=================================================
Maintenance for IBM Connect:Direct for UNIX 6.4.0
=================================================

This maintenance archive includes module replacements for the C:D UNIX 6.4.0 code base. It is applicable to C:D UNIX version 6.4.0, and contains all the new functionality and fixes described in the C:D UNIX 6.4.0 Release Notes, as well as fixes for the issues listed below.

This release implements IBM's standard V.R.M.F method of identifying software. V, R, M and F are Version, Release, Modification and Fix Pack respectively. In general, V.R.M imply new functionality, while F is an accumulation of fixes called a Fix Pack. The term Fix Pack will be used going forward in place of Cumulative Maintenance. Individual fixes also have a new name, Interim Fixes, or iFixes for short. iFixes are numbered sequentially from one, starting over with any increment to V, R, M or F. Please see IBM's website for further details regarding this methodology.

After applying the maintenance, the CLI banner will report that your C:D version is 6.4.0.x, where x is the current Fix Pack. It will also display the date that the maintenance was created. For more information, please refer to the C:D UNIX 6.4.0 Release Notes.

NOTICE: Security updates will be described as either affected or vulnerable, based on the following definitions from IBM:

Affected: The software product contains code which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code which has a documented vulnerability. Our analysis shows that the issue may be exploitable.
Issues classified as affected will not be published in security bulletins, in most cases.

=================================================
iFixes listed below apply to C:D for UNIX 6.4.0.0
=================================================

001) Accumulated updates commit date: 26 Nov 2024
---------------------------------------------------

Update_01 CDUA-5495
--------------------
Updated UBI base image for CDU container to the latest version, which is UBI 9.5-1731517889.

Update_02 MFT-15259
--------------------
CDU container uses a binutils package that is affected by the following issue: CVE-2021-20197

Update_03 MFT-16363
--------------------
CDU container uses a libexpat package that is affected by the following issues: CVE-2024-45490, CVE-2024-45491, CVE-2024-45492

002) Object Store Service Updates commit date: 27 Nov 2024
------------------------------------------------------------

Update_01 MFT-16088 / APAR IT47046
-----------------------------------
Multipart file upload on Google Cloud (GCP) creates visible temporary parts. Object Store component updated by introducing a new property to store these temporary parts in a dedicated folder. The property name is gs.partUploadFolder.

Update_02 MFT-16217 / APAR IT47045
-----------------------------------
Unable to upload an object to a bucket when using a Multi-Region Access Point. Updated Object Store component to fix the issue.

Update_03 MFT-16368
--------------------
In some cases, FIOX020E may be inappropriately reported when sending to an S3 bucket with an underscore character in the bucket name.

Update_04 MFT-16001
--------------------
On rare occasions, it may take an unusually long time to establish a secure connection to an object store endpoint.

Update_05 CDUA-5379
--------------------
A copy step that attempts to access an object store with a valid store.partSize specified may inappropriately fail, indicating an invalid part size.
Fix also improves memory handling to address the potential for FIOX021E messages indicating "java.lang.OutOfMemoryError Java heap space."

Update_06 MFT-16383
-------------------
Sending big files to Google storage fails when the rate at which parts are composed is too fast. The Object Store Service uses a compose API provided by the Google SDK to merge uploaded parts into the final object. This API call is limited to 1 call per second per object, and sometimes 2 consecutive calls are too fast. This issue was addressed by adding a retry mechanism when this error occurs. The retry is managed with 2 new properties:

gs.composeDelay=1000 (default 1000, value in milliseconds): Maximum time to wait before a retry (minus the time consumed by the failing compose call).
gs.composeRetries=10 (default 10): Maximum number of retries for one compose call before the error is thrown.

Update_07 MFT-16375
--------------------
FIOX022E, FIOX021E, and FIOX020E messages may be seen when attempting to connect to an AWS S3 endpoint via proxy. AWS S3 clients only accept a non-secure proxy configuration. The default S3 HTTP client proxy scheme is "http", and only the system properties http_proxyHost, http_proxyPort, http_proxyUser, http_proxyPassword or the environment variable HTTP_PROXY can be set to establish a non-secure connection to a proxy. For a secure proxy connection using the system properties https_proxyHost, https_proxyPort, https_proxyUser, https_proxyPassword or the environment variable HTTPS_PROXY, the proxy scheme must be "https". This value can't be set through a system property. The new property s3.proxyScheme (HTTP or HTTPS) now allows this override.

003) Java component updates commit date: 27 Nov 2024
------------------------------------------------------

Update_01 MFT-16374 / APAR IT47311
----------------------------------
Integrated File Agent component included in IBM Connect:Direct for UNIX (CDU) uses versions of Spring Framework that are affected by CVE-2024-38820. Removed Spring Framework.
Update_02 MFT-16330 / APAR IT47318
----------------------------------
Install Agent component, included in IBM Sterling Connect:Direct for UNIX, uses an Apache Commons IO (commons-io) version that is affected by the following issue: CVE-2024-47554. Updated commons-io to 2.14.0.

004) CDUA-5361 commit date: 03 Dec 2024
----------------------------------------
Updated JVM options for the default file.ioexit record added during installation to improve startup times and performance.

005) CDUA-4856 commit date: 03 Dec 2024
-----------------------------------------
cduStop script may indicate File Agent stop was unsuccessful when in fact it was successful. Also, cduStart script used a fully qualified file reference to cdpmgr. If the installation directory name is very long, this could result in truncated ps command output. In addition to resolving the above issues, the fix also eliminates repetitive messages while waiting for an action to complete, such as "Waiting for the client port to be free" and "cdpmgr still running, waiting 5 seconds to recheck".

006) CDUA-5428 commit date: 03 Dec 2024
-----------------------------------------
On the initparm.cfg stats record added during installation, the default statistics log file size was increased to 10M to improve performance and reduce the number of files created in the work directory.

007) CDUA-5485 commit date: 03 Dec 2024
-----------------------------------------
S3 HTTP proxy environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY were not recognized during C:D UNIX startup and were removed from the process environment.

008) MFT-16252 commit date: 09 Dec 2024
-----------------------------------------
Silent installation may occasionally fail on very slow systems while trying to start Install Agent, due to port unavailability, which occurs if Install Agent has already been started by cdpmgr from the backend.
009) CDUA-5493 / APAR IT47393 commit date: 09 Dec 2024
--------------------------------------------------------
If Secure+ keystore passwords contain special characters, upgrades from IBM Connect:Direct for UNIX versions prior to 6.3.0.3 may fail, displaying messages such as "Convert KeyStore failed…" and "SPCG760E rc=8 PKCS12 KeyStore open exception - toDerInputStream rejects tag type 55".

010) CDUA-5266 / APAR IT47423 commit date: 13 Dec 2024
--------------------------------------------------------
If Secure+ keystore passwords contain 64 or more characters, upgrades from IBM Connect:Direct for UNIX versions prior to 6.3.0.3 may fail, displaying messages such as "gsk_environment_init() failed -GSK_ERROR_ASN - Error validating ASN fields in encoding". Also, in IBM Connect:Direct for UNIX versions 6.3.0.3 and above, a fresh Secure+ keystore creation with a password containing 64 or more characters may fail with the error "gsk_environment_init() failed - GSK_ERROR_CRYPTO - Error processing cryptography". Updated GSKit version to 8.0.60.4 to address these issues.

011) CDUA-5544 commit date: 17 Dec 2024
-----------------------------------------
When dynamic provisioning is disabled and Secure+ certificates are fed to the helm chart by manually copying them to the persistent volume mount path, the helm chart installation fails with a missing secret.secretName error.

-----------------------------------------------------------
iFixes listed above are accumulated in C:D for UNIX 6.4.0.1
-----------------------------------------------------------
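The compose retry described in Update_06 of item 002 (gs.composeDelay / gs.composeRetries), modelled as an added Python illustration that is not Object Store Service code: the Google SDK compose call, its one-call-per-second limit and the clock are all constructed fakes, and the two property values map to the compose_delay_ms and compose_retries parameters.

```python
class ComposeRateLimited(Exception):
    """Raised by the simulated compose call when two calls on one object are too close."""

class FakeClock:
    """Deterministic stand-in for wall-clock time, in milliseconds."""
    def __init__(self):
        self.now_ms = 0
    def sleep_ms(self, ms):
        self.now_ms += max(0, ms)

def make_fake_compose(clock, calls, call_cost_ms=150, min_gap_ms=1000):
    """Constructed stand-in for the Google SDK compose call on one object: each call
    consumes call_cost_ms and fails if started within min_gap_ms of the previous one."""
    last = [None]
    def compose(parts):
        started = clock.now_ms
        calls.append(started)
        clock.sleep_ms(call_cost_ms)
        if last[0] is not None and started - last[0] < min_gap_ms:
            raise ComposeRateLimited("compose called too soon for this object")
        last[0] = started
        return "composed:" + "+".join(parts)
    return compose

def compose_with_retry(compose, clock, parts, compose_delay_ms=1000, compose_retries=10):
    """Update_06 semantics: on a rate-limit failure wait compose_delay_ms minus the time
    the failing call consumed; after compose_retries retries the error is thrown.
    Returns (result, retries_used)."""
    retries = 0
    while True:
        started = clock.now_ms
        try:
            return compose(parts), retries
        except ComposeRateLimited:
            retries += 1
            if retries > compose_retries:
                raise
            clock.sleep_ms(compose_delay_ms - (clock.now_ms - started))

def run(min_gap_ms=1000, compose_retries=10):
    """Two back-to-back composes on one object. Returns (retries used by the second
    compose, or None if it gave up; start time of every API call; final clock)."""
    clock, calls = FakeClock(), []
    compose = make_fake_compose(clock, calls, min_gap_ms=min_gap_ms)
    compose_with_retry(compose, clock, ["part1", "part2"])
    try:
        retries = compose_with_retry(compose, clock, ["part3", "part4"], compose_retries=compose_retries)[1]
    except ComposeRateLimited:
        retries = None
    return retries, calls, clock.now_ms
```

run() shows the second compose on the same object succeeding after one retry that waits only 850 ms because the failed call already consumed 150 ms; run(min_gap_ms=10**9, compose_retries=2) shows the error surfacing after the third failed call, so the worst-case delay is bounded by roughly composeRetries × composeDelay.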