Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x)

Multiple sub-components of IBM i ship log4j v1.x files, which makes them subject to the issue described in the Vulnerability Details section. The affected components and their status:

IBM Navigator for i (heritage version) uses log4j v1.x and cannot be updated to log4j v2.x; the CVE can be mitigated by not using the heritage version of IBM Navigator for i.
Integrated Web Server (IWS) V2.6 contains unused references to log4j v1.x packages.
IBM i 7.2: Integrated Application Server (IAS) V7.1 and V8.1 and Integrated Web Server (IWS) V1.3 and V1.5 use log4j v1.x and cannot be updated to log4j v2.x; the CVE can be mitigated by not using these servers.
IBM i Access Client Solutions (ACS) version 1.1.8.6 and earlier included an unused log4j v1.x jar file.

IBM i has addressed the applicable CVE as described in the Remediation/Fixes section, or customers can address it as described in the Workarounds and Mitigations section for each impacted sub-component.
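A practical check that follows from the bulletin, added here as an example and not taken from IBM's advisory or tooling: a Python script that walks a directory tree whose path the caller supplies (for instance an ACS or web-server install directory) and reports every archive that bundles log4j 1.x classes. It keys on the package prefix org/apache/log4j/, which log4j 1.x uses and log4j 2.x does not (2.x classes live under org/apache/logging/log4j/), and it records the manifest's Implementation-Title and Implementation-Version because the log4j 2 compatibility bridge log4j-1.2-api also ships classes under the 1.x prefix, so a hit should be confirmed against the version before it is treated as a 1.2.x jar. The sample archives the script builds for its demo are constructed, not real IBM or Apache artifacts.

```python
"""Find archives that bundle log4j 1.x classes under a directory tree.

Added example, not IBM's code. log4j 1.x puts its classes under
org/apache/log4j/ inside the jar; log4j 2.x uses org/apache/logging/log4j/.
The manifest title/version is recorded because the log4j 2 bridge jar
(log4j-1.2-api) also ships classes under the 1.x prefix, so a reviewer
should confirm the version before treating a hit as a 1.2.x jar.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

LOG4J1_PREFIX = "org/apache/log4j/"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def manifest_field(jar: zipfile.ZipFile, field: str) -> Optional[str]:
    """Return one header value from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith(field + ":"):
            return line.split(":", 1)[1].strip()
    return None


def classify_jar(path: Path) -> Optional[Dict[str, Optional[str]]]:
    """Return a finding for an archive holding log4j 1.x classes, else None.

    Files that are not valid zip archives are skipped rather than aborting
    the scan; vendor trees routinely contain oddly named .jar files.
    """
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
            if not any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class") for n in names):
                return None
            return {
                "path": str(path),
                "title": manifest_field(jar, "Implementation-Title"),
                "version": manifest_field(jar, "Implementation-Version"),
            }
    except zipfile.BadZipFile:
        return None


def scan_tree(root: Path) -> List[Dict[str, Optional[str]]]:
    """Walk root recursively and collect findings for every matching archive."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            finding = classify_jar(p)
            if finding is not None:
                findings.append(finding)
    return findings


def build_sample_tree(root: Path) -> None:
    """Write constructed sample archives (not real IBM or Apache artifacts)."""
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic is enough for the scan
    manifest = (b"Manifest-Version: 1.0\r\n"
                b"Implementation-Title: log4j\r\n"
                b"Implementation-Version: 1.2.17\r\n")
    with zipfile.ZipFile(lib / "log4j-1.2.17.jar", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("org/apache/log4j/Logger.class", stub_class)
    with zipfile.ZipFile(lib / "log4j-core-2.17.1.jar", "w") as z:  # 2.x prefix: no hit
        z.writestr("org/apache/logging/log4j/core/Logger.class", stub_class)
    (lib / "readme.jar").write_bytes(b"not a zip archive")  # skipped, not a crash


def demo() -> List[Dict[str, Optional[str]]]:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['title']} {f['version']}")
```

Run it against a real tree with scan_tree(Path("/path/to/install")); the demo only shows the three cases the scan must handle (a 1.x hit, a 2.x jar that must not match, and a corrupt file that must not abort the run). Nested archives (a jar inside a war) are not unpacked here; add that if the trees you audit contain them.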

IBM i Open Source Updates July 2021

Back with another overdue update, this time for July. Big news this month, which had been hinted at for a while. Did you figure it out ahead of time?

New Packages

Python 3.9

In addition to the existing Python 2.7 and 3.6, you can now use Python 3.9 on IBM i. We’ve spent a significant amount of time running through the Python test suite and fixing issues found so this should be the most stable version of Python on the platform yet! If you’re wondering what’s new with 3.9, there’s the official docs as well as some great summaries like this one.

In addition to the Python 3.9 interpreter and runtime, we’ve ported the following Python 3.6 packages over:

dateutil
paramiko
pytz
six
Pillow
bcrypt
cffi
cryptography
ibm_db
itoolkit
psycopg2
pycparser
pynacl
pip
setuptools
wheel
pyodbc

Some of these packages have been updated to the most recent version. In addition, cython has been packaged for Python 3.9 because other packages depend on it, while packages like idna2 and asn1crypto were not brought over since they are no longer needed.

At this point, the only Python 3.6 packages we still have not brought to Python 3.9 are the ML-related packages:

numpy
pandas
scikit-learn
scipy

With Python 3.6 reaching end of life in December 2021, it’s recommended to start porting code to 3.9 as soon as possible.

By default, installing Python 3.9 points /QOpenSys/pkgs/bin/python3 at python3.9. For more info on handling Python on IBM i refer to our docs.

Package Updates

ncurses

The ncurses package was updated to ship pkg-config files in ncurses-devel. This helps when building packages that rely on pkg-config to determine the ncurses link flags and cflags instead of using ncurses’ bespoke ncurses6-config script.

python-rpm-macros

The %py_install_wheel macro was updated to adjust the INSTALLER file created by pip to show that the package was installed by rpm.
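To make the effect of that change concrete, here is an added Python example (not IBM's python-rpm-macros) that reads the INSTALLER file of every .dist-info directory under a site-packages path and groups distributions by the tool that installed them; it also includes the relabelling step the macro performs after pip has written the metadata. INSTALLER is the informational record defined by the dist-info specification: pip writes "pip", and the RPM build rewrites it to "rpm", so an auditor can separate OS-managed distributions from ad-hoc pip installs. The sample site-packages directory, and the package names and versions in it, are constructed for the demo.

```python
"""Report which installed Python distributions are managed by rpm vs pip.

Added example, not IBM's python-rpm-macros. pip records the installing tool
in <name>-<version>.dist-info/INSTALLER; an RPM build that calls pip and
then rewrites that file to "rpm" leaves an auditable marker separating
OS-managed distributions from ones someone pip-installed by hand.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def dist_name_version(dist_info: Path) -> Tuple[str, str]:
    """Parse Name and Version from METADATA; fall back to the directory name."""
    name = version = None
    metadata = dist_info / "METADATA"
    if metadata.is_file():
        for line in metadata.read_text(encoding="utf-8", errors="replace").splitlines():
            if line.startswith("Name:") and name is None:
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Version:") and version is None:
                version = line.split(":", 1)[1].strip()
            if name and version:
                break
    if name is None or version is None:
        stem = dist_info.name[: -len(".dist-info")]
        parts = stem.rsplit("-", 1)
        name = name or parts[0]
        version = version or (parts[1] if len(parts) == 2 else "?")
    return name, version


def installer_of(dist_info: Path) -> str:
    """Return the recorded installer, or 'unknown' if INSTALLER is missing or empty."""
    f = dist_info / "INSTALLER"
    if not f.is_file():
        return "unknown"
    value = f.read_text(encoding="utf-8", errors="replace").strip().lower()
    return value or "unknown"


def inventory(site_packages: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Group (name, version) of every *.dist-info under site_packages by installer."""
    groups: Dict[str, List[Tuple[str, str]]] = {}
    for d in sorted(site_packages.glob("*.dist-info")):
        if d.is_dir():
            groups.setdefault(installer_of(d), []).append(dist_name_version(d))
    return groups


def mark_installed_by(dist_info: Path, tool: str = "rpm") -> None:
    """Rewrite INSTALLER the way the %py_install_wheel macro does after pip runs."""
    (dist_info / "INSTALLER").write_text(tool + "\n", encoding="utf-8")


def build_sample_site(site: Path) -> None:
    """Constructed sample site-packages: pip writes all three, rpm relabels two."""
    sample = [("six", "1.16.0"), ("paramiko", "2.7.2"), ("requests", "2.25.1")]
    for name, version in sample:
        d = site / f"{name}-{version}.dist-info"
        d.mkdir(parents=True)
        (d / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n", encoding="utf-8"
        )
        (d / "INSTALLER").write_text("pip\n", encoding="utf-8")  # what pip itself writes
    # the RPM build step then relabels the two packages it produced
    mark_installed_by(site / "six-1.16.0.dist-info")
    mark_installed_by(site / "paramiko-2.7.2.dist-info")


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build the constructed sample site-packages in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        build_sample_site(site)
        return inventory(site)


if __name__ == "__main__":
    for tool, dists in demo().items():
        print(tool, ", ".join(f"{n}=={v}" for n, v in dists))
```

Point inventory() at a real directory such as the site-packages of the interpreter under /QOpenSys/pkgs to list what the RPMs own versus what was pip-installed later; anything in the "pip" group is outside the package manager's tracking and needs its own update process.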

Other Updates

libsodium was updated to 1.0.18

Closing

Another month down, 5 more to go. Come back next Monday for August updates!

Tuesday Jan 11 @ 6:30PM is the next meeting of @CTXiUG. We are fortunate to have Liam Allen, IBM Champion & designer of many cool open source tools, presenting. Meeting is online & FREE. Register at -> ctxiug.blogspot.com
#IBMi #AS400 #CTXiUG #Texas #CentralTexas #IBMiLUG

– Central Texas IBM i User Group (@CTXiUG) 06:15 – Jan 08, 2022