For planning and testing purposes, I am desperately waiting for the first FixPack for Db2 v 11.5
Sadly, so far, only the GA version (v.11.5.0.0) is available (through Passport Advantage) for on-premise Db2 customers.
By coincidence I found out there is a "Special Build 39398 for DB2 11.5.0 Fix Pack 0" (released 2019/11/12) for Linux/x86-64:
https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=special_39398_DB2-linuxx64-universal_fixpack-11.5.0.0-FP000&continue=1
Questions:
1) When will the first ModPack and/or FixPack for v11.5 arrive (for on-premise customers)?
From what I heard, that could be as late as March/April 2020...
2) What's the difference between the Db2 11.5 GA (11.5.0.0) and this Special Build 39398?
- Is it fully tested by IBM?
It seems to include (only) these APARs, or are there more?
- IT30143: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4584)
- IT30432: SECURITY: DB2 IS VULNERABLE TO PRIVILEGE ESCALATION (CVE-2019-4587)
- IT30157: SECURITY: DB2 EXPOSES SENSITIVE INFORMATION WHEN USING ADMIN_CMD WITH LOAD OR UPDATE ALERT CFG (CVE-2019-4524)
Notice: usually Special Builds are not downloadable by the public, and they also undergo limited IBM testing
(compared to regular Fix Packs and Interim Fix Packs, see
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.trb.doc/doc/c0020824.html : Test fix = a.k.a. "special build")
3) It is unclear whether "Special Build 39398 for DB2 11.5.0 Fix Pack 0" also includes the security issues that were fixed in "Db2 Version 11.1 Mod 4 Fix Pack 5".
The latest Db2 v11.1.4.5 (Release Date: 28.Nov.2019) includes these security APARs:
They only (?) seem applicable to Db2 11.1.x (internally known as "B10"); Db2 11.5 is internally known as "B50".
- IT29115: SECURITY: DB2 AFFECTED BY BUFFER OVERFLOW VULNERABILITIES (CVE-2019-4322)
- IT29350: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2019-4386)
- IT28440: SECURITY: DB2 IS VULNERABLE TO A BUFFER OVERFLOW (CVE-2019-4154)
- IT28267: SECURITY: DB2 DOES NOT EXPLICITLY FORBID A WEAKER THAN EXPECTED 3DES CIPHER WHEN CONFIGURED TO USE SSL (CVE-2019-4102)
- IT28255: SECURITY: DB2 IS VULNERABLE TO A DENIAL OF SERVICE (CVE-2019-4101)
- IT27203: SECURITY: PRIVILEGE ESCALATION DURING ROUTINE EXECUTION IN FENCED MODE (CVE-2019-4057)
- IT27328: SECURITY: DB2 IS VULNERABLE TO BUFFER OVERFLOW LEADING TO PRIVILEGE ESCALATION (CVE-2019-4014)
Because of Db2 licensing (PVU versus VPC licence) and cost issues, IBM is more or less forcing us to upgrade from Db2 v11.1 to v11.5, and this within 3 months...
Before that can even happen, of course, we need (pre)testing of all our applications and server setup.
Sure hope IBM will deliver the first FixPack for Db2 v11.5 on-premise very soon!

Regards,
Erwin Hattingh
------------------------------
Erwin Hattingh
Systems Engineer / Db2 DBA
Triodos Bank
------------------------------
#Db2