
Re: tgsv50 and AIX patch info



Mike,

Thank you (and all the other Unidata staffers who have worked on this issue)
for your investigation on the AIX upgrade issues that have negatively
affected LDM.  Unfortunately, the reason for our AIX upgrade was to address
security requirements, including the DOS Vulnerability for RPC.  We are
required to meet certain goals mandated by the Federal Information Security
Management Act, including maintaining systems at current security patch
levels.  A back-level AIX installation is not an option for us.  We have
fielded our Regional Radar Image Distribution Systems on mid-range IBM
RS/6000 servers running AIX.  To date, we have had very limited success in
running SuSE Linux on the PowerPC architecture.  Acquisition of different
systems would be difficult at this time.  More importantly, the CONDUIT root
server is a high-end RS/6000 M80 system (PowerPC architecture) also running
AIX O/S.  We must upgrade this system to a current maintenance level as soon
as possible, given its presence on Internet2.

If there is no expectation that Unidata will be addressing the LDM execution
problem under AIX then we will need to begin discussion of how to support
CONDUIT.  If the principal roadblock in the investigation is availability of
an AIX system to use for testing, NWS/TOC can work with you to provide a
remotely accessible AIX system with admin support.

Thanks again for your support to date.  I hope to hear from you Thursday
with information about the possibility of going forward to a resolution of
the problem.

Regards,
Allan



Mike Schmidt wrote:

> Everyone,
>
> Here's my summary of the situation with tgsv50.  Based on conversations
> with Gini and Frances, here are a few choices for getting a backup LDM
> system up-and-running;
>
>  - load tgsv50 with either AIX 4.3.3/ML10 or AIX 5.1/ML4 (details below)
>  - move to an available Linux system
>
> mike
>
> -----------------------------------------------------------------------
>
> It's my observation that one of the following AIX patches contains an
> RPC libc change that's incompatible with the existing LDM code;
>
>  AIX 4.3  AIX 5.1
>  -------  --------
>  IY36463  IY36507    SECURITY: RPC Service DOS Vulnerability
>  IY38541  IY38471    Change libc TCP RPC to use non-blocking I/O
>
> Installation of these patches can be verified with the following;
>
>  instfix -ivk <patch id>
>
> The following is known;
>
>  - our AIX 4.3.3 system (gale) appeared to be working with bos.rte.libc
>    4.3.3.87, but was not working with 4.3.3.92
>
>  - tgsv50 was working with bos.rte.libc 4.3.3.82, but not with 4.3.3.92
>
>  - our AIX 5.1 system (zasu) worked with bos.rte.libc 5.1.0.35, but was
>    not working with 5.1.0.55
>
>  - "RPC DOS" patch was introduced in bos.rte.libc 4.3.3.88/5.1.0.37
>
>  - "non-blocking" patch was introduced in bos.rte.libc 4.3.3.89/5.1.0.38
>
> Since the two patches appear in differing patch levels, one could test
> to verify which of the two patches causes the problem.  Unidata will not
> be conducting this test as we do not have the resources to restore
> either of our systems from tape to try again.
>
> Based on the above information, an AIX server must be at or below the
> following maintenance level (ML) or bos.rte.libc to have a working
> LDM 6.0.14 installation until a resolution is found;
>
>  AIX 4.3.3              <= ML10         <= bos.rte.libc 4.3.3.87
>  AIX 5.1                <= ML4          <= bos.rte.libc 5.1.0.36
begin:vcard 
n:Darling;Allan
tel;fax:301-608-0911
tel;work:301-713-0882 x114
x-mozilla-html:FALSE
org:NOAA's National Weather Service;Office of the CIO, Telecommunication 
Operations Center
version:2.1
email;internet:address@hidden
title:Chief, Telecommunication Software Branch
adr;quoted-printable:;;SSMC2, Station 5146=0D=0A1325 East-West Hwy;Silver 
Spring;MD;20912;
fn:Allan Darling
end:vcard
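
The fileset levels quoted in the summary above can be turned into a quick host check. This is an added example, not part of the original messages and not Unidata or NWS code: it classifies a bos.rte.libc level as before both patches, at the level carrying only the "RPC DOS" fix (the point where the two patches can be told apart), or at a level carrying both. The function names, the sample line, and the colon-separated `lslpp -Lc` layout (fileset in field 2, level in field 3) are assumptions.

```shell
#!/bin/sh
# Added example. Thresholds come from the summary quoted above:
#   "RPC DOS" fix first appears in      bos.rte.libc 4.3.3.88 / 5.1.0.37
#   "non-blocking" change first appears bos.rte.libc 4.3.3.89 / 5.1.0.38

# Constructed sample of colon-separated fileset output (layout is an assumption).
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos:bos.rte.libc:5.1.0.55: : :C: :libc Library'

# Read colon-separated fileset records on stdin, print the bos.rte.libc level.
# On a live host the input would come from: lslpp -Lc bos.rte.libc
level_from_lslpp() {
    awk -F: '$2 == "bos.rte.libc" { print $3; exit }'
}

# classify_libc LEVEL -> pre-patch | rpc-dos-only | both-patches | unknown
#   pre-patch     within the "at or below" bound given for LDM 6.0.14
#   rpc-dos-only  security fix present, non-blocking change absent
#   both-patches  same patch content as the levels reported as not working
classify_libc() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 || $0 !~ /^[0-9]+(\.[0-9]+)+$/ { print "unknown"; exit }
        {
            rel = $1 "." $2 "." $3
            if (rel == "4.3.3")      { dos = 88; nb = 89 }
            else if (rel == "5.1.0") { dos = 37; nb = 38 }
            else { print "unknown"; exit }   # release not covered by the summary
            fix = $4 + 0
            if (fix >= nb)       print "both-patches"
            else if (fix >= dos) print "rpc-dos-only"
            else                 print "pre-patch"
        }'
}

# Demo on the constructed sample.
lvl=$(printf '%s\n' "$SAMPLE" | level_from_lslpp)
echo "bos.rte.libc $lvl: $(classify_libc "$lvl")"
```

A host reporting `rpc-dos-only` has the security fix without the non-blocking I/O change, which is the level at which the test described in the summary would separate the two patches.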