Lukas Beeler wrote:
<<SNIP>> IBM offers loads of security relevant PTFs, labeling 
each of those just as "Integrity Fix" - you don't know what
you're dealing with. Microsoft communicates security issues
much better.
  Not every security\integrity PTF is so limited in its descriptive 
text, but I agree the lack of transparency is problematic.  For 
example, for a security issue that existed with STRPASTHR, there was 
no indication that the problem involved *only* client passthru 
requests; except what one might infer from, if even there were, any 
superseded PTFs listed in the PTF cover letter.  Having known that, 
for a system where STRPASTHR [and its API] were well controlled, the 
administrator might choose to delay application of the PTF until the 
next cumulative.  However, not knowing what interfaces are impacted 
by the APAR\PTF, there is little choice but to schedule the 
application of the PTF at the soonest available maintenance window.
  There would be little harm in IBM providing some detail about 
what interfaces are affected, even if not specifically giving the 
details about how the origin; i.e. as in the above STRPASTHR 
example, where we now know that there was a problem with STRPASTHR, 
but no idea how to undermine security\integrity by using that 
feature.  The obvious benefit being the ability to make a somewhat 
informed decision about when to apply the PTF.
Regards, Chuck
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.