:

     CVE-2016-5546:  An unspecified vulnerability related to the Libraries 
                     component has no confidentiality impact, high integrity 
                     impact, and no availability impact.
                     
     CVE-2016-5548:  An unspecified vulnerability related to the Libraries 
                     component could allow a remote attacker to obtain sensitive 
                     information resulting in a high confidentiality impact 
                     using unknown attack vectors.

     CVE-2016-5549:  An unspecified vulnerability related to the Libraries 
                     component could allow a remote attacker to obtain sensitive 
                     information resulting in a high confidentiality impact 
                     using unknown attack vectors.

     CVE-2016-5547:  An unspecified vulnerability related to the Libraries 
                     component could allow a remote attacker to cause a denial 
                     of service resulting in a low availability impact using 
                     unknown attack vectors.

     CVE-2016-5552:  An unspecified vulnerability related to the Networking 
                     component has no confidentiality impact, low integrity 
                     impact, and no availability impact.

     CVE-2016-2183:  OpenSSL could allow a remote attacker to obtain sensitive 
                     information, caused by an error in the DES/3DES cipher, 
                     used as a part of the SSL/TLS protocol. By capturing large 
                     amounts of encrypted traffic between the SSL/TLS server and 
                     the client, a remote attacker able to conduct a 
                     man-in-the-middle attack could exploit this vulnerability to recover 
                     the plaintext data and obtain sensitive information. This 
                     vulnerability is known as the SWEET32 Birthday attack.

     NOTICE:  This is the last release to be published for C:D FTP+ 1.3.0 for
              HP-UX PA_RISC.  In the future, releases for this platform will
              be available on demand only from Customer Support.

007) RTC546237 / APAR IT21636  commit date:  30 Jul 2017
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ uses jzlib version 1.1.3.  This jzlib 
     version is vulnerable to the following issues:

     CVE-2016-9840:  zlib is vulnerable to a denial of service, caused by an 
                     out-of-bounds pointer arithmetic in inftrees.c. By 
                     persuading a victim to open a specially crafted document, a 
                     remote attacker could exploit this vulnerability to cause a 
                     denial of service.
                     
     CVE-2016-9841:  zlib is vulnerable to a denial of service, caused by an 
                     out-of-bounds pointer arithmetic in inftrees.c. By 
                     persuading a victim to open a specially crafted document, a 
                     remote attacker could exploit this vulnerability to cause a 
                     denial of service.

     CVE-2016-9842:  zlib is vulnerable to a denial of service, caused by an 
                     undefined left shift of negative number. By persuading a 
                     victim to open a specially crafted document, a remote 
                     attacker could exploit this vulnerability to cause a denial 
                     of service.

     CVE-2016-9843:  zlib is vulnerable to a denial of service, caused by a 
                     big-endian out-of-bounds pointer. By persuading a victim to 
                     open a specially crafted document, a remote attacker could 
                     exploit this vulnerability to cause a denial of service.

008) RTC552784 / APAR IT22755  commit date:  12 Oct 2017
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ uses IBM(R) Runtime Environment Java(TM) (JRE) 
     Version 7.0.10.1 (6.0.16.41 on the HP-UX PA_RISC platform).  These JREs are 
     vulnerable to the following issue, disclosed as part of the IBM Java SDK 
     updates in January 2017:

     CVE-2017-10115:  An unspecified vulnerability related to the Java SE JCE 
                      component could allow an unauthenticated attacker to 
                      obtain sensitive information resulting in a high 
                      confidentiality impact using unknown attack vectors.

     CVE-2017-10116:  An unspecified vulnerability related to the Java SE 
                      Security component could allow an unauthenticated attacker 
                      to take control of the system.

009) RTC569886  commit date:  01 Jun 2018
-----------------------------------------
     IBM Sterling Connect:Direct FTP+ uses IBM(R) Runtime Environment Java(TM) 
     (JRE) Version 7.0.10.10.  This JRE is vulnerable to the following issues, 
     disclosed as part of the IBM Java SDK updates in January and April 2018:

     CVE-2018-2633:  An unspecified vulnerability related to the Java SE JNDI 
                     component could allow an unauthenticated attacker to take 
                     control of the system.

     CVE-2018-2603:  An unspecified vulnerability related to the Java SE 
                     Libraries component could allow an unauthenticated 
                     attacker to cause a denial of service resulting in a low 
                     availability impact using unknown attack vectors.

     CVE-2018-2579:  An unspecified vulnerability related to the Java SE 
                     Libraries component could allow an unauthenticated 
                     attacker to obtain sensitive information resulting in a 
                     low confidentiality impact using unknown attack vectors.

     CVE-2018-2618:  An unspecified vulnerability related to the Java SE JCE 
                     component could allow an unauthenticated attacker to 
                     obtain sensitive information resulting in a high 
                     confidentiality impact using unknown attack vectors.

     CVE-2018-2602:  An unspecified vulnerability related to the Java SE I18n 
                     component could allow an unauthenticated attacker to 
                     cause low confidentiality impact, low integrity impact, 
                     and low availability impact.

     CVE-2018-2783:  An unspecified vulnerability related to the Java SE 
                     Security component could allow an unauthenticated 
                     attacker to cause high confidentiality impact, high 
                     integrity impact, and no availability impact.

010) MFT-10002 / APAR IT26935  commit date:  08 Nov 2018
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ uses IBM(R) Runtime Environment Java(TM) 
     (JRE) Versions 8.0.5.16, 8.0.5.15, and 7.0.10.25.  These JREs are 
     vulnerable to the following issues, disclosed as part of the IBM Java SDK 
     updates in July 2018:

     CVE-2018-12539:  Eclipse OpenJ9 could allow a local attacker to gain 
                      elevated privileges on the system, caused by the failure 
                      to restrict the use of Java Attach API to connect to an 
                      Eclipse OpenJ9 or IBM JVM on the same machine and use 
                      Attach API operations to only the process owner. An 
                      attacker could exploit this vulnerability to execute 
                      untrusted native code and gain elevated privileges on 
                      the system.

     CVE-2018-1656:  The IBM Java Runtime Environment's Diagnostic Tooling 
                     Framework for Java (DTFJ) does not protect against path 
                     traversal attacks when extracting compressed dump files.

011) MFT-10291 / APAR IT28838  commit date:  12 Apr 2019
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ uses IBM(R) Runtime Environment Java(TM) 
     (JRE) Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30. These JREs are 
     vulnerable to the following issues, disclosed as part of the IBM Java SDK 
     updates in October 2018 and January 2019: 

     CVE-2018-3180:  An unspecified vulnerability related to the Java SE JSSE 
                     component could allow an unauthenticated attacker to 
                     cause low confidentiality impact, low integrity impact, 
                     and low availability impact. 

     CVE-2018-1890:  IBM SDK, Java Technology Edition Version 8 on the AIX 
                     platform uses absolute RPATHs which may facilitate code 
                     injection and privilege elevation by local users. 

     CVE-2018-12547:  Eclipse OpenJ9 is vulnerable to a buffer overflow, 
                      caused by improper bounds checking by the jio_snprintf() 
                      and jio_vsnprintf() functions. By sending an overly long 
                      argument, a remote attacker could overflow a buffer and 
                      execute arbitrary code on the system or cause the 
                      application to crash. 

012) MFT-10607 / APAR IT30889  commit date:  26 Sep 2019
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ running on AIX uses IBM(R) Runtime
     Environment Java(TM) (JRE) Version 8.0.5.30.  This JRE is vulnerable to the
     following issues, disclosed as part of the IBM Java SDK updates in July
     2019:
	 
     CVE-2019-4473:  Multiple binaries in IBM SDK, Java Technology Edition on
                     the AIX platform use insecure absolute RPATHs, which may
                     facilitate code injection and privilege elevation by local
                     users.

     CVE-2019-11771:  Eclipse OpenJ9 could allow a local attacker to gain
                      elevated privileges on the system, caused by the inclusion
                      of unused RPATHS in AIX builds. An attacker could exploit
                      this vulnerability to inject code and gain elevated
                      privileges on the system.

013) MFT-10611 / APAR IT30425  commit date:  26 Sep 2019
--------------------------------------------------------
     Installation on some systems with limited 32 bit library support may fail,
     reporting "JRE libraries are missing or not compatible." Also, C:D FTP+
     installed on an EFS file system in an Amazon Web Services EC2 instance will
     fail to start, reporting "Error: missing `j9vm' JVM".

014) MFT-10963  commit date:  06 Apr 2020
-----------------------------------------
     Installation fails on Windows Server 2019, reporting the following or
     similar error:  "Flexeraaw7$aaa: Windows DLL failed to load".

015) MFT-11035 / APAR IT32539  commit date:  13 Apr 2020
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ running on Microsoft Windows uses IBM(R)
     Runtime Environment Java(TM) (JRE) Version 8.0.5.40. This JRE is vulnerable
     to the following issue, disclosed as part of the IBM Java SDK updates in
     January 2020:

     CVE-2019-4732: IBM SDK, Java Technology Edition Version could allow a local
                    authenticated attacker to execute arbitrary code on the
                    system, caused by DLL search order hijacking vulnerability
                    in Microsoft Windows client. By placing a specially-crafted
                    file in a compromised folder, an attacker could exploit this
                    vulnerability to execute arbitrary code on the system.

016) MFT-11081 / APAR IT32747  commit date:  04 May 2020
--------------------------------------------------------
     When using the GUI and connected to C:D z/OS, a directory listing on z/OS
     will not show files that have a volser that begins with digits.

017) MFT-11341 / APAR IT33951  commit date:  09 Mar 2021
--------------------------------------------------------
     IBM Connect:Direct for UNIX uses IBM(R) Runtime Environment Java(TM) (JRE)
     Versions 8.0.6.0, 8.0.5.30, and 7.0.10.40. These JREs are vulnerable to the
     following issues, disclosed as part of the IBM Java SDK updates in March
     and August 2020:

     CVE-2020-2654: An unspecified vulnerability in Java SE related to the Java
                    SE Libraries component could allow an unauthenticated
                    attacker to cause a denial of service resulting in a low
                    availability impact using unknown attack vectors.

     CVE-2020-14579: An unspecified vulnerability in Java SE related to the
                     Libraries component could allow an unauthenticated attacker
                     to cause a denial of service resulting in a low
                     availability impact using unknown attack vectors.

     CVE-2020-14578: An unspecified vulnerability in Java SE related to the
                     Libraries component could allow an unauthenticated attacker
                     to cause a denial of service resulting in a low
                     availability impact using unknown attack vectors.

     CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE
                     component could allow an unauthenticated attacker to obtain
                     sensitive information resulting in a low confidentiality
                     impact using unknown attack vectors.

018) MFT-11441 / APAR IT34448  commit date:  05 Oct 2020
--------------------------------------------------------
     When configured for SSLv3, connection attempts fail, indicating "550
     Connection failure - possible Secure+ definition error." A debug log of
     this failure shows "java.io.IOException: Error creating the SSLSocket:
     java.security.NoSuchAlgorithmException: no such algorithm: SSLv3 for
     provider IBMJSSE2".

     NOTICE: SSLv3 is an obsolete and insecure protocol. IBM recommends using
             the TLS protocol instead.
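     The following Java check is added here as an example; it is not part of
     the IBM maintenance notes or of the C:D FTP+ product. Run with the JRE that
     the C:D FTP+ installation uses (its path depends on your install), it lists
     the protocols that JRE enables by default, reproduces the
     NoSuchAlgorithmException quoted above when a configuration still names
     SSLv3, and confirms that a TLS context can be built instead. The class name
     ProtocolCheck and the choice of TLSv1.2 as the replacement are the example's
     own; the protocol strings are standard JSSE names.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/*
 * Added example, not IBM code: verify with the bundled JRE that SSLv3 is no
 * longer offered, and show how a Secure+ definition that still asks for SSLv3
 * ends in the NoSuchAlgorithmException quoted in item 018.
 */
public class ProtocolCheck {

    /** Protocols the default SSLContext would actually negotiate. */
    static List<String> enabledProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /**
     * True when the provider refuses to build an SSLv3 context at all. A false
     * result does not mean SSLv3 is negotiable: it may still be blocked through
     * jdk.tls.disabledAlgorithms, which enabledProtocols() reflects.
     */
    static boolean sslv3Removed() {
        try {
            // This is the call path a configuration naming "SSLv3" ends up on.
            // IBMJSSE2 in item 018 throws here instead of returning a context.
            SSLContext.getInstance("SSLv3");
            return false;
        } catch (NoSuchAlgorithmException e) {
            return true;
        }
    }

    /** Build the TLS context a definition set to TLS would use; TLSv1.2 assumed. */
    static SSLContext tlsContext() throws Exception {
        SSLContext tls = SSLContext.getInstance("TLSv1.2");
        tls.init(null, null, null);   // default key and trust managers
        return tls;
    }

    public static void main(String[] args) throws Exception {
        List<String> enabled = enabledProtocols();
        System.out.println("Enabled by default : " + enabled);
        System.out.println("SSLv3 removed      : " + sslv3Removed());
        if (enabled.contains("SSLv3")) {
            System.out.println("WARNING: SSLv3 still enabled; configure TLS instead.");
        }
        System.out.println("TLS context        : " + tlsContext().getProtocol());
    }
}
```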

019) MFT-11923 / APAR IT36153  commit date:  31 Aug 2021
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and
     Windows platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version
     8.0.6.15. CDFtp on HP-UX uses JRE Version 8.0.5.35. These JREs are
     vulnerable to the following issues, disclosed as part of the IBM Java SDK
     updates in October 2020 and January 2021:

     CVE-2020-27221: Eclipse OpenJ9 is vulnerable to a stack-based buffer
                     overflow when the virtual machine or JNI natives are
                     converting from UTF-8 characters to platform encoding. By
                     sending an overly long string, a remote attacker could
                     overflow a buffer and execute arbitrary code on the system
                     or cause the application to crash.

     CVE-2020-14782: An unspecified vulnerability in Java SE related to the
                     Libraries component could allow an unauthenticated attacker
                     to cause no confidentiality impact, low integrity impact,
                     and no availability impact.

020) MFT-12802 / APAR IT39686  commit date:  08 Feb 2022
--------------------------------------------------------
     Apache Log4j used by IBM Sterling C:D FTP+ has been upgraded to version
     2.17.1.

021) MFT-13412 / APAR IT41221  commit date:  14 Jun 2022
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and
     Windows platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version
     8.0.6.30. This JRE is vulnerable to the following issues, disclosed as part
     of the IBM Java SDK updates in October 2021:

     CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE
                     component could allow an unauthenticated attacker to obtain
                     sensitive information resulting in a high confidentiality
                     impact using unknown attack vectors.

     CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE
                     component could allow an unauthenticated attacker to obtain
                     sensitive information resulting in a low confidentiality
                     impact using unknown attack vectors.

022) MFT-14065 / APAR IT43060  commit date:  06 Feb 2023
--------------------------------------------------------
     IBM Sterling Connect:Direct FTP+ (CDFtp) on AIX, Linux, Solaris, and
     Windows platforms uses IBM(R) Runtime Environment Java(TM) (JRE) Version
     8.0.7.10. This JRE is vulnerable to the following issue, disclosed as part
     of the IBM Java SDK updates in October 2022:

     CVE-2022-21626: An unspecified vulnerability in Java SE related to the
                     Security component could allow an unauthenticated attacker
                     to cause a denial of service resulting in a low
                     availability impact using unknown attack vectors.

     IBM Sterling Connect:Direct FTP+ (CDFtp) on HP-UX platform uses IBM(R)
     Runtime Environment Java(TM) (JRE) Version 8.0.6.30. This JRE is vulnerable
     to the following issues, disclosed as part of the IBM Java SDK updates in
     October 2021:

     CVE-2021-35550: An unspecified vulnerability in Java SE related to the JSSE
                     component could allow an unauthenticated attacker to obtain
                     sensitive information resulting in a high confidentiality
                     impact using unknown attack vectors.

     CVE-2021-35603: An unspecified vulnerability in Java SE related to the JSSE
                     component could allow an unauthenticated attacker to obtain
                     sensitive information resulting in a low confidentiality
                     impact using unknown attack vectors.


NOTICE:  C:D FTP+ on Solaris x86 platform is deprecated.  Fixes will be available 
         only on demand for this platform until end of support is reached.

NOTICE:  Going forward, security updates will be described as either affected or
         vulnerable, based on the following definitions from IBM:

         Affected: The software product contains code which has a documented
                   vulnerability. Based on currently available information,
                   however, we believe that the issue is likely not exploitable.
                   However, as a best practice and from an abundance of caution,
                   we recommend customers update their systems as soon as
                   practical. Vulnerabilities evolve, and a means of exploiting
                   any issue may emerge at any time.

         Vulnerable: The software product contains code, which has a documented
                     vulnerability. Our analysis shows that the issue may be
                     exploitable.

         Issues classified as affected will not be published in security
         bulletins, in most cases.

023) MFT-14244 / APAR IT43733  commit date:  16 May 2023
--------------------------------------------------------
     IBM Connect:Direct FTP+ (CDFTP) on AIX, Linux, and Solaris platforms uses
     IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.7.20. This JRE
     version is affected by the following issues, disclosed as part of recent IBM
     Java SDK updates: CVE-2023-21830, CVE-2023-21843, and CVE-2022-21426.

     CDFTP on HP-UX platform uses JRE Version 8.0.7.10. This JRE version is
     affected by the following issue: CVE-2023-30441. This JRE version is
     vulnerable to the following issue, disclosed as part of recent IBM Java SDK
     updates: CVE-2022-21626.


NOTICE:  C:D FTP+ on HP-UX platform is deprecated.  Fixes will be available only 
         on demand for this platform until end of support is reached.

024) MFT-14605 / APAR IT44110  commit date:  05 Jul 2023
--------------------------------------------------------
     IBM Connect:Direct FTP+ (CDFTP) on AIX, Linux, and Windows platforms uses
     IBM(R) Runtime Environment Java(TM) (JRE) Version 8.0.8.0. Some issues in
     this version were disclosed as part of recent IBM Java SDK updates.

     This JRE version is vulnerable to the following issue: CVE-2023-21967.

     This JRE version is affected by the following issues: CVE-2023-21930,
     CVE-2023-21968, CVE-2023-21954, CVE-2023-21939, CVE-2023-21937,
     CVE-2023-21938, and CVE-2023-2597.


NOTICE: Beginning with the iFix below, CDFTP on AIX requires XL C++ Runtime
        16.1.0.7 or later.  This is a requirement of IBM JRE version 17.  For
        more information, see https://www.ibm.com/support/pages/fix-list-xl-cc-
        runtime-aix#161X.


025) MFT-15198 / APAR IT45282  commit date:  17 Jan 2024
--------------------------------------------------------
     IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment Java(TM)
     (JRE) that have vulnerabilities disclosed as part of recent IBM Java SDK updates.

     JRE versions on Linux, AIX, and Windows platforms are vulnerable to CVE-2023-5676 and CVE-2023-22081,
     and affected by CVE-2023-22067, CVE-2023-22045 and CVE-2023-22049.

     JRE versions on Solaris platform are vulnerable to CVE-2023-5676, CVE-2023-22081, and CVE-2023-21967,
     and affected by CVE-2023-22067, CVE-2023-22045, CVE-2023-22049, CVE-2023-21954, CVE-2023-21930,
     CVE-2023-21968, CVE-2023-21939, CVE-2023-21937, CVE-2023-21938, and CVE-2023-2597.
     
     Updated bundled JRE version to 17.0.9.0 for Linux, AIX, and Windows platforms, and 8.0.8.15 for Solaris platform.

026) MFT-15198 / APAR IT45847/IT45848  commit date:  29 Mar 2024
----------------------------------------------------------------
     IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment Java(TM)
     (JRE) that have vulnerabilities disclosed as part of recent IBM Java SDK updates.

     JRE versions on Linux, AIX, and Windows platforms are affected by CVE-2024-20932, CVE-2024-20952,
     CVE-2024-20918, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, and CVE-2024-22361.

     JRE versions on Solaris platform are affected by CVE-2024-20952, CVE-2024-20918,
     CVE-2024-20921, CVE-2024-20919, CVE-2024-20926, CVE-2024-20945, and CVE-2023-33850.
     
     Updated bundled JRE version to 17.0.10.0 for Linux, AIX, and Windows platforms, and 8.0.8.20 for Solaris platform.

027) CDFTP-39  commit date:  05 Apr 2024
----------------------------------------
     OWASP scan may report invalid/previously fixed issues.

028) MFT-15888 / APAR IT46642  commit date:  05 Aug 2024
--------------------------------------------------------
     IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment
     Java(TM) (JRE) that have vulnerabilities disclosed as part of recent IBM
     Java SDK updates.

     JRE 17 versions on AIX, Linux, and Windows platforms are affected by
     CVE-2024-21085, CVE-2024-21012, and CVE-2024-3933.

     JRE 8 version on Solaris platform is affected by CVE-2024-21094,
     CVE-2024-21085, CVE-2024-21011, and CVE-2023-38264.

     Fix updates bundled JRE version to 17.0.11.0 for Linux, AIX, and Windows
     platforms, and 8.0.8.25 for Solaris platform.

029) MFT-16092 / APAR IT47102  commit date:  18 Oct 2024
--------------------------------------------------------
     IBM Connect:Direct FTP+ (CDFtp) uses versions of IBM(R) Runtime Environment
     Java(TM) (JRE) that have vulnerabilities disclosed as part of recent IBM
     Java SDK updates.

     JRE 17 versions on AIX, Linux, and Windows platforms are affected by
     CVE-2024-21145, CVE-2024-21144, and CVE-2024-21131.

     JRE 8 version on Solaris platform is affected by CVE-2024-21147,
     CVE-2024-21145, CVE-2024-21140, CVE-2024-21144, CVE-2024-21138,
     CVE-2024-21131, and CVE-2024-27267.

     Updated bundled JRE version to 17.0.12.0 for Linux, AIX, and Windows
     platforms, and 8.0.8.30 for Solaris platform.

NOTICE:  C:D FTP+ on Solaris SPARC platform is deprecated.  Fixes will be 
         available only on demand for this platform until end of support is 
         reached.