-------------------------------------------------------------------------------
Fix Number: FJSVfsep-POOL2-13-1301-4.el7.x86_64
Product Names and Versions: FUJITSU Enterprise Postgres Pgpool-II 13
Product Names and Versions: FUJITSU Enterprise Postgres Pgpool-II 13SP1
Product Names and Versions: FUJITSU Enterprise Postgres Pgpool-II 13SP1A
Creation date: 26.12.2023
-------------------------------------------------------------------------------
[High Risk Activity]
The Customer acknowledges and agrees that the Product is designed, developed
and manufactured as contemplated for general use, including without limitation,
general office use, personal use, household use, and ordinary industrial use,
but is not designed, developed and manufactured as contemplated for use
accompanying fatal risks or dangers that, unless extremely high safety is
secured, could lead directly to death, personal injury, severe physical damage
or other loss (hereinafter "High Safety Required Use"), including without
limitation, nuclear reaction control in nuclear facility, aircraft flight
control, air traffic control, mass transport control, medical life support
system, missile launch control in weapon system. The Customer shall not use
the Product without securing the sufficient safety required for the High Safety
Required Use. In addition, Fujitsu (or other affiliate's name) shall not be
liable against the Customer and/or any third party for any claims or damages
arising in connection with the High Safety Required Use of the Product.

Product and company names mentioned in this manual are the trademarks or
registered trademarks of their respective owners.

Copyright 2021-2023 FUJITSU LIMITED
-------------------------------------------------------------------------------
[Notes]
- This is the readme for RHEL 7.
- This fix is applicable to environments where the following are installed.
    FUJITSU Enterprise Postgres Pgpool-II 13
- Please ensure that the following steps are carried out before applying or
  deleting this patch.
    - Stop the running Pgpool-II.
- After this patch is applied, SSL connections from the client to the DB server
  might fail if you use SSL connections with the PostgreSQL ssl parameter
  enabled. A list matching the list of cipher suites provided by OpenSSL 3.0
  SECLEVEL=1 must be available to the client. If the list of cipher suites used
  by a client cannot be changed, SSL connections can be made by changing
  ssl_ciphers from its default value (HIGH:MEDIUM:+3DES:!aNULL). Note that if
  you specify SECLEVEL=0, the security strength may be reduced by allowing
  cryptographic algorithms that were deprecated in OpenSSL 3.0.
  For example, for the Oracle JDK:
    - If you are using Oracle JDK 1.6
      ssl_ciphers with 'HIGH:MEDIUM:+3DES:!aNULL:!DH@SECLEVEL=0'
    - If you are using Oracle JDK 1.7
      ssl_ciphers with 'HIGH:MEDIUM:+3DES:!aNULL@SECLEVEL=0'
-------------------------------------------------------------------------------
[Patch Description]
The following fixes are included in this patch:

Fix Number: FJSVfsep-POOL2-13-1301-4.el7.x86_64

01 PH22902
   [ ]Security failure  [ ]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     When an emergency modification of FUJITSU Enterprise Postgres is applied,
     the following folder and file owners and groups are changed to non-root
     values.
       - /var/opt/FJSVfupde/backup//PKG
       - /var/opt/FJSVfupde/backup//TOOL
   - Requirements to reproduce this issue
     1) Install the following products, and
          FUJITSU Enterprise Postgres Advanced Enterprise Server Edition 14SP1
          FUJITSU Enterprise Postgres Advanced Edition 12 - 14SP1
          FUJITSU Enterprise Postgres Standard Edition 12 - 14SP1
          Symfoware Server Enterprise Extended Edition(Postgres) V12.5.0 - V12.7.0
          Symfoware Server Enterprise Edition(Postgres) V12.4.1 - V12.7.0
          Symfoware Server Standard Edition(Postgres) V12.4.1 - V12.7.0
     2) Apply an emergency modification to a product of 1).
   - Action
     Modify owner and group to root.
   - Compatibility Information
     None.

02 PH23344
   [*]Security failure  [*]Serious failure ([ ]Degradation)
   [ ]Incompatibility does not exist / [*]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     This fix reflects fixes up to OpenSSL 3.0.12 in this product and does not
     indicate any specific symptoms.
   - Requirements to reproduce this issue
     This fix reflects fixes up to OpenSSL 3.0.12 in this product and has no
     specific occurrence conditions.
     The version of OpenSSL in which this product reflects the correction is as
     follows.
       - Enterprise Postgres 12, 12SP1, 12SP1A, 12SP1B, 13, 13SP1, 13SP1A,
         14, 14SP1, 15, 15SP1
           1.1.1t
       - Symfoware Server V12.4.1, V12.5.0, V12.6.0, V12.6.0A, V12.7.0
           1.1.1t
     To check the details of the changes up to OpenSSL 3.0.12, see the OpenSSL
     release notes.
       https://www.openssl.org/docs/man3.0/man7/migration_guide.html
   - Action
     Apply OpenSSL changes to the product.
   - Compatibility Information
     - Summary
       Change the version of OpenSSL in this product to 3.0.12.
       Along with this, the following changes have been made:
       1. Some of the available encryption algorithms are no longer available
          by default.
       2. The use of certificates signed using SHA-1 is now prohibited.
     - Environment
       1. 1) Apply the patches that include PH23344, and
          2) Use one of the following encryption algorithms using the pgcrypto
             module.
             - BF
             - CAST5
             - DES-ECB
             - DES-CBC
             - MD4
             - Whirlpool
       2. 1) Apply the patches that include PH23344, and
          2) For certificate authentication, specify a certificate signed using
             SHA1.
     - Products combination of this compatibility problem
       If the patches that include PH23344 are applied and the conditions
       listed in "Environment" apply.
     - Reason of conflictions
       This is because of a specification change associated with the version
       upgrade of OpenSSL in this product.
     - Impacts
       1. Functions of pgcrypto module cause errors.
       2. Connection using certificate authentication results in an error.
     - Functional items (Summary, Before/After of migration)
       1. When using legacy algorithms in pgcrypto, an extension module for
          PostgreSQL, you need to prepare an OpenSSL configuration file and add
          parameters to the database server configuration file.
          [Before]
          In pgcrypto, encryption algorithms that have become legacy algorithms
          in OpenSSL 3 can be used with default settings.
          [After]
          In pgcrypto, encryption algorithms that have become legacy algorithms
          in OpenSSL 3 cannot be used with default settings.
       2. Certificates signed using SHA1 cannot be used for certificate
          authentication.
          [Before]
          You can connect to a database server using a certificate signed using
          SHA1.
          [After]
          You cannot connect to a database server using a certificate signed
          using SHA1.
     - Preventive Method
       1. Change the state to use the legacy algorithm by setting the following
          parameters in the database server configuration file postgresql.conf
          and restarting the server. There is no need to change any settings on
          the client side.
          * openssl_conf(string)
            Specify the OpenSSL configuration file. Legacy algorithms are
            available by specifying a valid configuration file. Please prepare
            the configuration file in any directory, referring to the example
            below. If this parameter is not specified, an empty string will be
            assumed. This parameter can only be set by specifying the parameter
            when starting the instance.
            It cannot be dynamically changed during instance startup.
            [example of OpenSSL configuration file]
            =====================
            openssl_conf = openssl_init

            [openssl_init]
            providers = provider_sect

            [provider_sect]
            default = default_sect
            legacy = legacy_sect

            [default_sect]
            activate = 1

            [legacy_sect]
            activate = 1
            =====================
            [example of parameter setting]
            openssl_conf = '/path/to/openssl.conf'
          * openssl_modules(string)
            Specifies the directory where additional OpenSSL modules are
            stored. Legacy algorithms can be used by specifying
            'server installation directory/lib/ossl-modules'. If this parameter
            is not specified, an empty string will be assumed. This parameter
            can only be set by specifying the parameter when starting the
            instance. It cannot be dynamically changed during instance startup.
            This parameter sets the environment variable OPENSSL_MODULES that
            applies to the server process. Please do not set the environment
            variable OPENSSL_MODULES using any method other than setting this
            parameter, as this may result in abnormal behavior.
            [example of parameter setting]
            openssl_modules = '/opt/fsepv15server64/lib/ossl-modules'
       2. Please reissue the certificate used for certificate authentication
          with SHA2 or higher.
     - Back out method of the functions
       None.
     - User action
       It is the same as the Preventive Method.
-------------------------------------------------------------------------------
[Accumulated Patches]
The following fixes are included in this patch:

Fix Number: FJSVfsep-POOL2-13-1301-3.el7.x86_64

01 PH21679
   [ ]Security failure  [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     There is no particular issue because bug corrections in Pgpool-II 4.2.7
     and 4.2.8 apply to FUJITSU Enterprise Postgres.
   - Requirements to reproduce this issue
     There is no particular condition because this fix applies the changes of
     Pgpool-II 4.2.7 and 4.2.8 to FUJITSU Enterprise Postgres.
     You can see the applied changes at the URLs below.
       https://www.pgpool.net/docs/42/en/html/release-4-2-7.html
       https://www.pgpool.net/docs/42/en/html/release-4-2-8.html
   - Action
     Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.
   - Compatibility Information
     None.

Fix Number: FJSVfsep-POOL2-13-1301-2.el7.x86_64

01 PH21384
   [*]Security failure  [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     There is no particular issue because bug corrections in Pgpool-II 4.2.2,
     4.2.3, 4.2.4, 4.2.5 and 4.2.6 apply to FUJITSU Enterprise Postgres.
   - Requirements to reproduce this issue
     There is no particular condition because this fix applies the changes of
     Pgpool-II 4.2.2, 4.2.3, 4.2.4, 4.2.5 and 4.2.6 to FUJITSU Enterprise
     Postgres.
     You can see the applied changes at the URLs below.
       https://www.pgpool.net/docs/42/en/html/release-4-2-2.html
       https://www.pgpool.net/docs/42/en/html/release-4-2-3.html
       https://www.pgpool.net/docs/42/en/html/release-4-2-4.html
       https://www.pgpool.net/docs/42/en/html/release-4-2-5.html
       https://www.pgpool.net/docs/42/en/html/release-4-2-6.html
   - Action
     Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.
   - Compatibility Information
     None.

Fix Number: FJSVfsep-POOL2-13-1301-1.el7.x86_64

01 PH20784
   [ ]Security failure  [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists
   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
   - Description
     There is no particular issue because bug corrections in Pgpool-II 4.2.1
     apply to FUJITSU Enterprise Postgres.
   - Requirements to reproduce this issue
     There is no particular condition because this fix applies the changes of
     Pgpool-II 4.2.1 to FUJITSU Enterprise Postgres.
     You can see the applied changes at the URL below.
       https://www.pgpool.net/docs/42/en/html/release-4-2-1.html
   - Action
     Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.
   - Compatibility Information
     None.
-------------------------------------------------------------------------------
[List of fixed files]
Files replaced by the patch:
  $INS_DIR/bin/pcp_attach_node
  $INS_DIR/bin/pcp_detach_node
  $INS_DIR/bin/pcp_health_check_stats
  $INS_DIR/bin/pcp_node_count
  $INS_DIR/bin/pcp_node_info
  $INS_DIR/bin/pcp_pool_status
  $INS_DIR/bin/pcp_proc_count
  $INS_DIR/bin/pcp_proc_info
  $INS_DIR/bin/pcp_promote_node
  $INS_DIR/bin/pcp_recovery_node
  $INS_DIR/bin/pcp_reload_config
  $INS_DIR/bin/pcp_stop_pgpool
  $INS_DIR/bin/pcp_watchdog_info
  $INS_DIR/bin/pg_enc
  $INS_DIR/bin/pg_md5
  $INS_DIR/bin/pgpool
  $INS_DIR/bin/pgpool_setup
  $INS_DIR/bin/pgproto
  $INS_DIR/bin/watchdog_setup
  $INS_DIR/bin/wd_cli
  $INS_DIR/etc/escalation.sh.sample
  $INS_DIR/etc/failover.sh.sample
  $INS_DIR/etc/follow_primary.sh.sample
  $INS_DIR/etc/pcp.conf.sample
  $INS_DIR/etc/pgpool.conf.sample
  $INS_DIR/etc/pgpool.conf.sample-logical
  $INS_DIR/etc/pgpool.conf.sample-raw
  $INS_DIR/etc/pgpool.conf.sample-replication
  $INS_DIR/etc/pgpool.conf.sample-slony
  $INS_DIR/etc/pgpool.conf.sample-snapshot
  $INS_DIR/etc/pgpool.conf.sample-stream
  $INS_DIR/etc/pgpool_remote_start.sample
  $INS_DIR/etc/pool_hba.conf.sample
  $INS_DIR/etc/product.inf
  $INS_DIR/etc/recovery_1st_stage.sample
  $INS_DIR/etc/recovery_2nd_stage.sample
  $INS_DIR/include/libpcp_ext.h
  $INS_DIR/include/pcp.h
  $INS_DIR/include/pool_process_reporting.h
  $INS_DIR/include/pool_type.h
  $INS_DIR/lib/libpcp.a
  $INS_DIR/lib/libpcp.la
  $INS_DIR/lib/libpcp.so.2.0.0
  $INS_DIR/share/pgpool-II/insert_lock.sql
  $INS_DIR/share/pgpool-II/pgpool.pam
-------------------------------------------------------------------------------
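
Added example, not part of the Fujitsu readme: a Python check that an OpenSSL configuration file prepared for the openssl_conf parameter (PH23344, Preventive Method) activates both providers named in the readme's example. The function name, the `__global__` placeholder section and the embedded sample are assumptions of this example; it reads only plain `key = value` lines and expects `activate = 1` as the readme shows.

```python
import configparser

# Constructed sample: the configuration file shown in the readme's example.
README_EXAMPLE = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""

def check_providers(conf_text, required=("default", "legacy")):
    """Return a list of problems; empty means each required provider is
    reachable from openssl_conf and carries activate = 1."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   inline_comment_prefixes=("#",))
    # OpenSSL allows keys before the first [section]; configparser does not,
    # so they are parked under a placeholder section name (hypothetical).
    cp.read_string("[__global__]\n" + conf_text)

    def follow(section, key):
        # Resolve "key = other_section"; None if the chain is broken here.
        target = (cp.get(section, key, fallback=None) or "").strip()
        return target if target and cp.has_section(target) else None

    init = follow("__global__", "openssl_conf")
    if init is None:
        return ["openssl_conf does not point to an existing section"]
    providers = follow(init, "providers")
    if providers is None:
        return ["[%s] has no usable 'providers' entry" % init]
    problems = []
    for name in required:
        sect = follow(providers, name)
        if sect is None:
            problems.append("provider '%s' is not listed" % name)
        elif (cp.get(sect, "activate", fallback=None) or "").strip() != "1":
            problems.append("provider '%s' lacks activate = 1" % name)
    return problems

if __name__ == "__main__":
    print(check_providers(README_EXAMPLE) or "both providers activated")
```

Pass it the contents of the file named by openssl_conf in postgresql.conf before restarting the instance; a configuration that lists only the legacy provider is reported because the default provider is then missing from the list.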