On 8 May 2012 18:57, Walt Farrell <[email protected]> wrote:
> On Tue, 8 May 2012 18:31:56 -0400, Tony Harminc <[email protected]> wrote:
>
>>One can learn quite a bit from these published documents, not least
>>lists of fixes that must be applied in order to pass the claimed
>>security specifications, from which one might reasonably infer that
>>the fixes are for software vulnerabilities.
>
> Sometimes the fixes that IBM lists in that document represent 
> vulnerabilities, but sometimes they are merely PTFs that provide 
> late-shipping functional changes. IBM is required for Common Criteria 
> purposes to run the tests with the "final" version of the system, and if 
> functional changes to a component are made via PTF after the "GA" ServerPac 
> tape is produced then the customers who want to run the evaluated/certified 
> version of z/OS are also required to install those PTFs if IBM used them 
> during testing.

One can get some idea of the relative numbers of each kind of fix by
searching the publicly available APAR database for each one listed.
While there may occasionally be other reasons, generally the
non-appearance of a fix suggests that it is on IBM's integrity list.

There is also the "in between" case where a fix (presumably of a
vulnerability) has a co- or pre-req that doesn't fix a vulnerability,
but is needed to cope with changed behaviour from the first that does.
This leads to the amusing situation where the second fix is viewable,
but its links to the first go to a 404 page, or the even stranger one
where the first is findable as text in the second, but cannot itself
be seen.

> (Note: in the latter years of my career with IBM I was the technical 
> architect for our z/OS Common Criteria certification efforts and was the 
> person responsible for the Security Target and for input to the Planning 
> Guide.)

[...]

> As Mark mentioned, you can visit 
> http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html if you 
> are an authorized representative of a z/OS or z/VM site, and learn how to 
> become authorized to view the web site that has the Security/Integrity 
> information for z/OS or z/VM.
>
> --
> Walt (who no longer has access to that kind of information)

Did you feel like Smiley signing his documents back in to Registry,
and then walking out of the Circus for the last time...?

Tony H.
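The cross-check Tony describes above, written out as an added example (this is not code from the thread, and it does not query IBM): given the fix list from a Planning Guide, look each ID up against what is publicly viewable, then separate the visible fixes, the ones that are absent (suggestive of the integrity list), the "in between" fixes whose pre-reqs resolve to nothing, and the stranger case where an absent fix is still named in the text of a visible one. The APAR IDs and record texts in PUBLIC are constructed placeholders standing in for the public database, not real APARs.

```python
import re
from dataclasses import dataclass

# Shape of a z/OS-style APAR identifier (two letters, five digits).
APAR_ID = re.compile(r"\b[A-Z]{2}\d{5}\b")


@dataclass(frozen=True)
class Apar:
    """One publicly viewable APAR: its text plus the pre/co-req IDs it links to."""
    text: str
    reqs: tuple = ()


# Constructed stand-in for the public APAR database. The IDs and texts are
# placeholders made up for this example; nothing here is a real APAR.
PUBLIC = {
    "OA99901": Apar("New function shipped after GA; used in the evaluated configuration."),
    "OA99902": Apar("Toleration fix for changed behaviour introduced by OA99903.",
                    reqs=("OA99903",)),
    "OA99904": Apar("Documentation update only."),
}


def triage(fix_ids, public=PUBLIC):
    """Classify a Planning Guide fix list against the visible APAR records.

    Returns a dict with:
      public              - listed fixes that are viewable
      not_public          - listed fixes with no viewable record
      dangling_reqs       - viewable fix -> its pre/co-reqs that are not viewable
      hidden_mentioned_in - non-viewable fix -> viewable fixes whose text names it
    """
    fix_ids = sorted(set(fix_ids))
    result = {"public": [], "not_public": [], "dangling_reqs": {}, "hidden_mentioned_in": {}}

    for fid in fix_ids:
        rec = public.get(fid)
        if rec is None:
            # Absence is only suggestive: occasionally there are other reasons.
            result["not_public"].append(fid)
            continue
        result["public"].append(fid)
        # The "in between" case: the fix is viewable but its links go nowhere.
        missing = sorted(r for r in rec.reqs if r not in public)
        if missing:
            result["dangling_reqs"][fid] = missing

    # The stranger case: the hidden fix is findable as text inside a visible one.
    for hidden in result["not_public"]:
        mentioned = sorted(pid for pid, rec in public.items()
                           if hidden in APAR_ID.findall(rec.text))
        if mentioned:
            result["hidden_mentioned_in"][hidden] = mentioned
    return result


if __name__ == "__main__":
    # Constructed fix list, as if copied from a Planning Guide.
    for key, val in triage(["OA99901", "OA99902", "OA99903", "OA99904", "OA99905"]).items():
        print(f"{key}: {val}")
```

To use this against the real database you would replace the PUBLIC dictionary with lookups of each listed ID; the categories are the point, and "not_public" remains an inference rather than proof that a fix is an integrity APAR.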

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN