aix:aix_internet_updates

Differences

This shows you the differences between two versions of the page.

aix:aix_internet_updates [2024/06/07 11:48]
manu
aix:aix_internet_updates [2025/02/19 14:59] (current)
manu [Efix DB location]
Line 6: Line 6:
   * **emgr_check_ifixes**   * **emgr_check_ifixes**
   * **emgr_download_ifix**   * **emgr_download_ifix**
 +  * **emgr_sec_patch**
 +
 +FIXME currently (02-2025) you can't set a proxy to download ! Only direct connections to internet are supported
 +
 <cli prompt='#'>​ <cli prompt='#'>​
 # emgr_check_ifixes # emgr_check_ifixes
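Review bot: The FIXME added under the command list does not say which of the three listed commands the proxy limitation applies to, or what a host without a direct internet connection should do instead. Name the affected commands (on this page, emgr_check_ifixes -D and emgr_download_ifix -L are the ones shown fetching from the network) and, if installing from a locally copied tar with emgr_sec_patch is the intended route for such hosts, link to the "Efix TAR installation" section from here. Since the statement is dated (02-2025), a pointer to where it was observed would help whoever later removes the FIXME.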
Line 32: Line 36:
 </​cli>​ </​cli>​
  
-emgr_check_ifixes +**emgr_check_ifixes** 
-  * -D automatically download the required fixes to the host in /tmp/ifix_ ${PID}+  ​* **-D** automatically download the required fixes to the host in /​tmp/​ifix_${PID}
  
 Download a specific efix Download a specific efix
   # emgr_download_ifix -L https://​aix.software.ibm.com/​aix/​efixes/​security/​ntp_fix14.tar -P .   # emgr_download_ifix -L https://​aix.software.ibm.com/​aix/​efixes/​security/​ntp_fix14.tar -P .
 +
 +<cli prompt='#'>  ​
 +# emgr -lv3 | tail -18
 +
 +APAR information:​
 +=================
 +APAR number: ​     IJ49378
 +APAR abstract: ​   crl download fails after change in certificate server
 +APAR number: ​     IJ49379
 +APAR abstract: ​   emgr_download_ifix fails with ssl connection failed
 +APAR number: ​     IJ49220
 +APAR abstract: ​   default download path of emgr_check_ifixes is /tmp/ifix
 +
 +Description:​
 +============
 +IJ49378 - crl download fails after change in certificate server
 +IJ49379 - emgr_download_ifix fails with ssl connection failed
 +IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix
 +</​cli>​
 +
 +===== Efix detailed info =====
 +
 +View the content of an efix package
 +<cli prompt='>'>​
 +[root@aix001]/​export/​software/​efix/​openssh_fix15>​ emgr -d -v3 -e 38408m9a.230811.epkg.Z
 ++-----------------------------------------------------------------------------+
 +Efix Manager Initialization
 ++-----------------------------------------------------------------------------+
 +Initializing log /​var/​adm/​ras/​emgr.log ...
 +Efix package file is: /​export/​software/​efix/​openssh_fix15/​38408m9a.230811.epkg.Z
 +MD5 generating command is /​usr/​bin/​csum
 +MD5 checksum is d44fd5020b283c0e3fc121daacabaa03
 +Accessing efix metadata ...
 +Verifying efix control file ...
 +Unpacking efix package file ...
 +
 ++-----------------------------------------------------------------------------+
 +Efix Attributes
 ++-----------------------------------------------------------------------------+
 +LABEL: ​           38408m9a
 +PACKAGING DATE:   Fri Aug 11 06:51:30 CDT 2023
 +ABSTRACT: ​        Ifix for openssh vulnerabilities
 +PACKAGER VERSION: 7
 +VUID:             ​00F787C74C00081106082923
 +REBOOT REQUIRED: ​ no
 +BUILD BOOT IMAGE: no
 +LU CAPABLE: ​      yes
 +PRE-REQUISITES: ​  yes
 +SUPERSEDE: ​       no
 +PACKAGE LOCKS: ​   no
 +E2E PREREQS: ​     no
 +FIX TESTED: ​      no
 +EFIX FILES: ​      11
 +
 +Install Scripts:
 +   ​PRE_INSTALL: ​  no
 +   ​POST_INSTALL: ​ no
 +   ​PRE_REMOVE: ​   no
 +   ​POST_REMOVE: ​  no
 +
 +File Number: ​     1
 +   ​LOCATION: ​     /​usr/​bin/​ssh
 +   FILE TYPE:     ​Standard (file or executable)
 +   ​INSTALLER: ​    ​installp
 +   ​SIZE: ​         5480
 +   ​ACL: ​          ​DEFAULT
 +   ​CKSUM: ​        49408
 +   ​PACKAGE: ​      ​openssh.base.client
 +   MOUNT INST:    no
 +
 +...
 +
 ++-----------------------------------------------------------------------------+
 +Efix Description
 ++-----------------------------------------------------------------------------+
 +Ifix for CVE_2023_38408 and fix for sftp Allow/Deny Files Security Vulnerability
 +
 ++-----------------------------------------------------------------------------+
 +Displaying Configuration File "​PREREQ"​
 ++-----------------------------------------------------------------------------+
 +openssh.base.client 8.1.102.2106 8.1.102.2106
 +openssh.base.server 8.1.102.2106 8.1.102.2106
 +
 ++-----------------------------------------------------------------------------+
 +Displaying Configuration File "​APARREF"​
 ++-----------------------------------------------------------------------------+
 +NONE
 +
 ++-----------------------------------------------------------------------------+
 +Operation Summary
 ++-----------------------------------------------------------------------------+
 +Log file is /​var/​adm/​ras/​emgr.log
 +
 +EPKG NUMBER ​      ​LABEL ​              ​OPERATION ​             RESULT
 +=========== ​      ​============== ​     ================= ​     ==============
 +1                 ​38408m9a ​           DISPLAY ​               SUCCESS
 +
 +Return Status = SUCCESS
 +</​cli>​
 +
 +View the content of an installed efix
 +<cli prompt='>'>​
 +[root@aix001]/​root>​ emgr -P
 +
 +PACKAGE ​                                                 INSTALLER ​  LABEL
 +======================================================== =========== ==========
 +invscout.rte ​                                            ​installp ​   is22026s1a
 +oss.lib.libcurl ​                                         installp ​   853sa
 +openssh.base.client ​                                     installp ​   9211224a
 +openssh.base.server ​                                     installp ​   9211224a
 +openssl.base ​                                            ​installp ​   3013sa
 +
 +[root@aix001]/​root>​ emgr -l -v3 -L is22026s1a
 ++-----------------------------------------------------------------------------+
 +EFIX ID: 1
 +EFIX LABEL: is22026s1a
 ++-----------------------------------------------------------------------------+
 +LABEL: ​                 is22026s1a
 +STATE: ​                 STABLE
 +UPDATED BY:
 +ABSTRACT: ​              ​invscout fix for CVE-2024-27260
 +VUID:                   ​00F7CD554C00051412053724
 +PACKAGER VERSION: ​      7
 +INSTALL DATE:           ​08/​01/​24 13:47:05
 +EPKG VERSION: ​          7
 +REBOOT REQUIRED: ​       no
 +BUILD BOOT IMAGE: ​      no
 +LU CAPABLE: ​            yes
 +PACKAGE LOCKS: ​         no
 +SUPERSEDE: ​             no
 +INSTALLP PREREQUISITES:​ yes
 +E2E PREREQUISITES: ​     no
 +FIX TESTED: ​            no
 +FILES: ​                 1
 +
 +Install Scripts
 +===============
 +PRE_INSTALL: ​           no
 +POST_INSTALL: ​          no
 +PRE_REMOVE: ​            no
 +POST_REMOVE: ​           no
 +
 +FILE NUMBER: ​     1
 +   ​LOCATION: ​     /​usr/​sbin/​invscout
 +   FILE TYPE:     ​Standard (file or executable)
 +   ​INSTALLER: ​    ​installp
 +   ​SIZE: ​         1044
 +   ​CKSUM: ​        51101
 +   ​ACL: ​          ​DEFAULT
 +   ​PACKAGE: ​      ​invscout.rte
 +   MOUNT INST:    no
 +
 +Installp Prerequisite Information:​
 +==================================
 +PREREQUISITE NUM:      1
 +   ​FILESET: ​           invscout.rte
 +   ​MINIMAL LEVEL: ​     2.2.0.25
 +   ​MAXIMUM LEVEL: ​     2.2.0.26
 +   ​TYPE: ​              ​PREREQ
 +   LEVEL AT INSTALL: ​  ​2.2.0.26
 +
 +Efix to Efix Prerequisite Information:​
 +======================================
 +No efix to efix prerequisites data.
 +
 +APAR information:​
 +=================
 +No APAR numbers listed.
 +
 +Description:​
 +============
 +invscout fix - CVE-2024-27260
 +</​cli>​
 +
 +===== Efix DB location =====
 +
 +Efix inventory is stored in a text file: “/​usr/​emgrdata/​DBS/​efix.db” and “/​usr/​emgrdata/​DBS/​pkglck.db”
 +<cli prompt='#'>​
 +[root@aix01]/​root#​ cat /​usr/​emgrdata/​DBS/​efix.db
 +IJ36810s3a|:​|IJ36810 Potential security issue|:​|.|:​|.|:​|.|:​|.|:​|0|:​|1|:​|00F7CD554C00121710122121|:​|1|:​|05/​02/​22 12:​21:​09|:​|S|:​|0|:​|7|:​|.|:​|.|:​|.|:​|0|:​|1|:​|1|:​|.
 +1022103a|:​|Ifix for Openssl CVE-2022-0778|:​|.|:​|.|:​|.|:​|.|:​|0|:​|1|:​|00F787C74C00042206045322|:​|5|:​|06/​30/​22 08:​52:​53|:​|S|:​|0|:​|7|:​|.|:​|.|:​|.|:​|0|:​|1|:​|1|:​|.
 +
 +[root@aix01]/​root#​ cat /​usr/​emgrdata/​DBS/​pkglck.db
 +IJ36810s3a|:​|1|:​|/​usr/​bin/​lscore|:​|bos.rte.security|:​|1|:​|1|:​|050212051122|:​|7.2.5.101
 +1022103a|:​|1|:​|/​usr/​lib/​libcrypto.a|:​|openssl.base|:​|1|:​|5|:​|063008060322|:​|1.0.2.2103
 +1022103a|:​|2|:​|/​usr/​lib/​libssl.a|:​|openssl.base|:​|1|:​|5|:​|063008060422|:​|1.0.2.2103
 +1022103a|:​|3|:​|/​usr/​lib/​libcrypto.a.min|:​|openssl.base|:​|1|:​|5|:​|063008060422|:​|1.0.2.2103
 +1022103a|:​|4|:​|/​usr/​bin/​openssl|:​|openssl.base|:​|1|:​|5|:​|063008060422|:​|1.0.2.2103
 +1022103a|:​|5|:​|/​usr/​bin/​openssl64|:​|openssl.base|:​|1|:​|5|:​|063008060522|:​|1.0.2.2103
 +</​cli>​
 +
 +===== Efix TAR installation =====
 +
 +To install an efix based on TAR efix package, use the following command
 +<cli prompt='#'>​
 +# /​usr/​sbin/​emgr_sec_patch kernext_fix.tar
 +...
 +Efix State
 ++-----------------------------------------------------------------------------+
 +Setting efix state to: STABLE
 +
 ++-----------------------------------------------------------------------------+
 +Operation Summary
 ++-----------------------------------------------------------------------------+
 +Log file is /​var/​adm/​ras/​emgr.log
 +
 +EPKG NUMBER ​      ​LABEL ​              ​OPERATION ​             RESULT
 +=========== ​      ​============== ​     ================= ​     ==============
 +1                 ​IJ52610m2a ​         INSTALL ​               SUCCESS
 +
 +Return Status = SUCCESS
 +Done
 +em+-----------------------------------------------------------------------------+
 +Checking System Level Prerequisites
 ++-----------------------------------------------------------------------------+
 +calling emgr -p -e /​tmp/​emgr_12321112/​kernext_fix/​IJ52977s2a.241113.epkg.Z
 +gr -PSkipping ifix
 +See /​var/​adm/​ras/​emgr.log for more details
 +
 ++-----------------------------------------------------------------------------+
 +Checking System Level Prerequisites
 ++-----------------------------------------------------------------------------+
 +calling emgr -p -e /​tmp/​emgr_12321112/​kernext_fix/​IJ52977s3a.241113.epkg.Z
 +Skipping ifix
 +See /​var/​adm/​ras/​emgr.log for more details
 +</​cli>​
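Review bot: The sample output in the new "Efix TAR installation" block is corrupted near its end: the lines starting "em+-----" and "gr -PSkipping ifix" appear to be a typed "emgr -P" interleaved with the tool's output. Re-capture or clean that part so the banner starts with "+-----" and the message reads "Skipping ifix", and add a sentence on why IJ52977s2a and IJ52977s3a are skipped after IJ52610m2a installs, since the output only refers the reader to /var/adm/ras/emgr.log. Separately, the "emgr -lv3 | tail -18" block is added without a lead-in saying which ifix the three APARs belong to, and its IJ49220 abstract gives the default download path as /tmp/ifix while the -D bullet just above it says /tmp/ifix_${PID}; state which path applies in which case.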
aix/aix_internet_updates.1717753697.txt.gz · Last modified: 2024/06/07 11:48 by manu