IBM i PTF Guide, Volume 19, Number 6
February 15, 2017 Doug Bidwell
Every two weeks, IBM updates the High Impact and Pervasive, or HIPER, PTFs that are so critical to the system that in Big Blue’s opinion they should be on every system as quickly as possible. In general, a HIPER problem that affects any operating system release is fixed as long as that IBM i release is still on support.
In the example below, from this week, the three problems are fixed on all three current IBM releases, those being 7.1, 7.2, and 7.3. The interesting part here is that OpenSSH 6.9 is vulnerable and that vulnerability is fixed in OpenSSH 7.4, but it is not clear if there is an easy way to upgrade the SSH code in any of the current releases. We are investigating this.
HIPERS V7R3 (SF99729)
MF63237 An unexpected page fault in LIC stack switching function can result in abnormal system termination
MF63202 Avoid SRCB6005121 partition termination when unexpected internal message data is encountered
SI63791 This PTF forces the PTF MF63027 to permanently apply.
----------------------------------
HIPERS V7R2 (SF99719)
SI63656 OpenSSH 6.9 is vulnerable to the following vulnerabilities fixed in OpenSSH 7.4: CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 OpenSSH 6.9 has been patched to close the vulnerabilities
MF63236 Same as MF63237 in V7R3
MF63201 Same as MF63202 in V7R3
------------------------------
HIPERS V7R1 (SF99709)
SI63657 same as SI63656 for V7R2
MF63235 Same as MF63237 in V7R3
MF63200 Same as MF63202 in V7R3
Here is the fun bit about HIPER PTFs. None of these HIPER PTFs are available in the cumulative updates for each IBM i release. The only way to keep current with HIPERs is to hunt through the PTFs every two weeks and add them.
The same goes for the security updates, which also come out every two weeks or so.
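Because the HIPERs have to be tracked by hand, the biweekly hunt can be scripted. The following is an added example, not code from this guide or from IBM: it parses this week's listing, resolves the "Same as ... in V7R3" cross-references, and reports which HIPER PTFs are absent from a partition. The function names and the installed-PTF set (an inventory you export from your own system) are assumptions.

```python
import re

# This week's HIPER listing as given above (separator lines omitted).
LISTING = """\
HIPERS V7R3 (SF99729)
MF63237 An unexpected page fault in LIC stack switching function can result in abnormal system termination
MF63202 Avoid SRCB6005121 partition termination when unexpected internal message data is encountered
SI63791 This PTF forces the PTF MF63027 to permanently apply.
HIPERS V7R2 (SF99719)
SI63656 OpenSSH 6.9 is vulnerable to the following vulnerabilities fixed in OpenSSH 7.4: CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012 OpenSSH 6.9 has been patched to close the vulnerabilities
MF63236 Same as MF63237 in V7R3
MF63201 Same as MF63202 in V7R3
HIPERS V7R1 (SF99709)
SI63657 same as SI63656 for V7R2
MF63235 Same as MF63237 in V7R3
MF63200 Same as MF63202 in V7R3
"""

HEADER = re.compile(r"^HIPERS (V\dR\d) \((SF\d{5})\)$")
ENTRY = re.compile(r"^((?:MF|SI)\d{5}) (.+)$")
SAME_AS = re.compile(r"^same as ((?:MF|SI)\d{5}) (?:in|for) (V\dR\d)$", re.I)

def parse_listing(text):
    """Return {release: {ptf_id: description}} with 'Same as' entries resolved."""
    releases, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            current = releases.setdefault(m.group(1), {})
        elif (m := ENTRY.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    for ptfs in releases.values():
        for ptf_id, desc in ptfs.items():
            if m := SAME_AS.match(desc):
                ref_id, ref_rel = m.group(1), m.group(2).upper()
                # Fall back to the raw text if the referenced PTF is not listed.
                ptfs[ptf_id] = releases.get(ref_rel, {}).get(ref_id, desc)
    return releases

def missing_hipers(releases, release, installed):
    """PTF IDs listed for `release` that are absent from the installed set."""
    return sorted(set(releases.get(release, {})) - {p.upper() for p in installed})

if __name__ == "__main__":
    hipers = parse_listing(LISTING)
    # Constructed inventory for a hypothetical V7R2 partition.
    installed_v7r2 = {"MF63236", "SI60000"}
    for ptf in missing_hipers(hipers, "V7R2", installed_v7r2):
        print(ptf, "-", hipers["V7R2"][ptf])
```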
One more thing we found out recently, and it is kind of critical. There are several WebSphere Application Server release levels that are covered in various IBM i releases. The idea behind a Program Temporary Fix, which is what PTF stands for, is that when you take the PTF and put it on your system, it fixes the problem. With the WebSphere code, you put the fixes on the system through a separate fixpack from the WebSphere teams and then you have to take further action to actually apply the patches. Starting with WebSphere 9, there are no longer any PTF groups associated with WebSphere. Now, you have to grab the WebSphere fixes separately from the WebSphere people and then patch this code separately from IBM i. Which defeats the entire purpose of an integrated system. We will be updating the guide next week to reflect this change in the WebSphere group PTFs and help you find these WebSphere updates.