• Rocket Open AppDev for Z v2.0.2 releases

    Hello users of our z/OS open-source ports,

    I am pleased to announce the release of Rocket Open AppDev for Z v2.0.2.  This release includes version currency updates of PHP, gettext, libssh2, nghttp2, and zlib, as well as a long list of security fixes and other fixes for most of our ports.  For customers on a support contract, these latest builds are already available via conda and will be available at the end of this week for those using SMP/E.  For users not on support, these builds will be made available on our public conda channel server on April 30, 2023.

    Version Currency Updates:

    • PHP v8.1.1=10 (this is a major version update; the previous version supported on z/OS was v7.0.5)
    • gettext v0.21=0
    • libssh2 v1.10.0=0
    • nghttp2 v1.48.0=0
    • zlib v1.2.12=1

    CVE and other fixes:

    - CVE-2022-22576, CVE-2021-22924, CVE-2021-22945, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-30115, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208, CVE-2022-35252, BDSA-2022-0504, BDSA-2022-1120, BDSA-2022-1130, BDSA-2022-1336 fixes
    - Rebuilt with new versions of kerberos, libssh2 and nghttp2 (to fix a group of CVEs)
    - CVE-2022-24765, CVE-2022-29187, CVE-2022-39253, CVE-2022-39260 fixes
    - CVE-2022-0778, CVE-2021-4160, CVE-2022-1292, CVE-2022-2068 fixes
    - Fixed the issue where the pkg-config files for OpenSSL were unreadable after installation
    - Added init_attr_stdio, which fixes an encoding issue in datasets (fixes a problem with perl and datasets when called from BPXBATCH)
    - CVE-2019-14287, CVE-2019-18634, CVE-2021-2323, WS-2021-0493 fixes
    - Rebuilt with the new version of kerberos (to fix a group of CVEs)
    - Fixed issue with ASCII stdout when called from a batch job
    - CVE-2019-14287, CVE-2019-18634, CVE-2021-2323, WS-2021-0493 fixes
    - Fixed issue with ASCII stdout when called from a batch job
    - CVE-2014-8139, CVE-2014-8140, CVE-2014-8141, CVE-2014-9636, CVE-2014-9913, CVE-2015-7696, CVE-2015-7697, CVE-2016-9844, CVE-2018-1000035, CVE-2018-18384, CVE-2019-13232 fixes
    The following Debian patches are also applied:
    - Update section number in manpages
    - Set maintainer to Debian "Branding patch": UnZip by Debian. Original by Info-ZIP.
    - Handle the PKWare verification bit of internal attributes.
    - Fix UID/GID handling. Restore uid and gid information when requested.
    - Initialize the symlink flag. When unzipping some large zipfiles with many entries, unzip may sometimes treat regular files as symlinks if a symlink appeared earlier in the zipfile. The problem seems to be that unzip reuses memory without properly reinitializing it.
    - Allow zip format version >=10. Do not crash when 'hostver' value is >= 100.
    - Prevent unsigned overflow on invalid input.
    - Do not ignore extra fields with Unix Timestamps.
    - Fix incorrect parsing of 64-bit value. The makeint64() function parses 64-bit values incorrectly: it ignores the 5th byte. Because of this, "unzip -l" and "zipinfo" report an incorrect size.
    - Detect and reject a zip bomb using overlapped entries. This detects an invalid zip file that has at least one entry that overlaps with another entry or with the central directory to the end of the file. A Fifield zip bomb uses overlapped local entries to vastly increase the potential inflation ratio. Such an invalid zip file is rejected.
    - Do not raise a zip bomb alert for a misplaced central directory. There is a zip-like file in the Firefox distribution, omni.ja, which is a zip container with the central directory placed at the start of the file instead of after the local entries as required by the zip standard.
    - Avoid zipgrep errors when no members are present.
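    The overlap check described in the two zip bomb items above, as an added illustration rather than code from unzip or from the Debian patches: it walks the central directory, computes the byte range each local entry occupies (header, name, extra field, compressed data and any data descriptor), adds the range of the central directory itself, and rejects the archive if any two ranges overlap. Covering only the directory, not "directory to end of file", is what lets an archive with a misplaced directory such as omni.ja pass. The sample archives are constructed inline for the demonstration.

```python
import io
import struct
import zipfile

EOCD = struct.Struct("<IHHHHIIH")           # end of central directory record, 22 bytes
CDIR = struct.Struct("<IHHHHHHIIIHHHHHII")  # central directory file header, 46 bytes
LOCAL = struct.Struct("<IHHHHHIIIHH")       # local file header, 30 bytes


def entry_spans(data: bytes):
    """Yield (start, end) byte ranges of the central directory and of every local entry."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    count, cd_size, cd_off = EOCD.unpack_from(data, eocd_pos)[4:7]
    # Cover only the directory itself, not "directory to end of file", so an
    # archive whose directory precedes its entries (Firefox omni.ja) is not flagged.
    yield cd_off, cd_off + cd_size
    pos = cd_off
    for _ in range(count):
        cd = CDIR.unpack_from(data, pos)
        if cd[0] != 0x02014B50:
            raise ValueError("bad central directory header at %d" % pos)
        flags, csize, nlen, xlen, clen, local_off = cd[3], cd[8], cd[10], cd[11], cd[12], cd[16]
        pos += CDIR.size + nlen + xlen + clen
        lh = LOCAL.unpack_from(data, local_off)
        if lh[0] != 0x04034B50:
            raise ValueError("bad local header at %d" % local_off)
        end = local_off + LOCAL.size + lh[9] + lh[10] + csize  # header + name + extra + data
        if flags & 0x0008:  # bit 3: a data descriptor follows the compressed data
            end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
        yield local_off, end


def has_overlap(data: bytes) -> bool:
    """True when any two spans overlap, the condition the unzip patch rejects."""
    spans = sorted(entry_spans(data))
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def sample_zips():
    """Constructed test data: a normal archive, and one whose directory lists the same local entry twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
    good = buf.getvalue()
    eocd_pos = good.rfind(b"PK\x05\x06")
    cd_size, cd_off = struct.unpack_from("<II", good, eocd_pos + 12)
    eocd = bytearray(good[eocd_pos:])
    struct.pack_into("<HHI", eocd, 8, 2, 2, 2 * cd_size)  # two entries, doubled directory size
    bad = good[:cd_off] + good[cd_off:cd_off + cd_size] * 2 + bytes(eocd)
    return good, bad
```

For the good archive the single entry ends exactly where the central directory begins, so the check passes; in the second archive both directory records point at the same local header, so two spans cover one byte range and the archive is rejected.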

    - CVE-2018-19211, CVE-2021-39537, CVE-2019-17594, CVE-2019-17595 fixes