--------------------------------------------------
Patch 2.2.0.9-TIV-NCReporter-F0004 for Netcool/Reporter Release 2.2
---------------------------------------------------

Date
----------
March 14th, 2016

Bug/Enhancement Identification
------------------------------
APAR Number : IV82698
Case Number : 1085

Bug Requirement(s)
--------------------
Netcool/Reporter 2.2.0.0 release must be installed.
Reporter Fix Pack 2.2.0.9 is installed.
Netcool/Reporter 2.2.0.9 Interim Fix 1 is installed.

Problem(s) Resolved/Enhancement(s)
----------------------------------
This patch upgrades OpenSSL for Netcool/Reporter to version 1.0.1s to fix the security vulnerabilities below:
1) (CVE-2016-0800) A cross-protocol attack was discovered that could lead to decryption of TLS sessions
2) (CVE-2016-0705) A double free bug was discovered when OpenSSL parses malformed DSA private keys
3) (CVE-2016-0797) In the BN_hex2bn function the number of hex digits is calculated using an int value |i|
4) (CVE-2016-0799) The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow
5) (CVE-2016-0702) A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture
6) (CVE-2016-0703) s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers
7) (CVE-2016-0704) s2_srvr.c overwrote the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites
8) (CVE-2015-3197) A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2
9) All other 2015 fixes in OpenSSL 1.0.1r and earlier.

Classes/Files that fix this bug:
----------------------------------
%APACHE_HOME%\bin\libeay32.dll
%APACHE_HOME%\bin\ssleay32.dll
%APACHE_HOME%\bin\openssl.exe
%APACHE_HOME%\conf\openssl.cnf
%APACHE_HOME%\conf\extra\httpd-ssl.conf
%APACHE_HOME%\modules\mod_ssl.so

Component Test 1 - Verify that OpenSSL can be installed successfully.
------------
1. Install Reporter 2.2 GA, Fix Pack 2.2.0.9 and Reporter 2.2.0.9 Interim Fix 1
2. Install this patch
3. Check the OpenSSL version by running "openssl version" under $APACHE_HOME/bin

Test result: Passed
1. OpenSSL version should be 1.0.1s

Component Test 2 - Verify that all major functions of Reporter work well after the OpenSSL upgrade.
------------
1. Install Reporter 2.2 GA, Fix Pack 2.2.0.9 and Reporter 2.2.0.9 Interim Fix 1
2. Install this patch
3. Log in to Reporter and run all components

Test result: Passed
1. OpenSSL was upgraded successfully.
2. All Reporter components work well.
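The version check from Component Test 1 can be scripted so that an install is flagged when the bundled openssl still reports a pre-patch 1.0.1 letter release. This is an added example, not part of the patch or of IBM's tooling; it assumes a POSIX shell is available and that APACHE_HOME points at the Apache bundled with Reporter, and it checks for 1.0.1s or a later 1.0.1 letter release rather than exactly 1.0.1s.

```shell
# Added example (not from the patch readme): verify the OpenSSL the Apache
# bundle reports is at least the 1.0.1s shipped by 2.2.0.9-TIV-NCReporter-F0004.
FIXED_VERSION="1.0.1s"   # version named in the readme

# letter_ord LETTER -> prints the codeset value of a one-character string
letter_ord() { printf '%d' "'$1"; }

# openssl_version_ok "OpenSSL 1.0.1s  1 Mar 2016"
# Returns 0 when the reported version is on the 1.0.1 branch with a letter
# at or after the fixed one, 1 otherwise (other branch, no letter, or unparsable).
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    base=${ver%[a-z]}               # 1.0.1s -> 1.0.1
    letter=${ver#"$base"}           # 1.0.1s -> s
    fixed_base=${FIXED_VERSION%[a-z]}
    fixed_letter=${FIXED_VERSION#"$fixed_base"}
    # A different branch (e.g. 1.0.2) is not what this patch ships; report it
    # rather than guessing whether its fixes are equivalent.
    [ "$base" = "$fixed_base" ] || return 1
    # A bare 1.0.1 with no letter predates every lettered 1.0.1 release.
    [ -n "$letter" ] || return 1
    [ "$(letter_ord "$letter")" -ge "$(letter_ord "$fixed_letter")" ]
}

# check_installed APACHE_HOME -> runs the bundled binary as in Component Test 1
# and prints a verdict; exit status 0 only when the patched version is present.
check_installed() {
    out=$("$1/bin/openssl" version 2>/dev/null) \
        || { echo "FAIL: $1/bin/openssl did not run"; return 1; }
    if openssl_version_ok "$out"; then
        echo "OK: $out"
    else
        echo "NOT PATCHED: $out (expected $FIXED_VERSION or later 1.0.1 release)"
        return 1
    fi
}
```

Run `check_installed "$APACHE_HOME"` after installing the patch; a non-zero exit means the old libraries are still being picked up.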