AIX Open Source

  • 1.  perl_advisory7 query

    Posted Thu July 25, 2024 08:58 AM

    Hello,

    Hope someone can help.

    When running the IBM FLRTVC tool on our AIX LPAR it reports that fileset "perl.rte" has a security vulnerability which is described here: https://aix.software.ibm.com/aix/efixes/security/perl_advisory7.asc

    We have downloaded the iFixes contained within perl_fix7.tar.

    Within this tar file is contained "Advisory.asc" which states:

    AFFECTED PRODUCTS AND VERSIONS:
            AIX 7.2, 7.3
            VIOS 3.1
            The following fileset levels are vulnerable:
            key_fileset = aix
            Fileset                 Lower Level  Upper Level KEY
            ---------------------------------------------------------
            perl.rte                5.28.0.0     5.28.1.7    key_w_fs


    However, when we try and install 31484m6a.231020.epkg.Z it gives this error:

    +-----------------------------------------------------------------------------+
    Installp Prerequisite Verification
    +-----------------------------------------------------------------------------+
    Verifying prerequisite file ...
    Checking prerequisites ...
    Prerequisite Number: 1
       Fileset: perl.rte
       Minimal Level: 5.28.1.0
       Maximum Level: 5.28.1.6
       Actual Level: 5.28.1.7
       Type: PREREQ
       Requisite Met: no
    emgr: 0645-050 Prerequisite number 1 did not pass all checks. Please see
    details above.
    emgr: 0645-035 Efix package did not pass all preview checks.


    Does anyone know how we can fix the security vulnerability in perl.rte?

    Thanks in advance



    ------------------------------
    Stephen Eccles
    ------------------------------


  • 2.  RE: perl_advisory7 query

    Posted Mon July 29, 2024 03:06 AM

    Hi Stephen,

    As per the advisory, the fix when running on 5.28.1.7 is to upgrade the perl.rte fileset to 5.28.1.8 to resolve the vulnerability. 

    That ifix you tried to apply is for systems running 5.28.1.6 and earlier - that have a dependency on older OpenSSL and do not want to upgrade to OpenSSL 3.0. 

    You can download the new perl.rte from MRS here:  

    https://www.ibm.com/resources/mrs/assets?source=aixbp

    Cheers,

    Alan



    ------------------------------
    Alan
    ------------------------------



  • 3.  RE: perl_advisory7 query

    Posted Mon July 29, 2024 03:34 AM

    Hi Alan

    Thanks for the reply.

    It wasn't originally clear to me in the advisory that the fix was to update 5.28.1.7 to 5.28.1.8 but I see this now and have updated the fileset.

    Thanks again

    Stephen



    ------------------------------
    Stephen Eccles
    ------------------------------
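
The level logic behind this thread, as an added example that is not part of the original posts or of IBM's tooling: a fileset level can sit inside the advisory's vulnerable range while sitting outside an iFix's prerequisite range, which is the 5.28.1.7 case above. The ranges are the ones quoted in the thread; the function names and result labels are hypothetical.

```shell
# Added example, not the posters' code. Ranges are the ones quoted in the thread.
VULN_LO=5.28.0.0  VULN_HI=5.28.1.7    # advisory "Lower Level" / "Upper Level"
IFIX_LO=5.28.1.0  IFIX_HI=5.28.1.6    # emgr "Minimal Level" / "Maximum Level"
FIXED=5.28.1.8                        # fixed fileset level named in the reply

# is_vrmf LEVEL: succeed only for four dot-separated numeric fields.
is_vrmf() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, stray dots
        *.*.*.*.*) return 1 ;;                 # too many fields
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# vrmf_cmp A B: print -1, 0 or 1; fields compare as integers, so 1.10 > 1.9.
vrmf_cmp() {
    cmp_a=$1 cmp_b=$2
    for cmp_i in 1 2 3 4; do
        cmp_x=${cmp_a%%.*} cmp_y=${cmp_b%%.*}
        if [ "$cmp_x" -lt "$cmp_y" ]; then echo -1; return 0; fi
        if [ "$cmp_x" -gt "$cmp_y" ]; then echo 1; return 0; fi
        cmp_a=${cmp_a#*.} cmp_b=${cmp_b#*.}
    done
    echo 0
}

# in_range LEVEL LO HI: succeed when LO <= LEVEL <= HI.
in_range() {
    [ "$(vrmf_cmp "$1" "$2")" -ge 0 ] && [ "$(vrmf_cmp "$1" "$3")" -le 0 ]
}

# perl_rte_action LEVEL: print what the thread's numbers imply for that level.
perl_rte_action() {
    if ! is_vrmf "$1"; then echo "invalid-level"; return 1; fi
    if ! in_range "$1" "$VULN_LO" "$VULN_HI"; then
        echo "outside-advisory-range"
    elif in_range "$1" "$IFIX_LO" "$IFIX_HI"; then
        echo "ifix-prereq-met"           # emgr preview would pass this check
    elif [ "$(vrmf_cmp "$1" "$IFIX_HI")" -gt 0 ]; then
        echo "update-fileset-to-$FIXED"  # the 5.28.1.7 case from the thread
    else
        echo "vulnerable-check-advisory" # below this iFix's minimum level
    fi
}

# On AIX the installed level could be supplied with:
#   perl_rte_action "$(lslpp -Lqc perl.rte | cut -d: -f3)"
perl_rte_action "${1:-5.28.1.7}"   # default is the level from the emgr output
```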