<snip>
As for IBM revealing stuff, I had to deal with an auditor who demanded
documentation for security patches. I told her that neither Mr. Ernst nor 
Mr. Young could get IBM to reveal those secrets.
</snip>
Recently I remarked how much things are changing.  I just want to paste 
this recent announcement as further proof:
It's important you scroll down through it to notice things like
<paraphrased>
"This is a particular hack that someone could use to easily penetrate your 
system.  Here's where it is documented on the internet how to execute that 
hack.  If you download this fix it will close that hack."
</paraphrased>
"If it ain't broke, don't fix it" is the biggest pile of horse excrement.
You can sign up for such notifications at:
<snip>
Manage your My notifications subscriptions, or send questions and 
comments.
- Subscribe or Unsubscribe - 
https://www.ibm.com/support/mynotifications
</snip>
http://www-912.ibm.com/s_dir/slkbase.nsf/ibmscdirect/997583A5C2CCE24C86257DE40057829B?OpenDocument&myns=i710&mync=E&cm_sp=i710-_-NULL-_-E
The paragraph at the end, including some specific CVEs, was added at my 
request to try to handle an audit ding we're getting.
Security Bulletin: IBM i Apache server affected by vulnerabilities 
CVE-2015-1283 and CVE-2015-3183.
Security Bulletin: IBM i WebSphere Application Server affected by 
vulnerability (CVE-2015-4938).
Security Bulletin: IBM i is affected by an ISC BIND vulnerability 
(CVE-2015-5722).
Security Bulletin: IBM i is affected by several ISC BIND vulnerabilities
Security Bulletin: Vulnerabilities in IBM i Java
Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM i 
(CVE-2015-4000)
Security Bulletin: Vulnerabilities in OpenSSL including 
Logjam affect IBM i
Security Bulletin: Vulnerability in SSLv3 affects IBM i (CVE-2014-3566)
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM i 
(CVE-2015-2808)
Security Bulletin: Multiple vulnerabilities, including Freak and Bar 
Mitzvah, in IBM Java SDK affect IBM i.
Security Bulletin: RC4 Bar Mitzvah Attack for SSL/TLS (CVE-2015-2808) 
affect IBM i.
Security Bulletin: IBM i is affected by several OpenSSL vulnerabilities.
Security Bulletin: IBM i is affected by the following networking BIND 
vulnerability: CVE-2015-1349
Security Bulletin: IBM i is affected by the following SAMBA 
vulnerabilities (CVE-2015-0240)
Security Bulletin: IBM i is affected by several OpenSSL vulnerabilities.
Security Bulletin: IBM i is affected by the following networking BIND 
vulnerability: CVE-2014-8500
Security Bulletin: Buffer Overflow vulnerability affects IBM i Access for 
Windows Personal Communications support (CVE-2015-0114)
Security Bulletin: Buffer Overflow vulnerability affects IBM i Access for 
Windows (CVE-2014-8920)
Security Bulletin: TLS padding vulnerability affects IBM i Domino 
(CVE-2014-8730)
Security Bulletin: IBM i is affected by the following OpenSSL 
vulnerabilities: CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568.
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i.
Security Bulletin: IBM i affected by OpenSSL vulnerability (CVE-2014-0076)
Security Bulletin: IBM i is affected by the following OpenSSL 
vulnerabilities: CVEs: CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, 
CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510
Security Bulletin: Multiple vulnerabilities in the IBM SDK Java™ 
Technology for IBM i
Security Bulletin: Multiple vulnerabilities in the IBM SDK Java™ 
Technology for IBM i
Security Bulletin: IBM i is affected by the following SAMBA 
vulnerabilities: CVE-2014-0178 and CVE-2014-0239
Security Bulletin: IBM i is affected by the following OpenSSL 
vulnerabilities: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, 
CVE-2014-0198 and CVE-2014-3470
Security Bulletin: Multiple vulnerabilities in the IBM SDK Java™ 
Technology for IBM i
...
Note: Prior to 07/1/2013, IBM i did not publish Security Bulletins for 
CVEs that impacted IBM i. However, the fixes for older CVEs that did 
impact IBM i support such as DNS BIND, OpenSSL, Web and Application 
Servers, Lotus Products, Java and the IBM i OS and LIC have been created 
and approved for use on supported releases. Examples of the older CVEs 
that have been fixed include these DNS BIND CVEs (CVE-2012-1667, 
CVE-2012-3817, CVE-2012-4244, CVE-2012-5166 and CVE-2013-4854). 
Rob Berendt