Originally posted by: SandeepUmesh
Short answer: yes. For OpenSSH and OpenSSL we will provide two filesets every year, one in the month of May and another in the month of October. These will be available on the web download site.
As you might be aware, a lot of vulnerabilities get reported in these packages throughout the year. It will be a time-consuming activity if we are to ship a fileset for every set of vulnerabilities we receive. Hence, to ensure that AIX customers are not vulnerable for a longer period of time, we provide an immediate ifix within a short period of time, and later, when we create the fileset, we ensure that all the ifixes released during that duration of time are part of the fileset.
We would also like to clarify one more point: ifixes are cumulative. So, if we have released ifix1 for a particular CVE and another CVE is reported, then we ensure that ifix1 is also a part of the next ifix. So, customers need not maintain multiple ifixes. Applying only the latest ifix ensures that customers are patched for all CVEs.
Please let us know if you have any further concerns. Thanks