ESB-2012.0340 - [Win][Linux][Solaris][AIX] IBM Tivoli Directory Server: Denial of service - Remote/unauthenticated

Date: 04 April 2012
References: ASB-2011.0016  ESB-2011.0192  ESB-2011.0194  ESB-2011.0253  ESB-2011.0259  ESB-2011.0282  ASB-2011.0031  ASB-2011.0070  ESB-2011.0902  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0340
             Tivoli Directory Server 6.2 & 6.3 Interim Fixes
                               4 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Directory Server
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4476  

Reference:         ASB-2011.0070
                   ASB-2011.0031
                   ASB-2011.0016
                   ESB-2011.0902
                   ESB-2011.0282
                   ESB-2011.0259
                   ESB-2011.0253
                   ESB-2011.0194
                   ESB-2011.0192

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg24032290
   http://www-01.ibm.com/support/docview.wss?uid=swg24032291

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Tivoli Directory Server, Version 6.3.0.11-ISS-ITDS-IF0011
Downloadable files

Abstract
Tivoli Directory Server 6.3 interim fix 6.3.0.11. Includes all APARs listed
below.

Download Description

Naming conventions:
As of 6.3.0.11, package names have been changed from "-TIV-ITDS-" to
"-ISS-ITDS-" to reflect that Tivoli Directory Server (TDS) is now part of the
IBM Security Systems (ISS) division.

Prior to version 6.3.0.8, TDS fixes used separate fix pack and interim fix
numbers. All the fixes before the first fix pack were named "6.3.0.0-..."
meaning "6.3.0 fix pack 0".

Starting with version 6.3.0.8, the fix name and version number are the same.*
Version 6.3.0.8 is named "6.3.0.8-...". The "FP", "IF" or "TF" in the name
indicates the level of testing applied to the build.
FP:	Fix packs are formally verified and regression tested by an independent
test team. The most recent OS patches, as well as WebSphere, GSKit and DB2
updates are certified during fix pack testing and the tested environments are
documented in the fix pack README.
IF:	Interim fixes are verified by support and development and recommended
for all users. Most fixes are delivered as IFs.
Fix packs and interim fixes are available to all entitled users and can be
downloaded directly from fix central.
LA:	Limited availability interim fixes are used to deliver APARs before a
more formal interim fix or fix pack is released. They are intended for a
limited audience and supported until a more formal fix is published.
TF:	Test fixes are special purpose builds used to diagnose a specific
problem or validate a specific fix. They are not generally available or
supported beyond their intended use.
Limited availability and test fixes are never published to fix central and can
only be obtained directly from IBM support.

* There are separate versions for TDS (6.3.0.x) and the webadmin tool (6.x).
Installing the TDS fix does not automatically deploy the updated webadmin tool
to the WebSphere application server (WAS). This requires additional steps which
are documented in the installation instructions at the end of the README.

New Features in 6.3.0.10 or later:
SSL enabled versions of TDS 6.3.0.10 or later require GSKit 8.0.14.11 or later
to be installed first. Please refer to APAR IO15653 and technote #1578564:
"Using SHA-2 or salted SHA-2 encryption scheme with Tivoli Directory Server
Version 6.3 fix pack 10 (6.3.0.10)"

Existing messages were changed and new messages were added in 6.3.0.10. English
messages are included, but language packs must be updated separately. Please
refer to APAR IO15656 and download #4031943: "Tivoli Directory Server Language
Pack, Version 6.3.0.10-TIV-ITDS-LANGPK"

APAR IO15626 adds a new feature to enable pass through authentication via proxy
or compare operations as documented in technote #1578293: "Supporting
pass-through authentication with Proxy server in Tivoli Directory Server
Version 6.3 fix pack 10 (6.3.0.10)"

APAR IO15655 adds the capability to run DB2 9.7 fix pack 4 without root
privileges. For detailed instructions, see technote #1578295: "Supporting
Tivoli Directory Server version 6.3 fix pack 10 (6.3.0.10) with non-root DB2
Version 9.7 fix pack 4 product"

APAR IO15659 adds the capability to replicate certain password policy related
operational attributes from read-only consumers. This feature is disabled by
default. For details, see technote #1578288: "Supporting replication of
security attributes between master and replica server in Tivoli Directory
Server Version 6.3 fix pack 10 (6.3.0.10)"

Problem Tracking Information:

The APAR number and abstract for all changes included in this fix are listed
below. Further detail on individual APARs can be found by searching for the
APAR number on the Tivoli Directory Server Support Web page.

APARs from 6.3.0.11-ISS-ITDS-IF0011 (webadmin 6.0006)
- -------------------------------------------------------

APAR IO15758 (CMVC 112632)
ibmdiradm.log falsely reports that the online backup failed

APAR IO15761 (CMVC 112684)
NULL-MD5 and NULL-SHA ciphers are enabled in default TLS
configuration

APAR IO15910 (CMVC 112713)
ibmdirctl start results in rc=-1 operations error on RHEL 6

APAR IO15951 (CMVC 112706)
[MDVREGR IO15653] "ids_detectGskitVersion file does not exist."

APAR IO15963 (CMVC 112698)
idsdbrestore may fail to restore online backup db

APAR IO15985 (CMVC 112697)
Configurable LOG LEVEL for idslogmgmt tool.

APAR IO15988 (CMVC 112559)
Client library leaks memory, if any error in referral chase.

APAR IO15991 (CMVC 112591)
core on libpthreads.a while using secldap

APAR IO15993 (CMVC 112668)
ldapsearch client gives memory fault on 64 bit Linux systems
when used with -L option on an image file.

APAR IO15996 (CMVC 112579)
Incorrect results for wildcard search of DN ending w/ ','

APAR IO15998 (CMVC 112558)
ldapsearch/modify/add/delete of specific entry fails with rc=85
(if left running long enough)

APAR IO16002 (CMVC 112656)
PAGED SEARCH REQUESTS MIGHT CAUSE LDAP CRASH.

APAR IO16012 (CMVC 112437 112678 112681 112691)
consistent time stamps in log files

APAR IO16015 (CMVC 112521)
Repeated Enable/Disable of password policy in webadmin fails
with error GLPWSA040E

APAR IO16016 (CMVC 112529)
XSS vulnerability with the Web Admin Tool.

APAR IO16022 (CMVC 112688)
ibmslapd may core when shutting down

APAR IO16023 (CMVC 112592)
IBMSLAPD/IBMDIRADM fail to start after disabling FIPS mode

APAR IO16024 (CMVC 112699)
Web admin tool support for TLSv1 SSLContext algorithm.

APAR IO16026 (CMVC 112703)
PTA bind receives server busy error from MSAD.

APAR IO16040 (CMVC 112722)
configured cipher list is not honored for TLSv1

APAR IO16043 (CMVC 112683)
minor updates to idsNonRootDB2Install informational messages

APAR IO16044 (CMVC 112665)
6.3.0.10 ibmdiradm logs GLPSRV220I and GSLPSRV221I on startup

APAR IO16049 (CMVC 112686)
ids_nonroot_DataImport does not copy custom schema files

APAR IO16056 (CMVC 112700)
Failure message logged though user bind was successful with PTA

APAR IO16057 (CMVC 112693 112695 112710)
Routine build maintenance

APARs from 6.3.0.10-TIV-ITDS-FP0010 (webadmin 6.0005)
- -------------------------------------------------------

APAR IO14318 (CMVC 112435 112436)
WebAdmin does not show images on panel in some scenarios.

APAR IO15552 (CMVC 112581 112608)
[MDVREGR IO15420] "ibmdiradm -k" fails on Solaris, "ibmslapd -k"
fails on AIX if 'srv_max_crypto' is not installed.

APAR IO15556 (CMVC 112030 112071 112111 112170
112438 112497 112534 112527 112528)
Routine build maintenance

APAR IO15626 (CMVC 112009.01 112009.02 112009.03 112009.04
112009.05 112048 112065 112094 112095
112109 112173 112538.01)
Pass Through Authentication (PTA) with Proxy or compare op

APAR IO15634 (CMVC 112040)
Webadmin does not validate SSL key database configuration

APAR IO15636 (CMVC 112310)
idsldapsearch does not return any results with TLS.

APAR IO15638 (CMVC 112500)
SSL search fails using GSKit 8.0.14.x when under load

APAR IO15639 (CMVC 112509)
TLS and SSL connections hang/fail with GSKit 8.0.14.x releases

APAR IO15653 (CMVC 112181 112212.01 112212.02 112228
112516 112516.01 112542 112543 112543.01)
FIPS certified SHA-2 support and EAL4 recertification

APAR IO15655 (CMVC 112044.01 112044.02 112054 112069
112075 112083 112084 112085 112086
112088 112089 112090 112096 112160
112161 112240 112418 112571 112573
112584 112585 112587)
Install TDS with non-root DB2 database

APAR IO15656 (CMVC 112399 112401 112403 112406 112410
112412 112414 112419 112420 112421
112422 112423 112426 112432 112440
112451)
Localization of messages

APAR IO15657 (CMVC 112262)
idsdbmaint not working properly with DB2 9.7 fix pack 04

APAR IO15658 (CMVC 112538)
Proxy Server hangs on bind ops when PTA server down

APAR IO15659 (CMVC 112178.01 112178.02 112178.03 112294
112295 112299 112308 112347 112352
112353 112353.01 112353.2 112355
112358 112363 112394 112397 112485
112486)
Replication of security attributes from read-only consumers

APAR IO15660 (CMVC 112540 112541)
Serviceability - memory leak analysis and prevention

APAR IO15661 (CMVC 111955 111956 111957 111958
111963 111964 111965 112101
112114 112169)
Secure Engineering Framework (SEF) compliance

APAR IO15663 (CMVC 112570)
[MDVREGR IO14031] Errors extracting java-*-TDS.tar on AIX, HP or
Solaris

APARs from 6.3.0.9-TIV-ITDS-IF0009 (webadmin 6.0003)
- -------------------------------------------------------

APAR IO15185 (CMVC 112480)
Default timeout for pass-through authentication (PTA) too short

APAR IO15265 (CMVC 112524)
idsbulkload fails on RHEL 6 with GLPBLK108E error

APAR IO15416 (CMVC 112482 112492 112494)
idsxinst may crash on a system with more than 10 network
interfaces

APAR IO15419 (CMVC 112472)
Script 'tbindmsg' calls itself when it fails and gets into
infinite loop

APAR IO15420 (CMVC 112520 112561)
TDS instance fails to start with error GLPCTL088E

APAR IO15423 (CMVC 112489)
TDS schema with multi-line attribute descriptions are corrupted
by migration

APAR IO15425 (CMVC 112502)
idsinstall force update fails on client-only install

APAR IO15431 (CMVC 112491)
Crash in ldap_simple_bind() with dn=NULL and trace enabled

APAR IO15437 (CMVC 112568)
Routine build maintenance

APARs from 6.3.0.8-TIV-ITDS-IF0008 (webadmin 6.0003)
- -------------------------------------------------------

APAR IO14908 (CMVC 112378)
ldapsearch fails to load GSKit 8.0.14.12, rc=118

APAR IO15081 (CMVC 108339)
GLPRDB004E after idsdbrestore if DB home different from TDS home

APAR IO15082 (CMVC 112433 112458 112459 112460)
IBMSLAPD CRASH

APAR IO15083 (CMVC 112449)
ldapsearch behaves erratically if attribute cache is enabled.

APAR IO15084 (CMVC 111820)
LDAP clients fail to chase referral on bind operation

APAR IO15085 (CMVC 112064 112455 112464)
The Changelog cleanup code cannot remove incomplete entries in
the changelog db.

APAR IO15086 (CMVC 112063)
RootDSE search may incorrectly calculate the firstchangenumber

APAR IO15087 (CMVC 112015)
Resuming replication does not retry last change if it failed

APAR IO15088 (CMVC 112396)
AIX install of idsldap.cltjava63.rte fileset will not report
insufficient disk space errors.

APAR IO15089 (CMVC 112417)
blank line needed after last entry in timdelref.conf file.

APAR IO15090 (CMVC 112361 112395)
idsldapchangepwd can fail to replicate if SSHA encryption is
used on the supplier

APAR IO15091 (CMVC 112324)
- -x option of idsdb2ldif command is not described correctly

APAR IO15092 (CMVC 112251)
adding duplicate ibm-memberGroup value in modify causes deadlock
in DN cache

APAR IO15093 (CMVC 112334)
ldap client hangs when chasing referrals.

APAR IO15094 (CMVC 112427)
ibmslapd crashes in initialization of paged search connection

APAR IO15095 (CMVC 112377)
duplicate pre-op numbers in audit log

APAR IO15096 (CMVC 112371)
ldap client hangs when chasing referrals.

APAR IO15097 (CMVC 112430)
Include paged search info in audit log

APAR IO15098 (CMVC 112448)
Audit timestamp is always "+00.00" offset from UTC

APAR IO15099 (CMVC 111942 112446 112447)
Routine build maintenance

APARs from 6.3.0.0-TIV-ITDS-IF0007 (6.3.0.7 / 6.0003)
- -------------------------------------------------------

APAR IO14380 (CMVC 112200)
[MDVREGR IO14213] "No search results were found." from webadmin
and "Unknown error" from sorted search (-o)

APAR IO14643 (CMVC 112252)
superfluous informational messages in ibmslapd.log

APAR IO14652 (CMVC 112008)
Server memory leak during search operations

APAR IO14653 (CMVC 112168)
ldap_ssl_client_init failed! rc == -1 "Unknown SSL error"

APAR IO14655 (CMVC 112216)
replication operations intermittently do not replicate to all
consumers

APAR IO14656 (CMVC 112229)
Memory leak if establishing an SSL connection fails

APAR IO14657 (CMVC 112186 112220 112227)
SSL error GLPSSL019E on Windows after installing TDS 6.3.0.5-6

APAR IO14658 (CMVC 112230)
Incorrect error upon adding entry with attribute using langtags

APAR IO14659 (CMVC 112239)
Memory leak if Non-SSL client receives SSL referral

APAR IO14660 (CMVC 112242)
Memory leak if SSL client receives non-SSL referral

APAR IO14661 (CMVC 112256)
TDS client does not reject empty string as invalid search filter

APAR IO14662 (CMVC 112246)
Routine build maintenance

APARs from 6.3.0.0-TIV-ITDS-IF0006 (6.3.0.6 / 6.0003)
- -------------------------------------------------------

APAR IO13875 (CMVC 111888)
TDS 6.3 idswmigr shows unwanted message

APAR IO14341 (CMVC 112112)
Allow PTA connection errors at server startup

APAR IO14343 (CMVC 112113 112138)
*str* filter does not match if 'str' is beyond first or last 240
bytes of attribute value

APAR IO14352 (CMVC 112073)
ibm-allGroups/ibm-allMembers search on proxy requires global
admin group privileges

APAR IO14353 (CMVC 112143)
idsldap.clt_max_crypto32bit63 requires 64-bit GSKit to install

APAR IO14355 (CMVC 112127 112130 112137)
Routine build maintenance

APARs from 6.3.0.0-TIV-ITDS-IF0005 (6.3.0.5 / 6.0002)
- -------------------------------------------------------

APAR IO14033 (CMVC 111952)
Migration fails to copy custom schema files

APAR IO14323 (CMVC 111885)
Complex search filter containing encrypted attribute fails to
return results.

APAR IO14328 (CMVC 111917 112024)
Expanding non-leaf node in WAT gives error GLPWDM041E - A leaf
node can't be expanded

APAR IO14330 (CMVC 111983)
webadmin fails to apply password policy on group entry

APAR IO14332 (CMVC 112007)
IDSWebApp: Unauthenticated Log File Access

APAR IO14335 (CMVC 112017)
Fail to migrate standard objectclass if new attribute is added

APAR IO14337 (CMVC 111941)
unable to assign password policy without expire time to a group
of users.

APAR IO14339 (CMVC 112025)
IDSWebApp password field with auto-complete enabled - need
explicitly disable the auto-complete feature.

APAR IO14345 (CMVC 111868)
modifytimestamp changes on replica when an ldapcompare is run

APAR IO14348 (CMVC 111798)
start -> all programs -> itds 6.2 -> WAT (secure) displays error
on page

APAR IO14350 (CMVC 111972)
SSL handshake timed out before the actual Time-out value.

APAR IO14351 (CMVC 111979)
db2Ldif is not exporting data (fails) with no error messages

APAR IO14354 (CMVC 111996 112028 112038)
Routine build maintenance

APARs from 6.3.0.0-TIV-ITDS-IF0004 (6.3.0.4 / 6.0001)
- -------------------------------------------------------

APAR IO14018 (CMVC 111978)
Java JRE update for CVE-2010-4476

APAR IO14099 (CMVC 111998 112016)
[MDVREGR IO13574] Server leaks memory if audit log enabled

APAR IO14211 (CMVC 111765)
ibmslapd process cores when conflict resolution enabled

APAR IO14212 (CMVC 111988)
modifiersname may not get updated on entry modification

APAR IO14213 (CMVC 112033 112043)
Performance enhancement for VLV search of 'objectclass=*'

APAR IO14214 (CMVC 112034 112036 112037)
idsrunstats does not honor IBMSLAPD_USE_SELECTIVITY=YES

APAR IO14216 (CMVC 112029)
Routine build maintenance

APARs from 6.3.0.0-TIV-ITDS-IF0003 (6.3.0.3 / 6.0001)
- -------------------------------------------------------

APAR IO13788 (CMVC 111722)
LDAP server leaks memory when database codepage is not UTF8

APAR IO14008 (CMVC 111859)
Bind may randomly fail w/ rc=82 (LDAP_LOCAL_ERROR) if Password
Policy is enabled.

APAR IO14009 (CMVC 111837 111889 111905)
TDS Remote Code Execution Vulnerability

APAR IO14028 (CMVC 111915 111948)
Mask sensitive data in audit log and server trace

APAR IO14031 (CMVC 111898 111904 111909 111922 111925 111950 111980)
Routine build maintenance

APARs from 6.3.0.0-TIV-ITDS-IF0002 (6.3.0.2 / 6.0001)
- -------------------------------------------------------

APAR IO13404 (CMVC 111661 111740)
GSKIT_CLIENT_VERSION env variable does not work on Windows.

APAR IO13574 (CMVC 111691)
Proxy server crashes if backend server is down.

APAR IO13575 (CMVC 111732)
Custom passwd. policy plugin fails with schema violation error.

APAR IO13737 (CMVC 111804)
ldap_set_option returns error 89 for LDAP_OPT_CONNECT_TIMEOUT.

APAR IO13814 (CMVC 108545)
idsinstall script doesn't update msg package.

APAR IO13815 (CMVC 111460)
After upgrade two java client versions are visible.

APAR IO13816 (CMVC 111499)
Enhance GLPSRV165E Pass-through authentication timeout message.

APAR IO13817 (CMVC 111553)
LDAP server memory leak in replication-supplier.

APAR IO13818 (CMVC 111813)
Infinite loop encountered as a result of a bad search filter.

APAR IO13819 (CMVC 111760)
Object class violation error, if first attribute is encrypted.

APAR IO13820 (CMVC 111395 111806)
Routine build maintenance.


APARs from 6.3.0.0-TIV-ITDS-IF0001 (6.3.0.1 / 6.0001)
- -------------------------------------------------------

APAR IO13310 (CMVC 110083)
IDSWebApp displays incorrect icon and tooltip for topology.

APAR IO13366 (CMVC 111323)
Migration fails in case of missing perftune stats log file.

APAR IO13367 (CMVC 111359)
Webadmin sends attribute name in lower case on modify operation.

APAR IO13375 (CMVC 106054)
Attribute is unusable after increasing attribute length.

APAR IO13399 (CMVC 111669)
TDS client libraries version info on Windows.

APAR IO13424 (CMVC 105239)
Bad BER request could potentially crash Tivoli Directory Server.

APAR IO13426 (CMVC 110424)
Small memory leak when IBMSLAPD_PREOP_AUDIT=YES and audit is ON.

APAR IO13430 (CMVC 111038 111534)
Allow for customized kerberos principal name.

APAR IO13432 (CMVC 111188)
Update bundled JDK on AIX and Linux PPC for POWER7 compatibility.

APAR IO13434 (CMVC 111316)
ACCESSIBILITY:Not able to read the dialog box on idsxinst.

APAR IO13438 (CMVC 111343)
Fix memory leaks in audit w/preop ON.

APAR IO13441 (CMVC 111349)
Auth. against CRL server fails with valid password.

APAR IO13442 (CMVC 111382)
Edit attribute panel fails to launch.

APAR IO13444 (CMVC 111426 111427 111428 111678)
Routine build maintenance.

APAR IO13445 (CMVC 111457)
idsbulkload -S fails w/ GLPCOM013E Attribute pwdGroupPolicyDN
not found in schema.

APAR IO13446 (CMVC 111470)
idslogmgmnt.cmd uses non-existent commands.

APAR IO13448 (CMVC 111486)
replication hangs in "active" state for one or more consumers in
a replication context.

APAR IO13449 (CMVC 111509)
User template changes are not being saved.

APAR IO13450 (CMVC 111522)
In rare cases, performance auditing attribute timeonworkQ may be
incorrectly calculated.

APAR IO13451 (CMVC 111262)
Proxy server core due to paged results search.

APAR IO13454 (CMVC 111333)
ldapcompare skipping password compare if pwdReset=true.

APAR IO13455 (CMVC 111537)
Memory leak in ldap_result client API.

APAR IO13459 (CMVC 111413 111425)
inconsistent search results with filter uid=<val> and uid=<val>*.

APAR IO13466 (CMVC 111513)
Unable to delete multiple entries selected on multiple pages.

APAR IO13471 (CMVC 111549)
idsxcfg:optimize db fails if local & global ldapdb.prop differs.

Created/Revised by    Date of Creation/Update    Summary of Changes
brookh                2012/03/30                 created

Prerequisites
Tivoli Directory Server 6.3

Installation Instructions
Please refer to the full README for installation instructions.
Download director is required when downloading Common Criteria certified
products.

Download package
6.3.0.11-ISS-ITDS-IF0011

Problems (APARS) fixed
IO13310, IO13366, IO13367, IO13375, IO13399, IO13404, IO13424, IO13426,
IO13430, IO13432, IO13434, IO13438, IO13441, IO13442, IO13444, IO13445,
IO13446, IO13448, IO13449, IO13450, IO13451, IO13454, IO13455, IO13459,
IO13466, IO13471, IO13574, IO13575, IO13737, IO13788, IO13814, IO13815,
IO13816, IO13817, IO13818, IO13819, IO13820, IO13875, IO14008, IO14009,
IO14018, IO14028, IO14031, IO14033, IO14099, IO14211, IO14212, IO14213,
IO14214, IO14216, IO14318, IO14323, IO14328, IO14330, IO14332, IO14335,
IO14337, IO14339, IO14341, IO14343, IO14345, IO14348, IO14350, IO14351,
IO14352, IO14353, IO14354, IO14355, IO14380, IO14643, IO14652, IO14653,
IO14655, IO14656, IO14657, IO14658, IO14659, IO14660, IO14661, IO14662,
IO14908, IO15081, IO15082, IO15083, IO15084, IO15085, IO15086, IO15087,
IO15088, IO15089, IO15090, IO15091, IO15092, IO15093, IO15094, IO15095,
IO15096, IO15097, IO15098, IO15099, IO15185, IO15265, IO15416, IO15419,
IO15420, IO15423, IO15425, IO15431, IO15437, IO15552, IO15556, IO15626,
IO15634, IO15636, IO15638, IO15639, IO15653, IO15655, IO15656, IO15657,
IO15658, IO15659, IO15660, IO15661, IO15663, IO15758, IO15761, IO15910,
IO15951, IO15963, IO15985, IO15988, IO15991, IO15993, IO15996, IO15998,
IO16002, IO16012, IO16015, IO16016, IO16022, IO16023, IO16024, IO16026,
IO16040, IO16043, IO16044, IO16049, IO16056, IO16057


- ------------------------------------------------------------------------------

Tivoli Directory Server, Version 6.2.0.22-ISS-ITDS-IF0022
Downloadable files

Abstract
Tivoli Directory Server 6.2 interim fix 6.2.0.22. Includes all APARs listed
below.

Download Description

Naming conventions:
As of 6.2.0.22, package names have been changed from "-TIV-ITDS-" to
"-ISS-ITDS-" to reflect that Tivoli Directory Server (TDS) is now part of the
IBM Security Systems (ISS) division.

Prior to version 6.2.0.19, TDS fixes used separate fix pack and interim fix
numbers. Fix packs were numbered sequentially, and interim fixes were restarted
from '1' after every fix pack. But the actual version (V.R.M.F) number was 
strictly sequential, and unrelated to either the fix pack or interim fix
numbers.

For example: 6.2.0-TIV-ITDS-FP0002 was "the 2nd fix pack" even though it was
version 6.2.0.8, and 6.2.0.2-TIV-ITDS-IF0005 was "the 5th interim fix after the
2nd fix pack" even though it was version 6.2.0.13.

Starting with version 6.2.0.19, TDS fixes have only 1 version number.* Fix
packs and interim fixes do not have a separate numbering sequence, and the
"FP", "IF" or "TF" in the name is merely a label indicating the level of
testing applied to the build. 6.2.0.19-TIV-ITDS-FP0019 can now be understood
as "version 6.2.0.19 is a fix pack", not "the 19th fix pack".
FP:	Fix packs are formally verified and regression tested by an independent
test team. The most recent OS patches, as well as WebSphere, GSKit and DB2
updates are certified during fix pack testing and the tested environments are
documented in the fix pack README.
IF:	Interim fixes are verified by support and development and recommended
for all users. Most fixes are delivered as IFs.
Fix packs and interim fixes are available to all entitled users and can be
downloaded directly from fix central.
LA:	Limited availability interim fixes are used to deliver APARs before a
more formal interim fix or fix pack is released. They are intended for a
limited audience and supported until a more formal fix is published.
TF:	Test fixes are special purpose builds used to diagnose a specific
problem or validate a specific fix. They are not generally available or
supported beyond their intended use.
Limited availability and test fixes are never published to fix central and can
only be obtained directly from IBM support.

* There are separate versions for TDS (6.2.0.x) and the webadmin tool (5.x).
Installing the TDS fix does not automatically deploy the updated webadmin tool
to the WebSphere application server (WAS). This requires additional steps which 
are documented in the installation instructions at the end of the README.
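
Under the naming conventions described for both the 6.3 and 6.2 streams, the leading number of a package name is the real version only from 6.3.0.8 and 6.2.0.19 onwards, so a patch-level check that compares name prefixes gives wrong answers for older names. The following Python is an added example, not part of the IBM or AusCERT text: it parses a package name and checks it against the first version containing a fix (6.3.0.4 for APAR IO14018, the JRE update for CVE-2010-4476). The function names and the legacy lookup table are assumptions built only from names and versions quoted in this bulletin.

```python
import re

# Added example; thresholds come from the bulletin text: the name prefix is
# the real V.R.M.F from 6.3.0.8 (6.3 stream) and 6.2.0.19 (6.2 stream) onwards.
UNIFIED_FROM = {(6, 3, 0): 8, (6, 2, 0): 19}

# Legacy names cannot be decoded from the name alone, so they are looked up.
# Entries below are the name/version pairs quoted in this bulletin.
LEGACY_VERSIONS = {
    "6.3.0.0-TIV-ITDS-IF0003": (6, 3, 0, 3),
    "6.3.0.0-TIV-ITDS-IF0004": (6, 3, 0, 4),
    "6.3.0.0-TIV-ITDS-IF0007": (6, 3, 0, 7),
    "6.2.0-TIV-ITDS-FP0002": (6, 2, 0, 8),
    "6.2.0.2-TIV-ITDS-IF0005": (6, 2, 0, 13),
    "6.2.0.3-TIV-ITDS-IF0005": (6, 2, 0, 19),
}

# <prefix>-<TIV|ISS>-ITDS-<FP|IF|LA|TF><four digits>
NAME_RE = re.compile(
    r"^(?P<prefix>\d+(?:\.\d+){2,3})-(?P<division>TIV|ISS)-ITDS-"
    r"(?P<kind>FP|IF|LA|TF)(?P<seq>\d{4})$"
)


def parse_fix_name(name):
    """Split a fix package name; 'version' is None for legacy-scheme names."""
    name = name.strip()
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not a TDS fix package name: %r" % name)
    prefix = tuple(int(p) for p in m["prefix"].split("."))
    threshold = UNIFIED_FROM.get(prefix[:3])
    unified = (
        len(prefix) == 4 and threshold is not None and prefix[3] >= threshold
    )
    return {
        "name": name,
        "stream": prefix[:3],
        "division": m["division"],
        "kind": m["kind"],          # level of testing: FP, IF, LA or TF
        "seq": int(m["seq"]),
        "version": prefix if unified else None,
    }


def resolve_version(name):
    """Return the real V.R.M.F tuple, refusing to guess for unknown legacy names."""
    info = parse_fix_name(name)
    if info["version"] is not None:
        return info["version"]
    try:
        return LEGACY_VERSIONS[info["name"]]
    except KeyError:
        raise LookupError("legacy name, version not derivable: %s" % name) from None


def includes_fix(name, first_fixed):
    """True if the package is at or above the first version carrying the fix."""
    version = resolve_version(name)
    if version[:3] != tuple(first_fixed[:3]):
        raise ValueError("package and fix are in different release streams")
    return version >= tuple(first_fixed)


if __name__ == "__main__":
    first_fixed = (6, 3, 0, 4)  # APAR IO14018 first appears in 6.3.0.4
    for pkg in ("6.3.0.0-TIV-ITDS-IF0003",
                "6.3.0.0-TIV-ITDS-IF0007",
                "6.3.0.11-ISS-ITDS-IF0011"):
        print(pkg, includes_fix(pkg, first_fixed))
```
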

Problem Tracking Information:

The APAR number and abstract for all changes included in this fix are listed
below. Further detail on individual APARs can be found by searching for the
APAR number on the Tivoli Directory Server Support Web page.

APARs from 6.2.0.22-ISS-ITDS-IF0022 (webadmin 5.0015)
- ---------------------------------------------------------

APAR IO14306 (CMVC 112521)
Repeated Enable/Disable of password policy in webadmin fails
with error GLPWSA040E

APAR IO14508 (CMVC 112529)
XSS vulnerability with the Web Admin Tool.

APAR IO14957 (CMVC 112437 112678 112681 112691)
consistent time stamps in log files

APAR IO15449 (CMVC 112688)
ibmslapd may core when shutting down

APAR IO15529 (CMVC 112592)
IBMSLAPD/IBMDIRADM fail to start after disabling FIPS mode

APAR IO15530 (CMVC 112581 112608)
[MDVREGR IO15259] "ibmdiradm -k" fails on Solaris, "ibmslapd -k"
fails on AIX if 'srv_max_crypto' is not installed.

APAR IO15650 (CMVC 112632)
ibmdiradm.log falsely reports that the online backup failed

APAR IO15734 (CMVC 112699)
Web admin tool support for TLSv1 SSLContext algorithm.

APAR IO15934 (CMVC 112703)
PTA bind receives server busy error from MSAD.

APAR IO15948 (CMVC 112310 112500)
idsldapsearch gives error with TLS using GSKit 8.0.14.x

APAR IO15984 (CMVC 112697)
Configurable LOG LEVEL for idslogmgmt tool.

APAR IO15987 (CMVC 112559)
Client library leaks memory, if any error in referral chase.

APAR IO15990 (CMVC 112591)
core on libpthreads.a while using secldap

APAR IO15992 (CMVC 112668)
ldapsearch client gives memory fault on 64 bit Linux systems
when used with -L option on an image file.

APAR IO15994 (CMVC 112579)
Incorrect results for wildcard search of DN ending w/ ','

APAR IO15997 (CMVC 112558)
ldapsearch/modify/add/delete of specific entry fails with rc=85
(if left running long enough)

APAR IO16000 (CMVC 112698 112718)
SQL4970N error in db2cli.log from failed idsdbrestore

APAR IO16001 (CMVC 112656)
Paged search requests might cause ldap crash.

APAR IO16006 (CMVC 112538)
Proxy Server hangs on bind ops when PTA server down

APAR IO16009 (CMVC 112713)
ibmdirctl start results in rc=-1 operations error on RHEL 6

APAR IO16036 (CMVC 112684)
NULL-MD5 and NULL-SHA ciphers are enabled in default TLS
configuration

APAR IO16039 (CMVC 112722)
configured cipher list is not honored for TLSv1

APAR IO16042 (CMVC 112692 112694 112709)
Routine build maintenance

APARs from 6.2.0.21-TIV-ITDS-IF0021 (webadmin 5.0014)
- ---------------------------------------------------------

APAR IO15046 (CMVC 112472)
Script 'tbindmsg' calls itself when it fails and gets into
infinite loop

APAR IO15126 (CMVC 112482 112492 112494)
idsxinst may crash on a system with more than 10 network
interfaces

APAR IO15128 (CMVC 112531)
External proxy catches user DN passed in POST URL.

APAR IO15259 (CMVC 112520 112561)
TDS instance fails to start with error GLPCTL088E

APAR IO15411 (CMVC 112491)
Crash in ldap_simple_bind() with dn=NULL and trace enabled

APAR IO15421 (CMVC 112378)
ldapsearch fails to load GSKit 8.0.14.12, rc=118

APAR IO15422 (CMVC 112489)
TDS schema with multi-line attribute descriptions are corrupted
by migration

APAR IO15424 (CMVC 112502)
idsinstall force update fails on client-only install

APAR IO15427 (CMVC 112480)
Default timeout for passthrough authentication (PTA) too short

APAR IO15429 (CMVC 112524)
idsbulkload fails on RHEL 6 with GLPBLK108E error

APAR IO15432 (CMVC 112562 112563 112567)
Routine build maintenance

APARs from 6.2.0.20-TIV-ITDS-IF0020 (webadmin 5.0013)
- ---------------------------------------------------------

APAR IO13728 (CMVC 112433)
IBMSLAPD CRASH

APAR IO13805 (CMVC 111820)
LDAP clients fail to chase referral on bind operation

APAR IO14820 (CMVC 112361 112395 112457)
idsldapchangepwd can fail to replicate if SSHA encryption is
used on the supplier

APAR IO14901 (CMVC 112427)
ibmslapd crashes in initialization of paged search connection

APAR IO14934 (CMVC 112377)
duplicate pre-op numbers in audit log

APAR IO15004 (CMVC 112371)
ldap client hangs when chasing referrals.

APAR IO15048 (CMVC 112334)
ldap client hangs when chasing referrals.

APAR IO15066 (CMVC 112449)
ldapsearch behaves erratically if attribute cache is enabled.

APAR IO15067 (CMVC 112063)
RootDSE search may incorrectly calculate the firstchangenumber

APAR IO15072 (CMVC 112064 112455 112464)
The Changelog cleanup code cannot remove incomplete entries in
the changelog db.

APAR IO15073 (CMVC 112015)
Resuming replication does not retry last change if it failed

APAR IO15074 (CMVC 112396)
AIX install of idsldap.cltjava62.rte fileset will not report
insufficient disk space errors.

APAR IO15075 (CMVC 112417)
blank line needed after last entry in timdelref.conf file.

APAR IO15076 (CMVC 112430)
Include paged search info in audit log

APAR IO15077 (CMVC 112448)
Audit timestamp is always "+00.00" offset from UTC

APAR IO15078 (CMVC 112251)
adding duplicate ibm-memberGroup value in modify causes deadlock
in DN cache

APAR IO15079 (CMVC 111942 112445 112447)
Routine build maintenance

APARs from 6.2.0.19-TIV-ITDS-FP0019 (6.2.0.19 / 5.0013)
- ---------------------------------------------------------

Fix pack 6.2.0.19-TIV-ITDS-FP0019 is identical to 6.2.0.3-TIV-ITDS-IF0005.
If you have already installed 6.2.0.19, there is no need to re-install it.

APARs from 6.2.0.3-TIV-ITDS-IF0005 (6.2.0.19 / 5.0013)
- ---------------------------------------------------------

APAR IO12757 (CMVC 112191)
webadmin edit entry panels loses data on next/back/next

APAR IO13801 (CMVC 112216)
replication operations intermittently do not replicate to all
consumers

APAR IO14364 (CMVC 112008)
Server memory leak during search operations

APAR IO14417 (CMVC 112186 112220 112227)
SSL error GLPSSL019E on Windows after installing TDS 6.2.0.18

APAR IO14541 (CMVC 112229)
Memory leak if establishing an SSL connection fails

APAR IO14582 (CMVC 112230)
Incorrect error upon adding entry with attribute using langtags

APAR IO14635 (CMVC 112168)
ldap_ssl_client_init failed! rc == -1 "Unknown SSL error"

APAR IO14636 (CMVC 112192)
WebAdmin does not show images on panel in some scenarios.

APAR IO14637 (CMVC 112200)
[MDVREGR IO14065] "No search results were found." from webadmin
and "Unknown error" from sorted search (-o)

APAR IO14638 (CMVC 112239)
Memory leak if Non-SSL client receives SSL referral

APAR IO14639 (CMVC 112242)
Memory leak if SSL client receives non-SSL referral

APAR IO14640 (CMVC 112256)
TDS client does not reject empty string as invalid search filter

APAR IO14641 (CMVC 112245 112249 112254)
Routine build maintenance

APARs from 6.2.0.3-TIV-ITDS-IF0004 (6.2.0.18 / 5.0012)
- --------------------------------------------------------

APAR IO12360 (CMVC 112017)
Fail to migrate standard objectclass if new attribute is added

APAR IO13570 (CMVC 111979)
db2Ldif is not exporting data (fails) with no error messages

APAR IO13711 (CMVC 112073)
ibm-allGroups/ibm-allMembers search on proxy requires global
admin group privileges

APAR IO13718 (CMVC 111798)
start -> all programs -> itds 6.2 -> WAT (secure) displays error
on page

APAR IO13858 (CMVC 111885)
Complex search filter containing encrypted attribute fails to
return results.

APAR IO13878 (CMVC 111917 112024)
Expanding non-leaf node in WAT gives error GLPWDM041E - A leaf
node can't be expanded

APAR IO13955 (CMVC 111983)
webadmin fails to apply password policy on group entry

APAR IO14015 (CMVC 111941)
unable to assign password policy without expire time to a group
of users.

APAR IO14060 (CMVC 112007)
IDSWebApp: Unauthenticated Log File Access

APAR IO14143 (CMVC 112112)
Allow PTA connection errors at server startup

APAR IO14165 (CMVC 112025)
IDSWebApp password field with auto-complete enabled - need to
explicitly disable the auto-complete feature.

APAR IO14240 (CMVC 112113 112138)
*str* filter does not match if 'str' is beyond first or last 240
bytes of attribute value

APAR IO14344 (CMVC 111868)
modifytimestamp changes on replica when an ldapcompare is run

APAR IO14347 (CMVC 112126 112129 112133)
Routine build maintenance

APAR IO14349 (CMVC 111972)
SSL handshake timed out before the actual Time-out value.

APARs from 6.2.0.3-TIV-ITDS-IF0003 (6.2.0.17 / 5.0011)
- --------------------------------------------------------

APAR IO13637 (CMVC 111765)
ibmslapd process cores when conflict resolution enabled

APAR IO14017 (CMVC 111978 112068)
Java JRE update for CVE-2010-4476

APAR IO14065 (CMVC 112033 112043)
Performance enhancement for VLV search of 'objectclass=*'

APAR IO14071 (CMVC 111998 112016)
[MDVREGR IO13263] Server leaks memory if audit log enabled

APAR IO14196 (CMVC 111988)
[MDVREGR IO12830] modifiersname may not get updated on entry
modification

APAR IO14197 (CMVC 112034 112036 112037)
idsrunstats does not honor IBMSLAPD_USE_SELECTIVITY=YES

APAR IO14200 (CMVC 112035)
Routine build maintenance

APARs from 6.2.0.3-TIV-ITDS-IF0002 (6.2.0.16 / 5.0011)
- --------------------------------------------------------

APAR IO13717 (CMVC 111722)
LDAP server leaks memory when database codepage is not UTF8

APAR IO14007 (CMVC 111859)
[MDVREGR IO13278] Bind may randomly fail w/ rc=82
(LDAP_LOCAL_ERROR) if Password Policy is enabled.

APAR IO14010 (CMVC 111837 111889 111905)
TDS Remote Code Execution Vulnerability

APAR IO14025 (CMVC 111915 111948)
Mask sensitive data in audit log and server trace

APAR IO14030 (CMVC 111898 111903 111909 111922 111925 111950 111980 111981)
Routine build maintenance

APARs from 6.2.0.3-TIV-ITDS-IF0001 (6.2.0.15 / 5.0011)
- --------------------------------------------------------

APAR IO12456 (CMVC 111549)
idsxcfg:optimize db fails if local & global ldapdb.prop differs.

APAR IO13216 (CMVC 111499)
Enhance GLPSRV165E Pass-through authentication timeout message

APAR IO13263 (CMVC 111691)
TDS Proxy server crashes if backend server is down

APAR IO13428 (CMVC 111732)
Custom password policy plugin fails with schema violation error.

APAR IO13465 (CMVC 111760)
Object class violation error, if first attribute is encrypted.

APAR IO13740 (CMVC 111813)
Infinite loop encountered as a result of a bad search filter

APAR IO13764 (CMVC 111522)
In rare cases, performance auditing attribute timeonworkQ may
be incorrectly calculated.

APAR IO13765 (CMVC 111537)
Memory leak in failure path of LDAP_RESULT API.

APAR IO13766 (CMVC 111553)
LDAP server memory leak in replication-supplier

APAR IO13767 (CMVC 111805)
Routine build maintenance

APARs from 6.2.0-TIV-ITDS-FP0003 (6.2.0.14 / 5.0011)
- --------------------------------------------------------

APAR IO13581 (CMVC 111434)
idsinstall script doesn't update msg package on HP-UX.

APAR IO13582 (CMVC 111460)
After upgrade two java client versions are visible.

APAR IO13583 (CMVC 111661 111740)
GSKIT_CLIENT_VERSION env variable does not work on Windows

APAR IO13584 (CMVC 111395 111739)
Routine build maintenance

APARs from 6.2.0.2-TIV-ITDS-IF0005 (6.2.0.13 / 5.0011)
- --------------------------------------------------------

APAR IO11906 (CMVC 111482)
Attribute is unusable after increasing attribute length

APAR IO12131 (CMVC 110083)
web admin shows replicated master/gateway as a replica

APAR IO12330 (CMVC 111509)
user template changes are not being saved

APAR IO12485 (CMVC 111038 111534 111535 111536)
allow for customized kerberos principal name

APAR IO12486 (CMVC 111413 111425)
inconsistent search results with filter uid=<val> and uid=<val>*

APAR IO12925 (CMVC 111382)
Web Administration tool fails to load the edit attribute panel
for an entry.

APAR IO13155 (CMVC 111513)
unable to delete multiple entries (selected on multiple pages)
via web admin tool.

APAR IO13163 (CMVC 111457)
idsbulkload -S fails w/ GLPCOM013E Attribute pwdGroupPoliceDN
not found in schema.

APAR IO13180 (CMVC 111470)
idslogmgmt.cmd script calls "cp" and "sleep" commands on windows

APAR IO13277 (CMVC 105239)
Bad BER request could potentially crash Tivoli Directory Server

APAR IO13278 (CMVC 111206 111486)
replication hangs in "active" state for one or more consumers in
a replication context

APAR IO13279 (CMVC 111505 111506 111533)
Routine build maintenance

APARs from 6.2.0.2-TIV-ITDS-IF0004 (6.2.0.12 / 5.0010)
- --------------------------------------------------------

APAR IO12719 (CMVC 111359)
webadmin modified attributes displays lowercase attribute names

APAR IO12721 (CMVC 111323)
[Win only] migration fails if perftune_stat log file is missing

APAR IO12756 (CMVC 111262)
proxy server crash cleaning up paged search on backend

APAR IO12912 (CMVC 111333)
ldapcompare always returns true when target dn has pwdReset:
true

APAR IO12921 (CMVC 111349)
correct ibm-slapdLdapCrlUser and ibm-slapdLdapCrlPassword
function

APAR IO13137 (CMVC 110424 111343)
Small memory leak when IBMSLAPD_PREOP_AUDIT=YES and audit is on

APAR IO13139 (CMVC 111407 111411 111412)
Routine build maintenance

APARs from 6.2.0.2-TIV-ITDS-IF0003 (6.2.0.11 / 5.0009)
- --------------------------------------------------------

APAR IO10391 (CMVC 106544)
Referential integrity plugin fails operation when behind Proxy

APAR IO11717 (CMVC 110685)
idsperftune fails when ibmslapd doesn't listen on localhost.

APAR IO12080 (CMVC 109864)
In ibmslapd.log, message for the number of updates in the last
hour, 2 messages per hr if changelog is configured

APAR IO12176 (CMVC 110146)
aliasedEntryName should be an alternative of aliasedObjectName.

APAR IO12240 (CMVC 111072)
ldapsearch does not support passwords starting with the '?'

APAR IO12326 (CMVC 110669)
ibmslapd will core dump during a compare operation if dn is NULL
and audit.log is enabled.

APAR IO12505 (CMVC 110993)
Add missing groups that group password policy applies to.

APAR IO12621 (CMVC 111131)
Search request cores when schema has changed.

APAR IO12642 (CMVC 111119)
Add/Mod of "ldaps" URL fails for "ibm-replicareferralurl" attr.

APAR IO12814 (CMVC 108790)
Server may trap if active password policy entries do not have
policy start time attribute.

APAR IO12817 (CMVC 109251)
deploy_idswebapp script reports war file is not valid

APAR IO12826 (CMVC 109311)
Handling memory leak issue in ITDS.

APAR IO12827 (CMVC 109411)
Search gives DB2 Tablename as attribute name with hyphen char.

APAR IO12830 (CMVC 110051 111287)
Replicated failed compare updates modifytimestamp, which
causes replication conflict on next operation.

APAR IO12833 (CMVC 110090)
idsldif2db may coredump on program exit if ibm-slapdReplDBConns
is set in ibmslapd.conf

APAR IO12862 (CMVC 110698)
LDAP_GET_OPTION() with option LDAP_OPT_ERROR_STRING fails.

APAR IO12863 (CMVC 110701)
idsimigr fails to parse schema files in unicode locales on AIX

APAR IO12864 (CMVC 110703)
idsadsync fails with "Entry has no value for required TDS
attribute UID" after applying TDS 6.1.1 FP06

APAR IO12965 (CMVC 106606)
Loading of MD5 data double encrypts.

APAR IO12966 (CMVC 109212)
Windows idsxinst fails if encryption salt contains pipe (|)

APAR IO12967 (CMVC 109396)
GLPRPL024E error message requires additional information.

APAR IO12972 (CMVC 110170)
Schema checking fails for Operational Attributes when using
bulkload.

APAR IO12973 (CMVC 110210)
Audit bind PREOP RECORD not generated when PREOP AUDITING is
enabled.

APAR IO12974 (CMVC 110291 110857)
[MDVPARTL IO12394] High CPU when stopping server using "-k"

APAR IO12975 (CMVC 110317)
[MDVREGR IO11213] Server will become sluggish and can appear to be
hung when replication PASSWORD POLICY related attributes.

APAR IO12976 (CMVC 99823)
DSML - modify Filter.java to correctly process NOT filters

APAR IO12977 (CMVC 110447)
pwdReset:true replicated to consumer when not set on supplier.

APAR IO12979 (CMVC 110908)
ldtrc should find tfi files without TRCTFIDIR.

APAR IO12982 (CMVC 111008)
ibmslapd cores intermittently.

APAR IO12984 (CMVC 109948)
ITDS randomly cores

APAR IO12985 (CMVC 110025)
Different Timestamps in db2cli.log file.

APAR IO12987 (CMVC 111070)
Wrong timestamps in db2cli.log

APAR IO12989 (CMVC 111096 111263)
System cores when DIGEST-MD5 connections are attempted.

APAR IO12990 (CMVC 111141)
DB2 password appears twice in ldapinst.log

APAR IO12992 (CMVC 111189)
Inconsistent search results when attribute cache enabled.

APAR IO12993 (CMVC 111256)
free(): invalid next size

APAR IO12994 (CMVC 108018 110343 111272 111273 111275)
Routine build maintenance

APAR IO12996 (CMVC 110434)
attr cache entries added to conf file when editing entry cache.

APAR IO13001 (CMVC 110764)
Server Hang, crash issue with paged search.

APAR IO13008 (CMVC 111218)
idsldif2db only imports the first entry with operational
attribute.

APARs from 6.2.0.2-TIV-ITDS-IF0002 (6.2.0.10 / 5.0008)
- --------------------------------------------------------

APAR IO11942 (CMVC 106845 109152)
idsdbrestore may fail to restore an online backup db.

APAR IO12589 (CMVC 110998 110999 111036 111186 111188)
Update bundled JDK on AIX and Linux PPC for POWER7 compatibility

APAR IO12590 (CMVC 110704 111000)
Routine build maintenance

APAR IO12691 (CMVC 110370)
idsinstall fails installing ITDS v6.2 update when 6.0.0.62
installed.

APARs from 6.2.0.2-TIV-ITDS-LA0001 (6.2.0.9 / 5.0008)
- -------------------------------------------------------

APAR IO12374 (CMVC 110827)
client code corrupts arabic search filter by stripping 0xD8 byte
from leading character

APAR IO12407 (CMVC 110828)
Routine build maintenance

APARs from 6.2.0-TIV-ITDS-FP0002 (6.2.0.8 / 5.0008)
- -------------------------------------------------------

APAR IO11301 (CMVC 108545)
idslogmgmt.log permission conflict if run as root and inst owner

APAR IO11635 (CMVC 108669 109780)
base64 encoded pwds not returned in ldapsearch

APAR IO11706 (CMVC 108865)
schema violation when adding entries with boolean attributes via
the web admin

APAR IO11712 (CMVC 109036)
62 proxy server fails to reconnect to 62 backend

APAR IO11790 (CMVC 109104 109566)
TDS 6.2 does not replicate delete operation and does not keep
entry in change table.

APAR IO11833 (CMVC 108963)
idsimigr changes customer-defined attribute value for entry
"cn=Connection Management, cn=Front End, cn=Configuration".

APAR IO11840 (CMVC 109360)
eSIP IBM20100125-1140: LDAP do_extendedOp DoS vulnerability

APAR IO11879 (CMVC 109336)
Extra cn=NULL appears in db2ldif output.

APAR IO11907 (CMVC 108931)
Realm doesn't work for boolean valued user template.

APAR IO11988 (CMVC 109620)
[MDVREGR IO11593] Server hung using paged searches with
GLPSRV203W messages in ibmslapd.log

APAR IO12101 (CMVC 109297)
[MDVREGR IO10983] ibmslapd crashes while shutting down.

APAR IO12266 (CMVC 108104 109037)
LDAP client libraries for releases 6.1 and later now honor the
LDAP_UTF8_XLATE_ON option.

APAR IO12294 (CMVC 109155)
deploy_idswebapp doesn't work when called with absolute path

APAR IO12375 (CMVC 108864)
deadlock encountered when reconfiguring replication topology.

APAR IO12376 (CMVC 109375)
LDAP client hangs because server fails to pass back RETURN CODE

APAR IO12382 (CMVC 108303)
Webadmin fails to connect to server with new OS name "IBM i" for
OS400.

APAR IO12385 (CMVC 108392 108544)
Remove ServerConfigGroup and ServerStartStopGroup roles on
"IBM i" OS.

APAR IO12386 (CMVC 108406 108793)
Web Admin shows wrong message when deleting entry from group.

APAR IO12388 (CMVC 108393)
"start/stop tracing" and "start/stop log management"
links from webadmin are not valid for "IBM i" OS.

APAR IO12391 (CMVC 108434)
Webadmin tool should display only valid encrypted attributes.

APAR IO12392 (CMVC 107225)
Wrappers may throw "access denied" error on Win2008.

APAR IO12393 (CMVC 107814)
idsideploy fails with DB2v9.7.

APAR IO12394 (CMVC 108271)
Server doesn't stop immediately after ibmslapd -k exits.

APAR IO12401 (CMVC 106605.04 106605.05 107120 108780 108792 110287)
[MDVREGR IO11572] idscfgdb fails after remote migration

APAR IO12402 (CMVC 108785 108786 108818 109035 109186 109379)
Routine build maintenance

APARs from 6.2.0.1-TIV-ITDS-IF0004 (6.2.0.7 / 5.0007)
- -------------------------------------------------------

APAR IO11208 (CMVC 107809)
memory leak if ldap_explode_dn() is called with an empty string

APAR IO11244 (CMVC 108072)
[MDVREGR IO10444] idscfgchglg fails with "Memory fault" if run
w/out -I parameter

APAR IO11266 (CMVC 108088)
[MDVREGR IO10412] idscfgchglg sets local directory for changelog
db alias incorrectly

APAR IO11358 (CMVC 107997)
GLPCTL110E from idsdbback if ITDS and DB2 instance owners are
not the same

APAR IO11406 (CMVC 107792)
idsldif2db cores after successfully loading all entries

APAR IO11468 (CMVC 107453)
ibmslapd crashes on Solaris 10 for SPARC

APAR IO11470 (CMVC 108255)
User add fails for user which uses Realm with user template.

APAR IO11520 (CMVC 108339)
GLPRDB004E after idsdbrestore if DB home different from TDS home

APAR IO11561 (CMVC 108259)
audit log incorrectly reporting unauthenticated binds when using
pre-op bind plugin

APAR IO11570 (CMVC 106347)
Configuring proxy server fails when running webadmin on WAS 7

APAR IO11572 (CMVC 106941 106941.1)
idscfgdb fails after remote migration

APAR IO11573 (CMVC 107232)
Excessive communications errors in ibmslapd.log file when using
some load balancers.

APAR IO11576 (CMVC 107307)
Server core shows SIGSEGV in entry_cache_get_entry_with_buffer()

APAR IO11577 (CMVC 107422)
[MDVPARTL IO10673] Other vendors' clients cannot parse password
policy response control from TDS server

APAR IO11579 (CMVC 107468)
Cannot add ibm-nestedGroup if ibm-membergroup = parent DN

APAR IO11582 (CMVC 107856)
Realm administrator can't add user into existing realm

APAR IO11588 (CMVC 107858)
[MDVPARTL IO10921] upgrade from 52 to 62 using idsxinst tries to
configure database

APAR IO11589 (CMVC 107878)
Schema management errors when running webadmin on WAS 7

APAR IO11590 (CMVC 107947)
timeout error starting Windows services which depend on TDS

APAR IO11591 (CMVC 107958)
Custom passwd policy outside cn=ibmpolicies cannot be applied
after server restart

APAR IO11592 (CMVC 108011)
boolean attribute modified in WebAdmin not saved

APAR IO11593 (CMVC 108251)
LDAP server may crash under heavy load with paged searches

APAR IO11595 (CMVC 108044 108076 108533)
Routine build maintenance

APARs from 6.2.0.1-TIV-ITDS-IF0003 (6.2.0.6 / 5.0006)
- -------------------------------------------------------

APAR IO11186 (CMVC 106995)
SUBSTR and ORDERING definitions removed by schema migration

APAR IO11187 (CMVC 107256)
modifydn operation may fail with operations error

APAR IO11200 (CMVC 107348)
TDS 6.0 FP05 traps on Suse Linux 9

APAR IO11201 (CMVC 107469)
TDS client trace update

APAR IO11203 (CMVC 107361)
warning message may not display properly in the web admin tool

APAR IO11207 (CMVC 107364)
Setting password policy for a dynamic group fails in TDS Web
Administration

APAR IO11213 (CMVC 107386)
The 'modifiersname' operational attribute of an entry gets out
of sync. during replication if password policy is enabled.

APAR IO11215 (CMVC 107390)
pass-through authentication (PTA) fails with PKCS#11 enabled

APAR IO11216 (CMVC 107231 107681 107704 107707)
Routine build maintenance

APAR IO11237 (CMVC 107553)
TDS 6.1 ibmslapd cores while building effective password policy
for member of nested group

APAR IO11238 (CMVC 107631)
Cannot migrate if IBMAttributeTypes is incomplete

APARs from 6.2.0.1-TIV-ITDS-IF0002 (6.2.0.5 / 5.0005)
- -------------------------------------------------------

APAR IO10875 (CMVC 107040)
TDS 6.x proxy does not dereference alias request.

APAR IO10908 (CMVC 106367)
unable to configure adsync solution via idsadscfg on Unix

APAR IO10920 (CMVC 106875)
Java class GroupAuthorizationControl throws exception "Mismatch
of constructed encoding terminations"

APAR IO10921 (CMVC 106883)
upgrade from 52 to 62 using idsxinst tries to configure database

APAR IO10925 (CMVC 106907)
idsldapdiff usage gives Exception for Danish locale.

APAR IO10928 (CMVC 106961)
webadmin - replicated peer server role may be shown as replica

APAR IO10929 (CMVC 106980)
attribute cache may return inconsistent search results

APAR IO10959 (CMVC 105937)
ldapchangepwd shows error 'invalid pointer'

APAR IO10960 (CMVC 106165)
ldapexop and ibmdirctl show error 'invalid pointer' using TLS

APAR IO10962 (CMVC 106403)
ibmslapd crash (SIGSEGV) with heavy load of 1000's transactions

APAR IO10963 (CMVC 106768)
WebAdmin cannot configure pass-through authentication (PTA) to
AD Global Catalog

APAR IO10966 (CMVC 106938)
Server cores (SIGSEGV) while running password policy related
update requests.

APAR IO10972 (CMVC 106949 106991 106993)
Adding a nested group which contains its own parent will hang
the server

APAR IO10974 (CMVC 106982)
Server slows down and effectively hangs when multiple concurrent
operations are initiated.

APAR IO10983 (CMVC 107183)
ibmslapd core dumps on Linux 64 during shutdown with -k option.

APAR IO10991 (CMVC 107184 106955 106958)
Routine build maintenance

APAR IO10995 (CMVC 106495)
TDS returns wrong result on first idsldapsearch request after
starting or restarting ibmslapd.

APAR IO10997 (CMVC 107095 107212)
TDS server consumes high CPU and may become unresponsive

APARs from 6.2.0.1-TIV-ITDS-IF0001 (6.2.0.4 / 5.0004)
- -------------------------------------------------------

APAR IO10541 (CMVC 106734)
client does not correctly translate \00 to null as per rfc 4515

APAR IO10548 (CMVC 106766)
TDS client hangs under heavy load

APAR IO10569 (CMVC 106865)
significant performance degradation in TDS 6.2 as compared to
TDS 5.2

APAR IO10574 (CMVC 106484)
GLPSRV153W message is incorrectly reported in ibmslapd.log

APAR IO10644 (CMVC 106464)
[WIN] idsimigr error: '[...]\IBM\SQLLIB' is not recognized ...

APAR IO10666 (CMVC 106477 106598)
idsicrt fails on system with /etc/group containing large groups

APAR IO10671 (CMVC 106722)
webadmin removes matchingrule upon attribute indexing

APAR IO10673 (CMVC 106739 106863 106872)
TDS client cannot parse password policy response control from
other servers, such as Sun or openLDAP.

APAR IO10681 (CMVC 106767)
webadmin doesn't display matching rules in view attributes
panel if schema uses descriptive names instead of OIDs

APAR IO10684 (CMVC 106781)
TDS migration fails if the db2 instance has an _ in the instance
name

APAR IO10685 (CMVC 106792)
ibmslapd may start in config mode after enabling encrypted
attributes feature.

APAR IO10701 (CMVC 105958)
[Windows Only] idsdbmaint command fails with Error GLPDBA048E

APAR IO10703 (CMVC 106226)
The PasswordAdmin role cannot search password related attributes

APAR IO10705 (CMVC 106590)
NAS does not start after migration from TDS 5.2/6.0 to TDS 6.1

APAR IO10706 (CMVC 106614)
SSL Replication does not work after restarting replica instance

APAR IO10707 (CMVC 106705)
error GLPCFG144E when adding a new suffix using idsxcfg

APAR IO10708 (CMVC 106725)
Error GLPWDM026E from "Manage users" if user DN contains '/'

APAR IO10709 (CMVC 106798 106802 106838)
TDS server may not sort national language characters properly

APAR IO10710 (CMVC 106801)
TDS for 64 bit windows is missing 32bit libibmldapdbgstatic.lib

APAR IO10714 (CMVC 106351 106353 106700 106709 106861)
Routine build maintenance

APAR IO10718 (CMVC 106456)
32k tablespace fails to be created when running the idscfgchglg
command as the ldap instance owner user in a multi-user env

APARs from 6.2.0-TIV-ITDS-FP0001 (6.2.0.3 / 5.0003)
- -------------------------------------------------------

APAR IO10324 (CMVC 106346)
bulkload/ldif2db fails if attr value length is > 4096 in a line

APAR IO10325 (CMVC 106390)
idscfgdb fails if the TDS and DB2 instances are different.

APAR IO10360 (CMVC 106419)
ibmslapd crash deleting entry w/ attribute not in schema

APAR IO10411 (CMVC 105707)
WhitePages: Can not add Manager to an entry.

APAR IO10412 (CMVC 106112)
Create changelog database as indirect instead of remote

APAR IO10413 (CMVC 106113)
Server does not detect conflicting OID's in schema

APAR IO10415 (CMVC 106228)
replication of schema changes blocks with error GLPRPL033E
"schema modify terminated with unauthorized user".

APAR IO10417 (CMVC 106265 106289)
IBM Support Assistant ver. 4

APAR IO10418 (CMVC 106266)
TDS 6.x idsdb2ldif does not export pwdHistory attribute

APAR IO10419 (CMVC 106274 106448)
Deletions are not replicated if tombstone feature is enabled

APAR IO10420 (CMVC 106293)
rootDSE search returns incorrect lastChangeNumber attribute

APAR IO10421 (CMVC 106307)
Memory leaks in TDS 6.1 & 6.2 client libraries

APAR IO10423 (CMVC 106336)
Server seems to hang. Msg "operation error" is returned for any
database related operation being requested.

APAR IO10424 (CMVC 106415)
passthrough authentication (PTA) timeout precluded by an error

APAR IO10426 (CMVC 106469)
SSL errors in other WAS applications after logging into TDS
webadmin

APAR IO10427 (CMVC 106478)
idsldapdiff fails with error "GLPJBP043E Exception occurred"

APAR IO10429 (CMVC 106562)
deploy_IDSWebApp.bat fails on Windows 2008

APAR IO10430 (CMVC 106573)
Enable pass-through authentication (PTA) to AD Global Catalog

APAR IO10431 (CMVC 106300 106304 106426 106487 106489)
Routine build maintenance

APAR IO10434 (CMVC 106327)
TDS server cores during the import of TIM adapter profile

APAR IO10440 (CMVC 106435 106528)
idsinstall fails if multiple TDS versions or non-en msgs are
installed

APAR IO10444 (CMVC 106479)
idscfgchglg command fails if instance owner's home and instance
home are different.

APARs from 6.2.0.0-TIV-ITDS-IF0002 (6.2.0.2 / 5.0001)
- -------------------------------------------------------

APAR IO09831 (CMVC 106202)
6.2 fails to migrate 6.0 instance with user specified location.

APAR IO09906 (CMVC 105987 106130)
Support for DB2 v9.1 FP5+ and v9.5 FP2+

APAR IO09917 (CMVC 106054)
idsimigr tool doesn't handle multiple objectclass names

APAR IO09936 (CMVC 106195)
jservice.exe does not exit during silent install of ITDS 6.2

APAR IO10110 (CMVC 105962)
master server loses search authority if explicit ACLs are set on
replication context

APAR IO10112 (CMVC 106134)
Unable to start server in SSL as instance owner on HPIA64

APAR IO10114 (CMVC 106255)
Routine build maintenance

APARs from 6.2.0.0-TIV-ITDS-LA0001 (6.2.0.1 / 5.0001)
- -------------------------------------------------------

APAR IO09845 (CMVC 105787)
TDS 6.x - idsdb2ldif -s cn=schema core dumps

APAR IO09847 (CMVC 105844)
[WIN] Error GLPWRP013E after migrating to 6.2 using ISMP install

APAR IO09850 (CMVC 105913)
6.2 Webadmin search of cn=changelog returns no results

APAR IO09851 (CMVC 105921)
Search on cn=changelog returns "Unknown error" if isDeleted or
lastKnownParent attributes are requested

APAR IO09882 (CMVC 105935)
Binary values missing from search via TDS 6.2 proxy server

APAR IO09883 (CMVC 105968)
Server appears unresponsive after 15 minutes

APAR IO09884 (CMVC 105994)
Corrections to IDSWebApp version info (IDSWebAppInfo.xml)

APAR IO09885 (CMVC 106068)
TDS 6.2 crashes at startup in debug mode w/ libdelref plugin

APAR IO09887 (CMVC 106042)
When ibm-pwdGroupAndIndividualEnabled is enabled, password
policy stops working.

APAR IO09888 (CMVC 105929 105978 105985 105995
105996 105998 105999 106029)
Routine build maintenance

Created/Revised by   Date of Creation/Update   Summary of Changes
brookh               2012/01/03                created

Prerequisites
Tivoli Directory Server 6.2

Installation Instructions
Please refer to the full README for installation instructions.
Download director is required when downloading Common Criteria certified
products.

Download package

6.2.0.22-ISS-ITDS-IF0022

Problems (APARS) fixed
IO09831, IO09845, IO09847, IO09850, IO09851, IO09882, IO09883, IO09884,
IO09885, IO09887, IO09888, IO09906, IO09917, IO09936, IO10110, IO10112,
IO10114, IO10324, IO10325, IO10360, IO10391, IO10411, IO10412, IO10413,
IO10415, IO10417, IO10418, IO10419, IO10420, IO10421, IO10423, IO10424,
IO10426, IO10427, IO10429, IO10430, IO10431, IO10434, IO10440, IO10444,
IO10541, IO10548, IO10569, IO10574, IO10644, IO10666, IO10671, IO10673,
IO10681, IO10684, IO10685, IO10701, IO10703, IO10705, IO10706, IO10707,
IO10708, IO10709, IO10710, IO10714, IO10718, IO10875, IO10908, IO10920,
IO10921, IO10925, IO10928, IO10929, IO10959, IO10960, IO10962, IO10963,
IO10966, IO10972, IO10974, IO10983, IO10991, IO10995, IO10997, IO11186,
IO11187, IO11200, IO11201, IO11203, IO11207, IO11208, IO11213, IO11215,
IO11216, IO11237, IO11238, IO11244, IO11266, IO11301, IO11358, IO11406,
IO11468, IO11470, IO11520, IO11561, IO11570, IO11572, IO11573, IO11576,
IO11577, IO11579, IO11582, IO11588, IO11589, IO11590, IO11591, IO11592,
IO11593, IO11595, IO11635, IO11706, IO11712, IO11717, IO11790, IO11833,
IO11840, IO11879, IO11906, IO11907, IO11942, IO11988, IO12080, IO12101,
IO12131, IO12176, IO12240, IO12266, IO12294, IO12326, IO12330, IO12360,
IO12374, IO12375, IO12376, IO12382, IO12385, IO12386, IO12388, IO12391,
IO12392, IO12393, IO12394, IO12401, IO12402, IO12407, IO12456, IO12485,
IO12486, IO12505, IO12589, IO12590, IO12621, IO12642, IO12691, IO12719,
IO12721, IO12756, IO12757, IO12814, IO12817, IO12826, IO12827, IO12830,
IO12833, IO12862, IO12863, IO12864, IO12912, IO12921, IO12925, IO12965,
IO12966, IO12967, IO12972, IO12973, IO12974, IO12975, IO12976, IO12977,
IO12979, IO12982, IO12984, IO12985, IO12987, IO12989, IO12990, IO12992,
IO12993, IO12994, IO12996, IO13001, IO13008, IO13137, IO13139, IO13155,
IO13163, IO13180, IO13216, IO13263, IO13277, IO13278, IO13279, IO13428,
IO13465, IO13570, IO13581, IO13582, IO13583, IO13584, IO13637, IO13711,
IO13717, IO13718, IO13728, IO13740, IO13764, IO13765, IO13766, IO13767,
IO13801, IO13805, IO13858, IO13878, IO13955, IO14007, IO14010, IO14015,
IO14017, IO14025, IO14030, IO14060, IO14065, IO14071, IO14143, IO14165,
IO14196, IO14197, IO14200, IO14240, IO14306, IO14344, IO14347, IO14349,
IO14364, IO14417, IO14508, IO14541, IO14582, IO14635, IO14636, IO14637,
IO14638, IO14639, IO14640, IO14641, IO14820, IO14901, IO14934, IO14957,
IO15004, IO15046, IO15048, IO15066, IO15067, IO15072, IO15073, IO15074,
IO15075, IO15076, IO15077, IO15078, IO15079, IO15126, IO15128, IO15259,
IO15411, IO15421, IO15422, IO15424, IO15427, IO15429, IO15432, IO15449,
IO15529, IO15530, IO15650, IO15734, IO15934, IO15948, IO15984, IO15987,
IO15990, IO15992, IO15994, IO15997, IO16000, IO16001, IO16006, IO16009,
IO16036, IO16039, IO16042

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----