Differences

This shows you the differences between two versions of the page.

--- aix:aix_internet_updates [2024/06/07 11:48]
manu
+++ aix:aix_internet_updates [2025/09/22 17:00] (current)
manu [FLRTVC.ksh (generate security reports)]
@@ Line 6: / Line 6: @@
   * **emgr_check_ifixes**
   * **emgr_download_ifix**
+  * **emgr_sec_patch**
+FIXME currently (02-2025) you can't set a proxy to download ! Only direct connections to internet are supported
 <cli prompt='#'>
 # emgr_check_ifixes
@@ Line 32: / Line 36: @@
 </cli>
-emgr_check_ifixes
+**emgr_check_ifixes**
-  * -D automatically download the required fixes to the host in /tmp/ifix_ ${PID}
+  * **-D** automatically download the required fixes to the host in /tmp/ifix_${PID}
 Download a specific efix
   # emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .
+<cli prompt='#'>
+# emgr -lv3 | tail -18
+APAR information:
+=================
+APAR number:      IJ49378
+APAR abstract:    crl download fails after change in certificate server
+APAR number:      IJ49379
+APAR abstract:    emgr_download_ifix fails with ssl connection failed
+APAR number:      IJ49220
+APAR abstract:    default download path of emgr_check_ifixes is /tmp/ifix
+Description:
+============
+IJ49378 - crl download fails after change in certificate server
+IJ49379 - emgr_download_ifix fails with ssl connection failed
+IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix
+</cli>
+===== Efix detailed info =====
+View the content of an efix package
+<cli prompt='>'>
+[root@aix001]/export/software/efix/openssh_fix15> emgr -d -v3 -e 38408m9a.230811.epkg.Z
++-----------------------------------------------------------------------------+
+Efix Manager Initialization
++-----------------------------------------------------------------------------+
+Initializing log /var/adm/ras/emgr.log ...
+Efix package file is: /export/software/efix/openssh_fix15/38408m9a.230811.epkg.Z
+MD5 generating command is /usr/bin/csum
+MD5 checksum is d44fd5020b283c0e3fc121daacabaa03
+Accessing efix metadata ...
+Verifying efix control file ...
+Unpacking efix package file ...
++-----------------------------------------------------------------------------+
+Efix Attributes
++-----------------------------------------------------------------------------+
+LABEL:            38408m9a
+PACKAGING DATE:   Fri Aug 11 06:51:30 CDT 2023
+ABSTRACT:         Ifix for openssh vulnerabilities
+PACKAGER VERSION: 7
+VUID:             00F787C74C00081106082923
+REBOOT REQUIRED:  no
+BUILD BOOT IMAGE: no
+LU CAPABLE:       yes
+PRE-REQUISITES:   yes
+SUPERSEDE:        no
+PACKAGE LOCKS:    no
+E2E PREREQS:      no
+FIX TESTED:       no
+EFIX FILES:       11
+Install Scripts:
+   PRE_INSTALL:   no
+   POST_INSTALL:  no
+   PRE_REMOVE:    no
+   POST_REMOVE:   no
+File Number:      1
+   LOCATION:      /usr/bin/ssh
+   FILE TYPE:     Standard (file or executable)
+   INSTALLER:     installp
+   SIZE:          5480
+   ACL:           DEFAULT
+   CKSUM:         49408
+   PACKAGE:       openssh.base.client
+   MOUNT INST:    no
+...
++-----------------------------------------------------------------------------+
+Efix Description
++-----------------------------------------------------------------------------+
+Ifix for CVE_2023_38408 and fix for sftp Allow/Deny Files Security Vulnerability
++-----------------------------------------------------------------------------+
+Displaying Configuration File "PREREQ"
++-----------------------------------------------------------------------------+
+openssh.base.client 8.1.102.2106 8.1.102.2106
+openssh.base.server 8.1.102.2106 8.1.102.2106
++-----------------------------------------------------------------------------+
+Displaying Configuration File "APARREF"
++-----------------------------------------------------------------------------+
+NONE
++-----------------------------------------------------------------------------+
+Operation Summary
++-----------------------------------------------------------------------------+
+Log file is /var/adm/ras/emgr.log
+EPKG NUMBER       LABEL               OPERATION              RESULT
+===========       ==============      =================      ==============
+                 38408m9a            DISPLAY                SUCCESS
+Return Status = SUCCESS
+</cli>
+View the content of an installed efix
+<cli prompt='>'>
+[root@aix001]/root> emgr -P
+PACKAGE                                                  INSTALLER   LABEL
+======================================================== =========== ==========
+invscout.rte                                             installp    is22026s1a
+oss.lib.libcurl                                          installp    853sa
+openssh.base.client                                      installp    9211224a
+openssh.base.server                                      installp    9211224a
+openssl.base                                             installp    3013sa
+[root@aix001]/root> emgr -l -v3 -L is22026s1a
++-----------------------------------------------------------------------------+
+EFIX ID: 1
+EFIX LABEL: is22026s1a
++-----------------------------------------------------------------------------+
+LABEL:                  is22026s1a
+STATE:                  STABLE
+UPDATED BY:
+ABSTRACT:               invscout fix for CVE-2024-27260
+VUID:                   00F7CD554C00051412053724
+PACKAGER VERSION:       7
+INSTALL DATE:           08/01/24 13:47:05
+EPKG VERSION:           7
+REBOOT REQUIRED:        no
+BUILD BOOT IMAGE:       no
+LU CAPABLE:             yes
+PACKAGE LOCKS:          no
+SUPERSEDE:              no
+INSTALLP PREREQUISITES: yes
+E2E PREREQUISITES:      no
+FIX TESTED:             no
+FILES:                  1
+Install Scripts
+===============
+PRE_INSTALL:            no
+POST_INSTALL:           no
+PRE_REMOVE:             no
+POST_REMOVE:            no
+FILE NUMBER:      1
+   LOCATION:      /usr/sbin/invscout
+   FILE TYPE:     Standard (file or executable)
+   INSTALLER:     installp
+   SIZE:          1044
+   CKSUM:         51101
+   ACL:           DEFAULT
+   PACKAGE:       invscout.rte
+   MOUNT INST:    no
+Installp Prerequisite Information:
+==================================
+PREREQUISITE NUM:      1
+   FILESET:            invscout.rte
+   MINIMAL LEVEL:      2.2.0.25
+   MAXIMUM LEVEL:      2.2.0.26
+   TYPE:               PREREQ
+   LEVEL AT INSTALL:   2.2.0.26
+Efix to Efix Prerequisite Information:
+======================================
+No efix to efix prerequisites data.
+APAR information:
+=================
+No APAR numbers listed.
+Description:
+============
+invscout fix - CVE-2024-27260
+</cli>
+===== FLRTVC.ksh (generate security reports) =====
+The [[https://esupport.ibm.com/customercare/sas/f/flrt3/FLRTVC-0.8.12.zip|FLRTVC]] script can generate multiple kind of output
+Flags for this script:
+<code>
+-d = Change delimiter for compact reporting
+-f = File selection for *.csv file
+-q = Quiet mode, hide compact reporting header
+-s = Skip download, use default apar.csv file
+-v = Verbose, full report (for piping to email)
+-g = Grep for filesets with phrase, useful for verbose mode
+-t = Type of APAR [hiper | sec]
+-l = Enter a custom LSLPP output file, must match lslpp -Lqc
+-e = Enter a custom EMGR output file, must match emgr -lv3
+-x = Skip EFix processing
+-a = Show all fixed and non-fixed HIPER/Security vulnerabilities
+-p = Convert FTP protocol to HTTP for bulletin and efix download links
+-r = Enter PROXY URL to be used by wget or curl, the same can be provided through HTTP_PROXY environment variable. This option value takes precedence over environment variable. Ex: http://user:password@hostIPorName:port or http://hostIPorName:port
+</code>
+Example, create 2 files whith the output of the following commands, and compare to the latest [[https://esupport.ibm.com/customercare/flrt/doc?page=aparCSV|apar file]]
+  emgr -lv3 > /tmp/emgr.txt
+  lslpp -Lcq > /tmp/lslpp.txt
+  flrtvc.ksh -a -l /tmp/lslpp.txt -e /tmp/emgr.txt -f /path_to_aparcsv/shared_data/APAR.csv
+The **-a** flag, give an output for what is fixed, and what is note, output can be imported in excel.
+===== Efix DB location =====
+Efix inventory is stored in a text file: “/usr/emgrdata/DBS/efix.db” and “/usr/emgrdata/DBS/pkglck.db”
+<cli prompt='#'>
+[root@aix01]/root# cat /usr/emgrdata/DBS/efix.db
+IJ36810s3a|:|IJ36810 Potential security issue|:|.|:|.|:|.|:|.|:|0|:|1|:|00F7CD554C00121710122121|:|1|:|05/02/22 12:21:09|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
+1022103a|:|Ifix for Openssl CVE-2022-0778|:|.|:|.|:|.|:|.|:|0|:|1|:|00F787C74C00042206045322|:|5|:|06/30/22 08:52:53|:|S|:|0|:|7|:|.|:|.|:|.|:|0|:|1|:|1|:|.
+[root@aix01]/root# cat /usr/emgrdata/DBS/pkglck.db
+IJ36810s3a|:|1|:|/usr/bin/lscore|:|bos.rte.security|:|1|:|1|:|050212051122|:|7.2.5.101
+1022103a|:|1|:|/usr/lib/libcrypto.a|:|openssl.base|:|1|:|5|:|063008060322|:|1.0.2.2103
+1022103a|:|2|:|/usr/lib/libssl.a|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
+1022103a|:|3|:|/usr/lib/libcrypto.a.min|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
+1022103a|:|4|:|/usr/bin/openssl|:|openssl.base|:|1|:|5|:|063008060422|:|1.0.2.2103
+1022103a|:|5|:|/usr/bin/openssl64|:|openssl.base|:|1|:|5|:|063008060522|:|1.0.2.2103
+</cli>
+===== Efix TAR installation =====
+To install an efix based on TAR efix package, use the following command
+<cli prompt='#'>
+# /usr/sbin/emgr_sec_patch kernext_fix.tar
+...
+Efix State
++-----------------------------------------------------------------------------+
+Setting efix state to: STABLE
++-----------------------------------------------------------------------------+
+Operation Summary
++-----------------------------------------------------------------------------+
+Log file is /var/adm/ras/emgr.log
+EPKG NUMBER       LABEL               OPERATION              RESULT
+===========       ==============      =================      ==============
+                 IJ52610m2a          INSTALL                SUCCESS
+Return Status = SUCCESS
+Done
+em+-----------------------------------------------------------------------------+
+Checking System Level Prerequisites
++-----------------------------------------------------------------------------+
+calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s2a.241113.epkg.Z
+gr -PSkipping ifix
+See /var/adm/ras/emgr.log for more details
++-----------------------------------------------------------------------------+
+Checking System Level Prerequisites
++-----------------------------------------------------------------------------+
+calling emgr -p -e /tmp/emgr_12321112/kernext_fix/IJ52977s3a.241113.epkg.Z
+Skipping ifix
+See /var/adm/ras/emgr.log for more details
+</cli>

wiki

User Tools

Site Tools

Differences

Page Tools