IBM Issues HiPER And Security Patches For V5R4
September 21, 2015 Timothy Prickett Morgan
Here is a weird one. Last week, IBM released PTF patches for OS/400 V5R4, also known as i5/OS 5.4, the venerable release of OS/400 that came out in February 2006 and that was withdrawn from marketing in May 2011 and had its standard Software Maintenance ended in September 2013. Extended maintenance is still running for those customers who pay for it, and will continue to do so until September 30, 2016.
While this Program Support Extension (PSE) support does offer tech support for the V5R4 stack on Power Systems and earlier machines, it has always been my understanding that Big Blue does not generate new bug fixes outside of the normal Software Maintenance (SWMA) window. IBM does not do new feature development under extended support, but it does provide usage support, meaning helping you out when something goes wrong as you try to do stuff.
Doug Bidwell, our intrepid PTF hunter, spotted the updates for V5R4 and has downloaded them and applied them to some customer machines that are still running V5R4, and they appear to work. The PTFs were put into the HIPER and Security PTF groups, HIPER being short for “High Impact” and “Pervasive” patches to the OS/400 and IBM i platform, and security being what you expect. As far as Bidwell can tell, the patches are exactly the same in both groups, and IBM has not issued a new cumulative release (CUME, in IBMspeak) of V5R4.
Here are the PTF numbers so you can go hunting for them if you are still on V5R4:
Here are the links to the two PTF groups:
When you click through to those links, you will see that IBM actually did the updates on September 11 this year; before that, it had last updated the HIPER PTF group on December 17, 2013 and the Security PTF group on January 29, 2013. The description of the issue is as follows from these documents: “ISC released an CVE-2015-5477, BIND did not handle TKEY queries correctly, and may cause BIND to exit. ISC released an CVE-2015-4620, over DNSSEC validation, which will affect V7R1~V7R2 release and can cause a security problem.”
If you understand that, you need to spend more time outside. But seriously, ISC is short for the Internet Systems Consortium, and BIND is a popular open source implementation of the Domain Name Server (DNS) and is short for the Berkeley Internet Name Domain. The DNS is what converts the text names of a web address to an IP address with its four sets of three-digit numbers. (We all thought it might have something to do with the binding of program elements during program compilations, but nothing that exciting.) Anyway, the bug fix for BIND, which is in the OS/400 V5R4 stack, relates to this security issue identified by CVE, allowing for denial of service attacks to be launched by remote hackers. This vulnerability was identified on July 10 of this year, and has been fixed in the Canonical Ubuntu Server, SUSE Linux Enterprise Server, Red Hat Enterprise Linux, and Debian variants of Linux.
One warning from the patch: “After update to BIND 9, the V5R4 IBM i Navigator will not be compatible with the new version BIND server. The high version i Navigator (V6R1 or above) can be partially compatible with the BIND 9 on V5R4, it can be used to configure the existing instances, but when creating new instances, the generated configuration files will be still in BIND 8 format, and cannot work correctly with BIND 9.”
The same fixes are in their equivalent groups for IBM i 6.1, 7.1, and 7.2.
That sounds like a pain in the neck, but maybe not enough to just upgrade to IBM i 7.2. Which is probably a good idea, people.