Under Construction
Does an Ifix to be installed have the property to be removed automatically?
Before we install the 3 provided ifixes on our system, we ask ourselves whether these ifixes will be automatically removed during an update.
In IBM software (AIX, PowerHA and others), an APAR is assigned an associated ifix. Conversely, such an ifix also contains a reference to the associated APAR (or several). There are various ways to display this reference to an APAR. Here is the variant with the emgr command for the OpenSSH ifix:
# emgr -d -e 81112ma.240224.epkg.Z -v 3
…
+-----------------------------------------------------------------------------+
Displaying Configuration File "APARREF"
+-----------------------------------------------------------------------------+
none
…
#
Note: The value 3 must be specified for the “-v” option, otherwise less information is shown and the reference to an APAR is not displayed.
The section on APARREF is relevant. There is no reference to an APAR for this ifix (value here is “none”). Therefore, this ifix cannot be automatically removed during an update!
We list the second Ifix (IJ50424s7a.240315.epkg.Z) in the same way:
# emgr -d -e IJ50424s7a.240315.epkg.Z -v 3
…
+-----------------------------------------------------------------------------+
Displaying Configuration File "APARREF"
+-----------------------------------------------------------------------------+
37086|:|IJ50424|:|sendmail security vulnerability CVE-2023-51765
…
#
This time a reference to the APAR IJ50424 is listed. If an update to be installed contains the official fix for APAR IJ50424, then the ifix would be automatically removed during the update. (See later).
Let’s take a look at the third Ifix (IJ52366s7a.241113.epkg.Z):
# emgr -d -e IJ52366s7a.241113.epkg.Z -v 3
…
+-----------------------------------------------------------------------------+
Displaying Configuration File "APARREF"
+-----------------------------------------------------------------------------+
37747|:|IJ52366|:|a potential security issue exists
…
#
Here, too, a reference to an APAR is included. This means that this ifix can also be automatically removed during an update, provided the update contains the corresponding APAR (IJ52366).
Ultimately, an ifix file is just a tar file that has been compressed with the compress command. The tar file contains the references to APARs in the aparref file. You can therefore display the APAR references as follows:
# zcat IJ52366s7a.241113.epkg.Z | tar xvf - ./aparref
x ./aparref, 52 bytes, 1 tape blocks
# cat aparref
37747|:|IJ52366|:|a potential security issue exists
#
You simply extract the aparref file and then list its contents. This is a bit faster than using “emgr -d”.
So it is very easy to see whether an ifix can be automatically removed during an update or not.