> all RSU levels are the same No. The HOLDDATA change multiple times between levels.
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List [[email protected]] on behalf of Itschak Mugzach [[email protected]] Sent: Tuesday, January 18, 2022 2:28 AM To: [email protected] Subject: Re: More of LOG4J Thanks David, 1. Even if you are right about the version numbers, we still have 5 different versions here. 2. Your claim about the sub-version is interesting. So Z/OS 2.4, just fir example, all RSU levels are the same. I don't think so, and so do the NVD administrators. Read the range of the affected versions. it includes all three levels. 3. I am sure your company does a great job with versioning. 4. The major issue with open source is that there is no formal life cycle. Usually it is a vendor product that you need to completely upgrade instead of installing a PTF. See your offering such as BASH. It is downloaded and installed. no service exists. Do you expect the user to check every day if there is a new version? ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: [email protected] **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: http://secure-web.cisco.com/18jw22Iixgzti-EBXxg6vWn0F3OY5r5Gp8oO1oKVHF5_kUxYP1KB7fHFTQdXVgRIeqX1IuucbHKPxPh8qqPDIldAePAQO89Ts1FThaNo1aodm8nKlD6m8R4wK0QI6pUXAo4hOsFR815-StTt-LTTZ735ZXz_RuNKLZtfxB8QQkfnB-8g344vQzERl9qrJDSQsY90UFWKSPDnUa226Pjj1nnz32kG9-AvqTg5hQItx21pE7AUvWL1XppaTzIHS9tR0O6BXhjnPGf1R1fEJPuF7Zn1dSfoGN-qoYaUD4DCjy5bsttJT1aN9gLyUg-EhqewCDPIxtOMDjzIUmfVNpBNZjQPOCKAd5d6y42XB8tpi8FC9MAnBdaY_t315WjDsQtj7B_IBDRX60triI3xvhNq1cPstw0g1DWw2pgFBvmqIx0Or1TEUc7xrwv9zv-x0dPXR/http%3A%2F%2Fwww.Securiteam.co.il **|* On Tue, Jan 18, 2022 at 4:52 AM David Crayford <[email protected]> wrote: > On 17/1/22 10:34 pm, ITschak Mugzach wrote: > > Hi, > > > > We took the time to dive into the wider issue of open source and z/os. > USS > > is a scary jungle! > > Only to the ignorant. > > > > > > Without many details on the how, we discovered that on our z/os 2.3 there > > are 19 (!) different versions of Apache Ant: 1.5.3, 1.6.2, 1.6.5, 1.7.0, > > 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.2, 1.8.2, 1.8.3 ,1.8.4, 1.9.0, 1.9.2, > 1.9.3 > > ,1.9.4, 1.9.6 ,1.9.7, 1.9.8 used by 1000 plus jar files and sharing 4 > CVEs. > > I take it you don't understand the concept of semantic versioning. Those > are not all different versions, the last digit is the patch. We do this > in our (mainframe) products too. > In fact, we go further and add the Git commit hash to the version > message so we can track the version the customer is running down to a > line of code. > > Apache Ant is a build system and not part of a runtime. I don't share > your concerns. > > > > > > Nice divers... and as others may say "What you don't know doesn't hurt > you". > > > > ITschak > > > > ITschak Mugzach > > *|** IronSphere Platform* *|* *Information Security Continuous Monitoring > > for z/OS, x/Linux & IBM I **| z/VM coming soon * > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
