-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1659.4
         Security Vulnerabilities and HIPER APARs fixed in DB2 for
              Linux, UNIX, and Windows Version 9.5 Fix Pack 5
                             29 December 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           DB2 Enterprise Server Edition
                   DB2 Workgroup Server
                   DB2 Express Server
                   DB2 Personal Edition
                   DB2 Connect Server
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service              -- Existing Account
                   Provide Misleading Information -- Existing Account
                   Access Confidential Data       -- Existing Account
                   Reduced Security               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-4439 CVE-2009-4438 CVE-2009-4335
                   CVE-2009-4334 CVE-2009-4333 CVE-2009-4332
                   CVE-2009-4331 CVE-2009-4330 CVE-2009-4329
                   CVE-2009-4328 CVE-2009-4327 CVE-2009-4326
                   CVE-2009-4325  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21412902

Revision History:  December 29 2009: Added CVE reference
                   December 29 2009: Added CVE reference
                   December 17 2009: Added CVE and impact information
                   December 17 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and
Windows Version 9.5 Fix Pack 5
 
Abstract
Fix Pack 5 for DB2 V9.5 is now available which includes fixes for some
security vulnerabilities and HIPER APARs. These fixes, where applicable,
are also available in Fix Pack 18 for DB2 Version 8, Fix Pack 8 for DB2
Version 9.1 and Fix Pack 1 for DB2 Version 9.7

IBM recommends that you review the APAR descriptions and deploy one of the
above fix packs to correct them on your affected DB2 installations.
 
Content
A set of security vulnerabilities was discovered in some DB2 database products.
These vulnerabilities were analyzed by the DB2 development organization and a
set of corresponding fixes was created to address the reported issues. IBM is
not currently aware of any externally reported incidents where production DB2
installations have been compromised due to these issues.

The affected DB2 UDB for Linux, UNIX, and Windows products are:

    * DB2 Enterprise Server Edition
    * DB2 Workgroup Server (all Editions)
    * DB2 Express Server (all Editions)
    * DB2 Personal Edition
    * DB2 Connect Server (all Editions)

DB2 Client component and DB2 products or components other than those listed
above are not affected.

Due to the complexity of the fixes required to eliminate the reported
service issues, it is not feasible to retrofit the same fixes into earlier
DB2 UDB Version 8, DB2 Version 9.1 and DB2 Version 9.5 fix packs.

The specifics of the Security APARs incorporated into the above DB2 fix
packs can be found in the following table:

HIPER APARs

      V8 |    V9.1 |    V9.5 |    V9.7 |            ABSTRACT
    FP18 |     FP8 |     FP5 |     FP1 |
- ------------------------------------------------------------------------------
         |         | IZ55987 | IC62219 | DYNAMIC SQL STATEMENTS WITH HOST
         |         |         |         | VARIABLES, USING A REOPT ALWAYS
         |         |         |         | OPTIMIZER GUIDELINE, MAY RETURN
         |         |         |         | WRONG RESULTS
- ------------------------------------------------------------------------------
         |         | IZ47730 | IC64066 | Incorrect result with multiple IN
         |         |         |         | list to join (GENROW) plans via
         |         |         |         | transivity on SMP and MPP
         |         |         |         | environment
- ------------------------------------------------------------------------------
         | IZ53555 | IZ55552 | IC62088 | LOAD UTILITY MAY MARK A ROW BIT
         |         |         |         | INCORRECTLY CAUSING INDEX SCAN
         |         |         |         | TO RETURN INCORRECT RESULTS
- ------------------------------------------------------------------------------
         |         | IC63414 | IC63415 | OUTER JOIN OPERATION MAY RETURN
         |         |         |         | INCORRECT RESULTS WITH A PREDICATE
         |         |         |         | WITH A SUBQUERY RETURNING NOT MORE
         |         |         |         | THAN ONE ROW
- ------------------------------------------------------------------------------
         |         | IZ62791 | IC63668 | INCORRECT RESULTS WHEN ORDERED
         |         |         |         | COLUMN GROUP OR PREDICATE CAN BE
         |         |         |         | USED AS INDEX KEYS
- ------------------------------------------------------------------------------
         | IC61781 | IC64825 | IC64767 | ALTER BUFFERPOOL REDUCE OR STMM
         |         |         |         | MAY HANG IF SET WRITE SUSPEND HAD
         |         |         |         | BEEN ISSUED
- ------------------------------------------------------------------------------
 IC64680 | IC64539 | IC64540 | IC64541 | SQLSETSTMTATTRW(SQL_ATTR_CHAINING_END)
         |         |         |         | RETURNS 0, EVEN WHEN ONE OF THE
         |         |         |         | PREVIOUS CHAINED STATEMENTS
         |         |         |         | FAILED
- ------------------------------------------------------------------------------
         |         | IZ46535 |         | DATA REDISTRIBUTION WITH NOT
         |         |         |         | ROLLFORWARD RECOVERABLE PARAMETER
         |         |         |         | MIGHT CAUSE CORRUPTION IN TABLES
         |         |         |         | ENABLED FOR ROW COMPRESSION
- ------------------------------------------------------------------------------
         |         | IZ52573 |         | USE OF ESCAPE SET TO NULL MIGHT
         |         |         |         | EITHER RETURN INCORRECT RESULT OR
         |         |         |         | CAUSE INSTANCE TRAP IN CULTURALLY
         |         |         |         | CORRECT DATABASE
- ------------------------------------------------------------------------------

DB2 fix packs for all supported versions can be downloaded at the following
site: http://www.ibm.com/support/docview.wss?rs=71&uid=swg27007053

The DB2 team will continue to have a strong focus on delivering timely fixes
for newly discovered issues along with information that helps our customers to
decide on an appropriate course of action. The DB2 team regrets the
inconvenience that these issues are causing to you, our customers. We believe
that our actions are the most prudent steps to address your concerns and
remain open to suggestions on how to further improve our processes.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLObfsNVH5XJJInbgRAtwAAJ0RkYJXRIrcjkAFamepNMkOyWj0uACfdy/h
cjthB8SWwUBQ8tGs9ASpOqw=
=Lpm4
-----END PGP SIGNATURE-----