-------------------------------------------------------------------------------
Fix Number: FJSVfsep-POOL2-12-1201-4.el8.s390x

Product Names and Versions:
    FUJITSU Enterprise Postgres Pgpool-II 12 *1

    *1 It is bundled with the server package of the following product.
       FUJITSU Software Enterprise Postgres Advanced Edition 12 SP1 for
       Linux on Z

Creation date: 20.11.2023
-------------------------------------------------------------------------------
[High Risk Activity]

The Customer acknowledges and agrees that the Product is designed, developed
and manufactured as contemplated for general use, including without
limitation, general office use, personal use, household use, and ordinary
industrial use, but is not designed, developed and manufactured as
contemplated for use accompanying fatal risks or dangers that, unless
extremely high safety is secured, could lead directly to death, personal
injury, severe physical damage or other loss (hereinafter "High Safety
Required Use"), including without limitation, nuclear reaction control in
nuclear facility, aircraft flight control, air traffic control, mass transport
control, medical life support system, missile launch control in weapon system.
The Customer shall not use the Product without securing the sufficient safety
required for the High Safety Required Use. In addition, Fujitsu (or other
affiliate's name) shall not be liable against the Customer and/or any third
party for any claims or damages arising in connection with the High Safety
Required Use of the Product.

Product and company names mentioned in this manual are the trademarks or
registered trademarks of their respective owners.

Copyright 2021-2022 FUJITSU LIMITED
-------------------------------------------------------------------------------
[Notes]

- This is the readme for RHEL 8.

- This fix is applicable to environments where the following are installed.
    FUJITSU Enterprise Postgres Pgpool-II 12

- Please ensure that the following steps are carried out before applying or
  deleting this patch.
    - Do not set the library path of FUJITSU Enterprise Postgres (*1) in the
      environment variables (*2).
        (*1) /lib
        (*2) LD_LIBRARY_PATH and LD_LIBRARY_PATH_32.
    - Stop the running Pgpool-II.

- If applying or restoring this fix fails, collect the following materials
  and contact our technical staff.
    - /var/log/fsep_POOL2_1201_patch.log
    - /var/opt/FJSVfupde/log (All files in log directory)

- Perform the recovery procedure to return to the pre-apply or pre-restore
  state if all of the following conditions are met.
    1) Applying or restoring this fix failed.
    2) The following log file exists.
         /var/log/fsep_POOL2_1201_patch.log
    3) The log file ends with one of the following.
         ROLLBACK(U): was failed(non-0 return value).
         ROLLBACK(I): was failed(non-0 return value).

  [Recovery procedure]
    1) Run the following command to switch to the superuser on the system.
         $ su -
         Password:******
    2) Verify that the package is installed by running the following
       command. If it is not installed, go to step 4).
         # rpm -q FJSVfsep-POOL2-12
    3) Run the following command to uninstall the package.
         # rpm -e FJSVfsep-POOL2-12 --nodeps
       To confirm the uninstallation, run the following command.
         # rpm -q FJSVfsep-POOL2-12
    4) Run the following command to install the package.
         # cd /PKG
         # rpm -i FJSVfsep-POOL2-12-*.rpm(*1) \
               --prefix= --nodeps
    5) To confirm the installation, run the following command.
         # rpm -q FJSVfsep-POOL2-12

    (*1) File names are different on apply failure and restore failure.

- After this patch is applied, SSL connections from the client to the DB
  server might fail if you use SSL connections with the PostgreSQL ssl
  parameter enabled. A list matching the list of cipher suites provided by
  OpenSSL 3.0 SECLEVEL=1 must be available to the client.
  If the list of cipher suites used by a client cannot be changed, SSL
  connections can be made by changing ssl_ciphers from its default value
  (HIGH:MEDIUM:+3DES:!aNULL). Note that if you specify SECLEVEL=0, the
  security strength may be reduced by allowing cryptographic algorithms that
  were deprecated in OpenSSL 3.0.
  For example, for the Oracle JDK:
    - If you are using Oracle JDK 1.6, set ssl_ciphers to
        'HIGH:MEDIUM:+3DES:!aNULL:!DH@SECLEVEL=0'
    - If you are using Oracle JDK 1.7, set ssl_ciphers to
        'HIGH:MEDIUM:+3DES:!aNULL@SECLEVEL=0'
-------------------------------------------------------------------------------
[Patch Description]

The following fixes are included in this patch:

Fix Number: FJSVfsep-POOL2-12-1201-4.el8.s390x

01 PH23344
   [*]Security failure
   [*]Serious failure ([ ]Degradation)
   [ ]Incompatibility does not exist / [*]Incompatibility exists

   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)

   - Description
       This fix reflects fixes up to OpenSSL 3.0.12 in this product and does
       not indicate any specific symptoms.

   - Requirements to reproduce this issue
       This fix reflects fixes up to OpenSSL 3.0.12 in this product and has
       no specific occurrence conditions.
       The version of OpenSSL in which this product reflects the correction
       is as follows.
         - Enterprise Postgres Advanced Edition 12 SP1 for Linux on Z
             1.1.1t
       To check the details of the changes up to OpenSSL 3.0.12, see the
       OpenSSL release notes.
         https://www.openssl.org/docs/man3.0/man7/migration_guide.html

   - Action
       Apply OpenSSL changes to the product.

   - Compatibility Information
     - Summary
         Change the version of OpenSSL in this product to 3.0.12.
         Along with this, the following changes have been made:
           1. Some of the available encryption algorithms are no longer
              available by default.
           2. The use of certificates signed using SHA-1 is now prohibited.

     - Environment
         1. 1) A patch that includes PH23344 is applied, and
            2) One of the following encryption algorithms is used through
               the pgcrypto module.
                 - BF
                 - CAST5
                 - DES-ECB
                 - DES-CBC
                 - MD4
                 - Whirlpool
         2. 1) A patch that includes PH23344 is applied, and
            2) For certificate authentication, a certificate signed using
               SHA1 is specified.

     - Products combination of this compatibility problem
         If a patch that includes PH23344 is applied and the conditions
         listed in "Environment" apply.

     - Reason of conflictions
         This is because of a specification change associated with the
         version upgrade of OpenSSL in this product.

     - Impacts
         1. Functions of the pgcrypto module cause errors.
         2. Connection using certificate authentication results in an error.

     - Functional items (Summary, Before/After of migration)
         1. When using legacy algorithms in pgcrypto, an extension module for
            PostgreSQL, you need to prepare an OpenSSL configuration file and
            add parameters to the database server configuration file.
            [Before]
              In pgcrypto, encryption algorithms that have become legacy
              algorithms in OpenSSL 3 can be used with default settings.
            [After]
              In pgcrypto, encryption algorithms that have become legacy
              algorithms in OpenSSL 3 cannot be used with default settings.
         2. Certificates signed using SHA1 cannot be used for certificate
            authentication.
            [Before]
              You can connect to a database server using a certificate signed
              using SHA1.
            [After]
              You cannot connect to a database server using a certificate
              signed using SHA1.

     - Preventive Method
         1. Change the state to use the legacy algorithm by setting the
            following parameters in the database server configuration file
            postgresql.conf and restarting the server. There is no need to
            change any settings on the client side.

            * openssl_conf(string)
              Specify the OpenSSL configuration file. Legacy algorithms are
              available by specifying a valid configuration file. Please
              prepare the configuration file in any directory, referring to
              the example below.
              If this parameter is not specified, an empty string will be
              assumed.
              This parameter can only be set by specifying the parameter when
              starting the instance.
              It cannot be dynamically changed during instance startup.

              [example of OpenSSL configuration file]
              =====================
              openssl_conf = openssl_init

              [openssl_init]
              providers = provider_sect

              [provider_sect]
              default = default_sect
              legacy = legacy_sect

              [default_sect]
              activate = 1

              [legacy_sect]
              activate = 1
              =====================

              [example of parameter setting]
              openssl_conf = '/path/to/openssl.conf'

            * openssl_modules(string)
              Specifies the directory where additional OpenSSL modules are
              stored. Legacy algorithms can be used by specifying
              'server installation directory/lib/ossl-modules'.
              If this parameter is not specified, an empty string will be
              assumed.
              This parameter can only be set by specifying the parameter when
              starting the instance. It cannot be dynamically changed during
              instance startup.
              This parameter sets the environment variable OPENSSL_MODULES
              that applies to the server process. Please do not set the
              environment variable OPENSSL_MODULES using any method other
              than setting this parameter, as this may result in abnormal
              behavior.

              [example of parameter setting]
              openssl_modules = '/opt/fsepv15server64/lib/ossl-modules'

         2. Please reissue the certificate used for certificate
            authentication with SHA2 or higher.

     - Back out method of the functions
         None.

     - User action
         It is the same as the Preventive Method.
-------------------------------------------------------------------------------
[Accumulated Patches]

The following fixes are included in this patch:

Fix Number: FJSVfsep-POOL2-12-1201-3.el8.s390x

01 PH21676
   [ ]Security failure
   [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists

   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)

   - Description
       There is no particular issue because bug corrections in
       Pgpool-II 4.1.10 and 4.1.11 apply to FUJITSU Enterprise Postgres.

   - Requirements to reproduce this issue
       There is no particular condition because this fix applies the changes
       of Pgpool-II 4.1.10 and 4.1.11 to FUJITSU Enterprise Postgres.
       You can see applied changes in the below URLs.
         https://www.pgpool.net/docs/41/en/html/release-4-1-10.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-11.html

   - Action
       Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.

   - Compatibility Information
       None.

Fix Number: FJSVfsep-POOL2-12-1201-2.el8.s390x

01 PH21383
   [*]Security failure
   [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists

   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)

   - Description
       There is no particular issue because bug corrections in
       Pgpool-II 4.1.8 and 4.1.9 apply to FUJITSU Enterprise Postgres.

   - Requirements to reproduce this issue
       There is no particular condition because this fix applies the changes
       of Pgpool-II 4.1.8 and 4.1.9 to FUJITSU Enterprise Postgres.
       You can see applied changes in the below URLs.
         https://www.pgpool.net/docs/41/en/html/release-4-1-8.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-9.html

   - Action
       Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.

   - Compatibility Information
       None.

Fix Number: FJSVfsep-POOL2-12-1201-1.el8.s390x

01 PH20783
   [ ]Security failure
   [*]Serious failure ([ ]Degradation)
   [*]Incompatibility does not exist / [ ]Incompatibility exists

   - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)

   - Description
       There is no particular issue because bug corrections in
       Pgpool-II 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6 and 4.1.7 apply to
       FUJITSU Enterprise Postgres.

   - Requirements to reproduce this issue
       There is no particular condition because this fix applies the changes
       of Pgpool-II 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6 and 4.1.7 to
       FUJITSU Enterprise Postgres.
       You can see applied changes in the below URLs.
         https://www.pgpool.net/docs/41/en/html/release-4-1-1.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-2.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-3.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-4.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-5.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-6.html
         https://www.pgpool.net/docs/41/en/html/release-4-1-7.html

   - Action
       Apply the changes of Pgpool-II to FUJITSU Enterprise Postgres.

   - Compatibility Information
       None.
-------------------------------------------------------------------------------
[List of fixed files]

Files replaced by the patch:

    $INS_DIR
    $INS_DIR/bin
    $INS_DIR/bin/pcp_attach_node
    $INS_DIR/bin/pcp_detach_node
    $INS_DIR/bin/pcp_node_count
    $INS_DIR/bin/pcp_node_info
    $INS_DIR/bin/pcp_pool_status
    $INS_DIR/bin/pcp_proc_count
    $INS_DIR/bin/pcp_proc_info
    $INS_DIR/bin/pcp_promote_node
    $INS_DIR/bin/pcp_recovery_node
    $INS_DIR/bin/pcp_stop_pgpool
    $INS_DIR/bin/pcp_watchdog_info
    $INS_DIR/bin/pg_enc
    $INS_DIR/bin/pg_md5
    $INS_DIR/bin/pgpool
    $INS_DIR/bin/pgpool_setup
    $INS_DIR/bin/pgproto
    $INS_DIR/bin/watchdog_setup
    $INS_DIR/etc
    $INS_DIR/etc/failover.sh.sample
    $INS_DIR/etc/follow_master.sh.sample
    $INS_DIR/etc/pcp.conf.sample
    $INS_DIR/etc/pgpool.conf.sample
    $INS_DIR/etc/pgpool.conf.sample-logical
    $INS_DIR/etc/pgpool.conf.sample-master-slave
    $INS_DIR/etc/pgpool.conf.sample-replication
    $INS_DIR/etc/pgpool.conf.sample-stream
    $INS_DIR/etc/pgpool_remote_start.sample
    $INS_DIR/etc/pool_hba.conf.sample
    $INS_DIR/etc/product.inf
    $INS_DIR/etc/recovery_1st_stage.sample
    $INS_DIR/etc/recovery_2nd_stage.sample
    $INS_DIR/include
    $INS_DIR/include/libpcp_ext.h
    $INS_DIR/include/pcp.h
    $INS_DIR/include/pool_process_reporting.h
    $INS_DIR/include/pool_type.h
    $INS_DIR/lib
    $INS_DIR/lib/libcom_err.so.3
    $INS_DIR/lib/libcrypto.so
    $INS_DIR/lib/libcrypto.so.3
    $INS_DIR/lib/libgssapi_krb5.so.2
    $INS_DIR/lib/libk5crypto.so.3
    $INS_DIR/lib/libkrb5.so.3
    $INS_DIR/lib/libkrb5support.so.0
    $INS_DIR/lib/liblber-2.5.so.0
    $INS_DIR/lib/libldap-2.5.so.0
    $INS_DIR/lib/libpcp.a
    $INS_DIR/lib/libpcp.la
    $INS_DIR/lib/libpcp.so
    $INS_DIR/lib/libpcp.so.1
    $INS_DIR/lib/libpcp.so.1.0.0
    $INS_DIR/lib/libpq.so.5
    $INS_DIR/lib/libssl.so
    $INS_DIR/lib/libssl.so.3
    $INS_DIR/share
    $INS_DIR/share/pgpool-II
    $INS_DIR/share/pgpool-II/insert_lock.sql
    $INS_DIR/share/pgpool-II/pgpool.pam
-------------------------------------------------------------------------------
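
The notes and the Preventive Method above describe two workarounds that trade security strength for compatibility: ssl_ciphers with @SECLEVEL=0, and an openssl_conf file that activates the legacy provider. The following shell script is an added example, not part of the Fujitsu readme or product, that reports both for a given postgresql.conf. The function names and sample files are constructed for illustration; it assumes parameter values contain no '#' and does not follow .include directives in the OpenSSL configuration file.

```shell
#!/bin/sh
# Added example (not Fujitsu code); function names are hypothetical.
# Effective value of a postgresql.conf parameter (the last assignment wins).
pgconf_get() {  # $1 = parameter name, $2 = postgresql.conf
    awk -v key="$1" -v q="'" '
        { sub(/#.*/, "") }    # strip comments; assumes no "#" inside values
        $0 ~ "^[ \t]*" key "([ \t]*=|[ \t])" {
            sub("^[ \t]*" key "[ \t]*=?[ \t]*", ""); sub(/[ \t]+$/, "")
            gsub("^" q "|" q "$", ""); val = $0
        } END { print val }' "$2"
}

# True if ssl_ciphers lowers the OpenSSL security level to 0.
ciphers_lower_seclevel() {  # $1 = postgresql.conf
    case "$(pgconf_get ssl_ciphers "$1")" in *@SECLEVEL=0*) return 0 ;; esac
    return 1
}

# True if the OpenSSL config file activates the legacy provider. Follows
# openssl_conf -> providers -> legacy -> activate; any activate key counts.
legacy_provider_active() {  # $1 = OpenSSL configuration file
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2); next }
        /=/ { split($0, kv, "="); conf[sect "/" kv[1]] = kv[2] }
        END {
            leg = conf[conf[conf["/openssl_conf"] "/providers"] "/legacy"]
            exit !(leg != "" && ((leg "/activate") in conf))
        }' "$1"
}

audit() {  # $1 = postgresql.conf; prints one WARN line per finding
    oc=$(pgconf_get openssl_conf "$1")
    if ciphers_lower_seclevel "$1"; then echo "WARN ssl_ciphers uses SECLEVEL=0"; fi
    if [ -n "$oc" ] && legacy_provider_active "$oc"; then
        echo "WARN legacy provider active via $oc"
    fi
}

# Constructed sample files, using the values from the readme examples.
d=$(mktemp -d)
printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' \
    'providers = provider_sect' '[provider_sect]' 'default = default_sect' \
    'legacy = legacy_sect' '[default_sect]' 'activate = 1' \
    '[legacy_sect]' 'activate = 1' > "$d/openssl.conf"
printf '%s\n' "#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'" \
    "ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL@SECLEVEL=0'  # JDK 1.7 client" \
    "openssl_conf = '$d/openssl.conf'" > "$d/postgresql.conf"
audit "$d/postgresql.conf"
```

Either warning marks a setting to retire once the clients or stored data that required it have been migrated.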