Db2


Db2 11.5 "GA" versus "Special Build 39398 for 11.5.0.0": Stability? Security APARs?

  • 1.  Db2 11.5 "GA" versus "Special Build 39398 for 11.5.0.0": Stability? Security APARs?

    Posted Fri January 03, 2020 05:53 AM
    Edited by System Admin Fri January 20, 2023 04:49 PM
    For planning and testing purposes, I am desperately waiting for the first FixPack for Db2 v11.5.
    Sadly, so far, only the GA version (v11.5.0.0) is available (through Passport Advantage) for on-premise Db2 customers.

    By coincidence I found out that there is a "Special Build 39398 for DB2 11.5.0 Fix Pack 0" (released 2019/11/12). (For Linux/x86-64: https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=special_39398_DB2-linuxx64-universal_fixpack-11.5.0.0-FP000&continue=1 )

    Questions:
    1) When will the first ModPack and/or FixPack for v11.5 arrive (for on-premise customers)?
    From what I heard, that could be as late as March / April 2020...

    2) What's the difference between the Db2 11.5 GA (11.5.0.0) and this Special Build 39398?
    • Is it fully tested by IBM?
    If so, why wasn't it simply called FixPack 1, publicly available as usual in https://www.ibm.com/support/pages/download-db2-fix-packs-version-db2-linux-unix-and-windows ?
    • What APARs are fixed?
    It seems (only) these APARs, or are there more?
    • IT30143: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4584)
    • IT30432: SECURITY: DB2 IS VULNERABLE TO PRIVILEGE ESCALATION (CVE-2019-4587)
    • IT30157: SECURITY: DB2 EXPOSES SENSITIVE INFORMATION WHEN USING ADMIN_CMD WITH LOAD OR UPDATE ALERT CFG (CVE-2019-4524)
    Note: usually Special Builds are not downloadable by the public, and they also undergo limited IBM testing
    (compared to regular Fix Packs and Interim Fix Packs; see https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.trb.doc/doc/c0020824.html : Test fix = a.k.a. "special build")

    3) It is unclear if "Special Build 39398 for DB2 11.5.0 Fix Pack 0" also includes the security issues that were fixed in "Db2 Version 11.1 Mod 4 Fix Pack 5".
    The latest Db2 v11.1.4.5 (Release Date: 28.Nov.2019) includes these Security APARs:
    they only (?) seem applicable for Db2 11.1.x (internally known as "B10"); Db2 11.5 internally is known as "B50"
    • IT29115: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4322)
    • IT29350: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2019-4386)
    • IT28440: SECURITY: DB2 IS VULNERABLE TO A BUFFER OVERFLOW (CVE-2019-4154)
    • IT28267: SECURITY: DB2 DOES NOT EXPLICITLY FORBID A WEAKER THAN EXPECTED 3DES CIPHER WHEN CONFIGURED TO USE SSL (CVE-2019-4102)
    • IT28255: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2019-4101)
    • IT27203: SECURITY: PRIVILEGE ESCALATION DURING ROUTINE EXECUTION IN FENCED MODE (CVE-2019-4057)
    • IT27328: SECURITY: DB2 IS VULNERABLE TO BUFFER OVERFLOW LEADING TO PRIVILEGE ESCALATION (CVE-2019-4014)

    Because of Db2 licensing (PVU versus VPC license) and cost issues, IBM is more or less forcing us to upgrade from Db2 v11.1 to v11.5, and this within 3 months...
    Before that can even happen, of course, we need (pre)testing of all our applications and server setup.

    Sure hope IBM will deliver the first FixPack for v11.5 Db2 on-premise very soon!


    regards,
    Erwin Hattingh

    ------------------------------
    Erwin Hattingh
    Systems Engineer / Db2 DBA
    Triodos Bank
    ------------------------------
    #Db2