PowerVM

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

Hi Robert;

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

> That is correct; If lslpp does not return anything ; U don't have the package installed, and are not affected. Some vulnerabilities however might be related to rpm packages too ; so U might want to do some doublecheck with rpm -qa |grep -I something.something cmd . Python3.9 afaik is installed with installp cmd nowadays, so it should be visible on lslpp listing if you have it installed.

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

> Python3.9 is not included in base AIX / VIOS packages, but needs to be downloaded from IBM Web Download Page and installed separately. Many people use e.g Ansible on VIOS etc nowadays, and Python is pre-req for having that working, therefore folks install python to VIOS too. 

There was a community discussion on which all "extra" SW is supported to be installed on VIOS, eventhough it is closed appliance like U mentioned. 

PowerVM

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

Hi Robert;

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

> That is correct; If lslpp does not return anything ; U don't have the package installed, and are not affected. Some vulnerabilities however might be related to rpm packages too ; so U might want to do some doublecheck with rpm -qa |grep -I something.something cmd . Python3.9 afaik is installed with installp cmd nowadays, so it should be visible on lslpp listing if you have it installed.

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

> Python3.9 is not included in base AIX / VIOS packages, but needs to be downloaded from IBM Web Download Page and installed separately. Many people use e.g Ansible on VIOS etc nowadays, and Python is pre-req for having that working, therefore folks install python to VIOS too. 

There was a community discussion on which all "extra" SW is supported to be installed on VIOS, eventhough it is closed appliance like U mentioned. 

PowerVM

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

In contexq of Q2.

Simplify:
VIOS 4.1.0 is based on AIX 7.3 and contains python in default instalation.

VIOS 3.1.3.x and 3.1.4.x are based on AIX 7.2 and not contain python in default instalation.
(I ommit prevous releases of VIOS, case at this moment (June 2024) they are reached of date of Fix Support (EoFS)).

Referenes:
https://www.ibm.com/support/pages/virtual-io-server-vios-maintenance-strategy
https://www.ibm.com/support/pages/powervm-vios-lifecycle-information

Quoted Security Buletin contains information about Affected Products:

 
Regards,

Michal

Hi Robert;

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

> That is correct; If lslpp does not return anything ; U don't have the package installed, and are not affected. Some vulnerabilities however might be related to rpm packages too ; so U might want to do some doublecheck with rpm -qa |grep -I something.something cmd . Python3.9 afaik is installed with installp cmd nowadays, so it should be visible on lslpp listing if you have it installed.

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

> Python3.9 is not included in base AIX / VIOS packages, but needs to be downloaded from IBM Web Download Page and installed separately. Many people use e.g Ansible on VIOS etc nowadays, and Python is pre-req for having that working, therefore folks install python to VIOS too. 

There was a community discussion on which all "extra" SW is supported to be installed on VIOS, eventhough it is closed appliance like U mentioned. 

PowerVM

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

Hi,

VIOS 4.1.0 is based on AIX 7.3 and contains python in default instalation.

>> Hmmm.. I have VIOS image built from Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso..and don't have python there..?

Br,

tommi

In contexq of Q2.

Simplify:
VIOS 4.1.0 is based on AIX 7.3 and contains python in default instalation.

VIOS 3.1.3.x and 3.1.4.x are based on AIX 7.2 and not contain python in default instalation.
(I ommit prevous releases of VIOS, case at this moment (June 2024) they are reached of date of Fix Support (EoFS)).

Referenes:
https://www.ibm.com/support/pages/virtual-io-server-vios-maintenance-strategy
https://www.ibm.com/support/pages/powervm-vios-lifecycle-information

Quoted Security Buletin contains information about Affected Products:

 
Regards,

Michal

Hi Robert;

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

> That is correct; If lslpp does not return anything ; U don't have the package installed, and are not affected. Some vulnerabilities however might be related to rpm packages too ; so U might want to do some doublecheck with rpm -qa |grep -I something.something cmd . Python3.9 afaik is installed with installp cmd nowadays, so it should be visible on lslpp listing if you have it installed.

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

> Python3.9 is not included in base AIX / VIOS packages, but needs to be downloaded from IBM Web Download Page and installed separately. Many people use e.g Ansible on VIOS etc nowadays, and Python is pre-req for having that working, therefore folks install python to VIOS too. 

There was a community discussion on which all "extra" SW is supported to be installed on VIOS, eventhough it is closed appliance like U mentioned. 

PowerVM

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

Hi Tommi,

I don't know if during install VIOS from flash.iso you can choose to install or not python. I think that in defaul,t python is installed.
Based on other thread in this community, I know (but also I didn't test it) that python can be removed from AIX 7.3 without problems.

Unfortunaltely I have no posiblility now to check installation, but installation iso contains python.

#csum -h MD5 /home/padmin/Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso0a913fef967529d7decf650ff0969de6  /home/padmin/Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso#loopmount -i /home/padmin/Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso -o "-V udfs -o ro" -m /mnt# mount | grep mnt         /dev/loop0       /mnt             udfs   Jun 20 12:20 ro#lsmksysb -f /mnt/usr/sys/inst.images/mksysb_image | grep python3New volume on /mnt/usr/sys/inst.images/mksysb_image:Cluster size is 51200 bytes (100 blocks).The volume number is 1.The backup date is: Sat Oct 28 00:46:00 IST 2023Files are backed up by name.The user is .          30 ./usr/bin/python3          37 ./usr/bin/python3-config          30 ./usr/bin/python3.9          37 ./usr/bin/python3.9-config           0 ./usr/lpp/python3.9.base<..>       85249 ./lpp/python3.9.base/deinstl/python3.9.base.secThe number of archived files is 69566. 

Regards,

Michal

Hi,

VIOS 4.1.0 is based on AIX 7.3 and contains python in default instalation.

>> Hmmm.. I have VIOS image built from Virtual_IO_Server_Base_Install_4.1.0.10_Flash_112023_LCD8292400.iso..and don't have python there..?

Br,

tommi

In contexq of Q2.

Simplify:
VIOS 4.1.0 is based on AIX 7.3 and contains python in default instalation.

VIOS 3.1.3.x and 3.1.4.x are based on AIX 7.2 and not contain python in default instalation.
(I ommit prevous releases of VIOS, case at this moment (June 2024) they are reached of date of Fix Support (EoFS)).

Referenes:
https://www.ibm.com/support/pages/virtual-io-server-vios-maintenance-strategy
https://www.ibm.com/support/pages/powervm-vios-lifecycle-information

Quoted Security Buletin contains information about Affected Products:

 
Regards,

Michal

Hi Robert;

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

> That is correct; If lslpp does not return anything ; U don't have the package installed, and are not affected. Some vulnerabilities however might be related to rpm packages too ; so U might want to do some doublecheck with rpm -qa |grep -I something.something cmd . Python3.9 afaik is installed with installp cmd nowadays, so it should be visible on lslpp listing if you have it installed.

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

> Python3.9 is not included in base AIX / VIOS packages, but needs to be downloaded from IBM Web Download Page and installed separately. Many people use e.g Ansible on VIOS etc nowadays, and Python is pre-req for having that working, therefore folks install python to VIOS too. 

There was a community discussion on which all "extra" SW is supported to be installed on VIOS, eventhough it is closed appliance like U mentioned. 

PowerVM

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

When I look at a VIOS CVE it often has a section like:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i something.something

So if I do that example, and the particular something.something simply returns null like this example:

$ oem_setup_env
# lslpp -L | grep -i python3.9.base
#
# oslevel -s
7200-05-07-2346
#

Q1:  Then this means that I do not have that particular something.something and there's no need for me to apply that fix?

Q2:  Since VIOS is kind of like a closed appliance, why would some systems have that file and other's not?

This is not the first fix that didn't find a hit on my system.  So, since this fix clearly states that my VIOS has to be at 4.1 for me to risk having this issue is the reason on this issue doesn't make the Q1 irrelevant 

Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757) (ibm.com)

------------------------------
Robert Berendt IBMChampion
------------------------------