May 18, 2022 Doug Bidwell
It was busy last week in the world of PTFs, but this week it is pretty quiet, excepting a few things. Which is good, because maybe you are not quite yet caught up anyway, right? It has been a long four years since we have new machines to play with, and we’re looking forward to getting our hands on IBM i 7.5 and, more importantly, seeing what kind of machines and deals that IBM will be making with the Power10 machines in July.
Here is the rundown of PTF Groups by IBM i release level since we last published, with …Read more
May 11, 2022 Doug Bidwell
So here is what’s new. Here is a notice at the top of the Fix Central Home Page: “Your action may be required. IBM will implement infrastructure improvements to electronic fix distribution on June 4, 2022. IP and hostnames will change for servers that support fix delivery. New connections are required. You must configure your firewall and proxy server if you have a firewall in your network, or if your machine uses a proxy server to access the internet. Please see preparing firewalls and proxies.”
And here is another note from the PTF Cume Cover Letter: “IMPORTANT: Permanently apply any …Read more
May 4, 2022 Doug Bidwell
Well, good people of IBM i Land, you are getting another relatively light week when it comes to PTFs, which makes sense with IBM i 7.5 and IBM i 7.4 TR 6 rolling out this week. This is good news because now you have time to digest all of the announcements and to start thinking about how you might take advantage of all of the new software Big Blue has been working on.
For those of you who have not kept current on your PTF patches, there is a vast archive of IBM i PTF Guide editions for you to …Read more
April 27, 2022 Doug Bidwell
It was a pretty quiet week in PTF Land, which stands to reason given the various holidays and the Spring Break that a lot of people had last week. It probably won’t last long, so take the downtime while you have it. There is stuff you need to deal with, of course.
One reminder: A new build for Access Client Services (ACS) 184.108.40.206 is available for download (2170).
Here is the rundown of PTF Groups by IBM i release level since we last published:
PTF Groups 7.4:
- Backup Recovery Solutions
PTF Groups 7.3:
April 20, 2022 Doug Bidwell
It is a new week, and there are two new security vulnerabilities in the IBM i platform. First, there is Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708), which you can read more about here. The IBM i PTF numbers containing the fix for the CVEs:
IBM i Release 5770-SS1 PTF Number PTF Download Link
7.4 SI78971 https://www.ibm.com/support/pages/ptf/SI78971
7.3 SI78972 https://www.ibm.com/support/pages/ptf/SI78972
7.2 SI78973 https://www.ibm.com/support/pages/ptf/SI78973
Then there is Security Bulletin: OpenSSL for IBM i is vulnerable to a denial of service due to a flaw in …Read more
April 6, 2022 Doug Bidwell
Get your PTF patching fingers ready to roll across the keyboard because there are some new security vulnerabilities in the IBM i platform. First up, Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493), which you can learn about here.
Release 2.2.0 can be fixed by upgrading to release 2.2.1 or 2.3.0, depending on your IBM i release level:
- IBM i 7.4: Upgrade to Db2 Web Query for i 2.3.0
- IBM i 7.3: Upgrade to
March 30, 2022 Doug Bidwell
It’s pretty quiet on the PTF western front. Not that there isn’t always some kind of weird stuff going on . . . because, let me assure you, there is. IBM i customers have all kinds of weird things happening, and that ain’t no April Fool’s joke. But, mercifully, this week, as we end the first quarter and Spring is starting meteorologically as well as calendaricly – yes, I just made that word up – there are only a few things going on.
Once again: To help you with the Log4j security vulnerability, we have created a supplemental spreadsheet as …Read more
March 23, 2022 Doug Bidwell
And the security vulnerabilities just keep on a-coming. This time, it is with the WebSphere Application Server. Check out Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038), which you can read all about here. The affected products are WebSphere Application Server Liberty, versions 220.127.116.11 through 18.104.22.168 and WebSphere Application Server versions 9.0 through 22.214.171.124.
Also, here some information: The default location of ACS is updated whenever there is a Cumulative update or upgrade to a OS level. (\\&SystemName\root\QIBM\ProdData\Access\ACS\Base). Here are fixes for this:
- IBM i 7.4: SI77377 – ACS 126.96.36.199
March 16, 2022 Doug Bidwell
This Log4j security vulnerability just keeps being more and more pesky. If you haven’t seen it yet, there is an update to a Security Bulletin called Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104), which you can read all about at this link.
The patches for each release are described in full here:
To help you with the Log4j security vulnerability, we have created a supplemental spreadsheet as a companion …Read more
March 7, 2022 Doug Bidwell
This week, there are a bunch of security bulletins about yet more new vulnerabilities, this time in the HTTP Server and the Samba Windows file server clone that are embedded in the IBM i operating system. There is also a partial mitigation against Log4j/Log4Shell vulnerabilities, and you may get a laugh or a cry out of this one. Maybe both. OK, probably both. Let’s go through them all.Read more