This shows you the differences between two versions of the page.
aix:aix_internet_updates [2024/06/07 11:48] manu |
aix:aix_internet_updates [2025/02/19 14:59] (current) manu [Efix DB location] |
||
---|---|---|---|
Line 6: | Line 6: | ||
* **emgr_check_ifixes** | * **emgr_check_ifixes** | ||
* **emgr_download_ifix** | * **emgr_download_ifix** | ||
+ | * **emgr_sec_patch** | ||
+ | |||
+ | FIXME currently (02-2025) you can't set a proxy to download ! Only direct connections to internet are supported | ||
+ | |||
<cli prompt='#'> | <cli prompt='#'> | ||
# emgr_check_ifixes | # emgr_check_ifixes | ||
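Review bot: The FIXME line about proxies does not say which of the three listed commands it applies to, and the new **emgr_sec_patch** bullet is added with no description. Name the affected commands explicitly (emgr_check_ifixes and emgr_download_ifix fetch from the internet; emgr_sec_patch is only shown later with a local tar). Tie "02-2025" to an AIX or emgr level if one is known, so the reader can tell when the limitation no longer applies. A one-line description per command in this list would also help, since the list is the page's entry point.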
Line 32: | Line 36: | ||
</cli> | </cli> | ||
- | emgr_check_ifixes | + | **emgr_check_ifixes** |
- | * -D automatically download the required fixes to the host in /tmp/ifix_ ${PID} | + | * **-D** automatically download the required fixes to the host in /tmp/ifix_${PID} |
Download a specific efix | Download a specific efix | ||
# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P . | # emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P . | ||
+ | |||
+ | <cli prompt='#'> | ||
+ | # emgr -lv3 | tail -18 | ||
+ | |||
+ | APAR information: | ||
+ | ================= | ||
+ | APAR number: IJ49378 | ||
+ | APAR abstract: crl download fails after change in certificate server | ||
+ | APAR number: IJ49379 | ||
+ | APAR abstract: emgr_download_ifix fails with ssl connection failed | ||
+ | APAR number: IJ49220 | ||
+ | APAR abstract: default download path of emgr_check_ifixes is /tmp/ifix | ||
+ | |||
+ | Description: | ||
+ | ============ | ||
+ | IJ49378 - crl download fails after change in certificate server | ||
+ | IJ49379 - emgr_download_ifix fails with ssl connection failed | ||
+ | IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix | ||
+ | </cli> | ||
+ | |||
+ | ===== Efix detailed info ===== | ||
+ | |||
+ | View the content of an efix package | ||
+ | <cli prompt='>'> | ||
+ | [root@aix001]/export/software/efix/openssh_fix15> emgr -d -v3 -e 38408m9a.230811.epkg.Z | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Efix Manager Initialization | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Initializing log /var/adm/ras/emgr.log ... | ||
+ | Efix package file is: /export/software/efix/openssh_fix15/38408m9a.230811.epkg.Z | ||
+ | MD5 generating command is /usr/bin/csum | ||
+ | MD5 checksum is d44fd5020b283c0e3fc121daacabaa03 | ||
+ | Accessing efix metadata ... | ||
+ | Verifying efix control file ... | ||
+ | Unpacking efix package file ... | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Efix Attributes | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | LABEL: 38408m9a | ||
+ | PACKAGING DATE: Fri Aug 11 06:51:30 CDT 2023 | ||
+ | ABSTRACT: Ifix for openssh vulnerabilities | ||
+ | PACKAGER VERSION: 7 | ||
+ | VUID: 00F787C74C00081106082923 | ||
+ | REBOOT REQUIRED: no | ||
+ | BUILD BOOT IMAGE: no | ||
+ | LU CAPABLE: yes | ||
+ | PRE-REQUISITES: yes | ||
+ | SUPERSEDE: no | ||
+ | PACKAGE LOCKS: no | ||
+ | E2E PREREQS: no | ||
+ | FIX TESTED: no | ||
+ | EFIX FILES: 11 | ||
+ | |||
+ | Install Scripts: | ||
+ | PRE_INSTALL: no | ||
+ | POST_INSTALL: no | ||
+ | PRE_REMOVE: no | ||
+ | POST_REMOVE: no | ||
+ | |||
+ | File Number: 1 | ||
+ | LOCATION: /usr/bin/ssh | ||
+ | FILE TYPE: Standard (file or executable) | ||
+ | INSTALLER: installp | ||
+ | SIZE: 5480 | ||
+ | ACL: DEFAULT | ||
+ | CKSUM: 49408 | ||
+ | PACKAGE: openssh.base.client | ||
+ | MOUNT INST: no | ||
+ | |||
+ | ... | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Efix Description | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Ifix for CVE_2023_38408 and fix for sftp Allow/Deny Files Security Vulnerability | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Displaying Configuration File "PREREQ" | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | openssh.base.client 8.1.102.2106 8.1.102.2106 | ||
+ | openssh.base.server 8.1.102.2106 8.1.102.2106 | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Displaying Configuration File "APARREF" | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | NONE | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Operation Summary | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Log file is /var/adm/ras/emgr.log | ||
+ | |||
+ | EPKG NUMBER LABEL OPERATION RESULT | ||
+ | =========== ============== ================= ============== | ||
+ | 1 38408m9a DISPLAY SUCCESS | ||
+ | |||
+ | Return Status = SUCCESS | ||
+ | </cli> | ||
+ | |||
+ | View the content of an installed efix | ||
+ | <cli prompt='>'> | ||
+ | [root@aix001]/root> emgr -P | ||
+ | |||
+ | PACKAGE INSTALLER LABEL | ||
+ | ======================================================== =========== ========== | ||
+ | invscout.rte installp is22026s1a | ||
+ | oss.lib.libcurl installp 853sa | ||
+ | openssh.base.client installp 9211224a | ||
+ | openssh.base.server installp 9211224a | ||
+ | openssl.base installp 3013sa | ||
+ | |||
+ | [root@aix001]/root> emgr -l -v3 -L is22026s1a | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | EFIX ID: 1 | ||
+ | EFIX LABEL: is22026s1a | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | LABEL: is22026s1a | ||
+ | STATE: STABLE | ||
+ | UPDATED BY: | ||
+ | ABSTRACT: invscout fix for CVE-2024-27260 | ||
+ | VUID: 00F7CD554C00051412053724 | ||
+ | PACKAGER VERSION: 7 | ||
+ | INSTALL DATE: 08/01/24 13:47:05 | ||
+ | EPKG VERSION: 7 | ||
+ | REBOOT REQUIRED: no | ||
+ | BUILD BOOT IMAGE: no | ||
+ | LU CAPABLE: yes | ||
+ | PACKAGE LOCKS: no | ||
+ | SUPERSEDE: no | ||
+ | INSTALLP PREREQUISITES: yes | ||
+ | E2E PREREQUISITES: no | ||
+ | FIX TESTED: no | ||
+ | FILES: 1 | ||
+ | |||
+ | Install Scripts | ||
+ | =============== | ||
+ | PRE_INSTALL: no | ||
+ | POST_INSTALL: no | ||
+ | PRE_REMOVE: no | ||
+ | POST_REMOVE: no | ||
+ | |||
+ | FILE NUMBER: 1 | ||
+ | LOCATION: /usr/sbin/invscout | ||
+ | FILE TYPE: Standard (file or executable) | ||
+ | INSTALLER: installp | ||
+ | SIZE: 1044 | ||
+ | CKSUM: 51101 | ||
+ | ACL: DEFAULT | ||
+ | PACKAGE: invscout.rte | ||
+ | MOUNT INST: no | ||
+ | |||
+ | Installp Prerequisite Information: | ||
+ | ================================== | ||
+ | PREREQUISITE NUM: 1 | ||
+ | FILESET: invscout.rte | ||
+ | MINIMAL LEVEL: 2.2.0.25 | ||
+ | MAXIMUM LEVEL: 2.2.0.26 | ||
+ | TYPE: PREREQ | ||
+ | LEVEL AT INSTALL: 2.2.0.26 | ||
+ | |||
+ | Efix to Efix Prerequisite Information: | ||
+ | ====================================== | ||
+ | No efix to efix prerequisites data. | ||
+ | |||
+ | APAR information: | ||
+ | ================= | ||
+ | No APAR numbers listed. | ||
+ | |||
+ | Description: | ||
+ | ============ | ||
+ | invscout fix - CVE-2024-27260 | ||
+ | </cli> | ||
+ | |||
+ | ===== Efix DB location ===== | ||
+ | |||
+ | Efix inventory is stored in a text file: “/usr/emgrdata/DBS/efix.db” and “/usr/emgrdata/DBS/pkglck.db” | ||
+ | <cli prompt='#'> | ||
+ | [root@aix01]/root# cat /usr/emgrdata/DBS/efix.db | ||
+ | IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|. | ||
+ | 1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|. | ||
+ | |||
+ | [root@aix01]/root# cat /usr/emgrdata/DBS/pkglck.db | ||
+ | IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101 | ||
+ | 1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103 | ||
+ | 1022103a|:|2|:|/usr/lib/libssl.a|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103 | ||
+ | 1022103a|:|3|:|/usr/lib/libcrypto.a.min|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103 | ||
+ | 1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103 | ||
+ | 1022103a|:|5|:|/usr/bin/openssl64|:|openssl.base|:|1|:|5|:|063008060522|:|1.0.2.2103 | ||
+ | </cli> | ||
+ | |||
+ | ===== Efix TAR installation ===== | ||
+ | |||
+ | To install an efix based on TAR efix package, use the following command | ||
+ | <cli prompt='#'> | ||
+ | # /usr/sbin/emgr_sec_patch kernext_fix.tar | ||
+ | ... | ||
+ | Efix State | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Setting efix state to: STABLE | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Operation Summary | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Log file is /var/adm/ras/emgr.log | ||
+ | |||
+ | EPKG NUMBER LABEL OPERATION RESULT | ||
+ | =========== ============== ================= ============== | ||
+ | 1 IJ52610m2a INSTALL SUCCESS | ||
+ | |||
+ | Return Status = SUCCESS | ||
+ | Done | ||
+ | em+-----------------------------------------------------------------------------+ | ||
+ | Checking System Level Prerequisites | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s2a.241113.epkg.Z | ||
+ | gr -PSkipping ifix | ||
+ | See /var/adm/ras/emgr.log for more details | ||
+ | |||
+ | +-----------------------------------------------------------------------------+ | ||
+ | Checking System Level Prerequisites | ||
+ | +-----------------------------------------------------------------------------+ | ||
+ | calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s3a.241113.epkg.Z | ||
+ | Skipping ifix | ||
+ | See /var/adm/ras/emgr.log for more details | ||
+ | </cli> |
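Review bot: The captured output at the end of "Efix TAR installation" has typed input mixed into it: "em+-----..." and "gr -PSkipping ifix" look like an "emgr -P" typed while emgr_sec_patch was still printing. Re-capture or clean those two lines so the sample can be compared against a real run, and say why the IJ52977s2a and IJ52977s3a packages end in "Skipping ifix" after IJ52610m2a installed successfully. Earlier in the hunk, the -D bullet gives the download directory as /tmp/ifix_${PID}, while the added APAR abstract for IJ49220 reads "default download path of emgr_check_ifixes is /tmp/ifix". State which path applies at which level. The "emgr -lv3 | tail -18" block also needs a sentence saying which efix it shows and why it is relevant here. In "Efix DB location", the sentence says "a text file" but names two, and the "|:|"-separated records are shown without a field legend. Even a partial legend (label, abstract, VUID, install date, state for efix.db; label, file number, path, fileset, level for pkglck.db, as far as they can be matched to the emgr -l -v3 output above) would make the dump usable for auditing. Finally, nothing between the emgr_download_ifix example and emgr_sec_patch shows the tar being checked before installation. Consider adding the verification step you use.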