The reason that I asked about getting an up-to-date version of OpenSSL is because a customer of ours asked whether Vulnerabilities CVE-2015-1788 and CVE-2015-1789 were applicable to z/OS. Since OpenSSL is delivered as part of IBM Ported Tools, that is a reasonable question. I did not ask about updating OpenSSH - that is a different question and has been well discussed in respect of Heartbleed.
So it may be that what I need is a definitive statement that the Vulnerabilities CVE-2015-1788 and CVE-2015-1789 do not apply to IBM Ported Tools because OpenSSL can not be used directly from IBM Ported Tools libraries. I agree that it would be better to use the supported SYSTEM SSL, but again that was not the question. Obviously OpenSSL code may be used by other non-IBM products or provided through other products, but that is a different question.

regards,
Anthony Fletcher - NZ MIITP Team Lead NZ SMM (AirNZ, Westpac NZ, NWM AU)
IBM Strategic Outsourcing Delivery
Server Systems Operations
Server Management Mainframe
Mainframe Software Program Manager NZ
z/OS Technical Lead A/NZ
Ph: Direct +64 4 576 8142, tieline 61 929 8142, ITN *869298142, mobile +64 21 464 864, Fax +64 4 576 5808.
Internet: [email protected], Sametime: [email protected]
"The biggest threat to effective communication is the belief that it has occurred"
"Winners make commitments, Losers make promises"

From: Charles Mills <[email protected]>
To: [email protected]
Date: 22/06/2015 10:30
Subject: Re: OpenSSL for z/OS
Sent by: IBM Mainframe Discussion List <[email protected]>

Walt, your first premise would appear to be sort-of correct. http://www-03.ibm.com/systems/z/os/zos/features/unix/bpxa1ty1.html says "the free unsupported version of OpenSSL previously offered here is no longer available. Instead, we refer you to the functionally equivalent version available from the official OpenSSL project website." So what you say is now correct, but the OP may have such a library that he obtained from the Ported Tools portal when it was available there.

Nonetheless, I would say any customer is responsible for any software they install, whether distributed by IBM or not, and especially software distributed with the disclaimer "there are no warranties of any kind, and there is no service or technical support available for these from IBM" as the ported tools portal states. Any software on any customer machine is pretty much "one they installed themselves."

But the OP did not ask "when and where is IBM going to fix OpenSSL?" He asked "where an up to date verson [sic] of OpenSSL that will run on z/OS can be found." If he is worried about OpenSSH or other Ported Tools, then it appears he has nothing to worry about. But my point was that he did not say that.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: Sunday, June 21, 2015 1:03 PM
To: [email protected]
Subject: Re: OpenSSL for z/OS

On Sun, 21 Jun 2015 10:53:39 -0700, Charles Mills <[email protected]> wrote:

>Do we know that the OP's only interest is in updating (unnecessarily, it would appear) the IBM Tools that use OpenSSL internally? Kirk and Walt seem to assume so.
>
>I OTOH (and perhaps David?) made the assumption -- perhaps incorrectly -- that he had an interest in using the OpenSSL library as part of some other project.
>
>I don't see an indication either way in the OP.

As I understand it, Charles, IBM Ported Tools does not provide an OpenSSL library that is usable by the customer. Therefore, if the OP has any such library it must be one he already installed himself, and for which he takes responsibility.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
