×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
Let me ask this then, if a vulnerability is discovered in IBM i, AND a fix
is generated for it, then you will see an APAR and a PTF with something
like ptf SI46993, available at:
http://www-912.ibm.com/a_dir/as4ptf.nsf/86acab6961d02f8386257707005030d2/d61f9a1c51e3854486257a14005d921d?OpenDocument
referencing apar SE52070, which is NOT available at:
http://www-912.ibm.com/n_dir/nas4apar.nsf/nas4aparhome
So since we can only see PTF's which fix their vulnerabilities, and we
cannot see the APAR that it fixed, and we can't even see APARs which are
not yet fixed (IBM internal only), how would we be able to find such a
list of known vulnerabilities with obsolete versions of IBM i?
I can understand IBM not publishing some of this (others will disagree and
hate "security by obscurity"). For example, if there was a back door to
ftp where you could sign on as joshua (like the movie) would you really
expect IBM to publish that?
Or a general one on the web which says applies to open systems, but IBM
discovers they have this same vulnerability in PASE but it's after the
date that maintenance died on that version of IBM i? Who would maintain a
list that says that "V4R5 of IBM has this vulnerability where..."? I
wouldn't rely upon IBM to maintain such a list. And IDK how hard it would
be to use someone else's list. Then again, I try to keep my OS current.
Rob Berendt
midrange.com
