Does an update contain the official fix for an APAR?
In order for an installed ifix to be automatically removed during an update (TL, SP or PTF update), the following three requirements must be met:
- The installed ifix must have the property to be removed automatically.
- The update to be installed must contain the official fix for the APAR of the installed ifix.
- The fileset that contains the official fix for the APAR must be an update fileset! (There can also be multiple filesets.)
For the three example ifixes, we found that the OpenSSH ifix (81112ma) is not automatically removable, but the other two ifixes (IJ50424s7a and IJ52366s7a) are automatically removable. The updates must contain the official fixes for the following two APARs: IJ50424 and IJ52366.
The example system is at version 7200-05-07-2346 and shall be updated to 7200-05-08-2420. We have mounted the LPP source with this AIX version under /mnt/aix720508lpp:
# ls -l /mnt/aix720508lpp
total 0
drwxr-xr-x 3 root system 256 Jun 10 2024 RPMS
drwxr-xr-x 3 root system 256 Jun 19 2024 emgr
drwxr-xr-x 3 root system 256 Jun 10 2024 installp
drwxr-xr-x 3 root system 256 Jun 18 2024 ismp
drwxr-xr-x 3 root system 256 Jun 10 2024 usr
#
Regarding the automatic removal of the example ifixes, the question now arises as to whether these are automatically removed during an update with the AIX version mentioned. For the OpenSSH ifix, it is already clear that this is not the case, and the ifix 81112ma must be removed manually, at least if the update contains a newer OpenSSH version. For the other two ifixes, we can use the command “installp -A” to check whether the LPP source mounted under /mnt/aix720508lpp contains the necessary APARs (IJ50424 and IJ52366). To do this, you need the information about which fileset the official fix is in. This fileset (there can be several filesets) is locked by the installed ifix and can be displayed with “emgr -P” (package view):
# emgr -P
PACKAGE INSTALLER LABEL
======================================================== =========== ==========
openssh.base.client installp 81112ma
openssh.base.server installp 81112ma
bos.net.tcp.sendmail installp IJ50424s7a
bos.net.tcp.client_core installp IJ52366s7a
#
Let’s first check this for the installed ifix IJ50424s7a; the corresponding fileset in the update is bos.net.tcp.sendmail. The installp command offers the option of listing the APARs contained in a fileset using the “-A” option. We do this for the fileset mentioned and specifically search for the APAR IJ50424:
# installp -Ad /mnt/aix720508lpp bos.net.tcp.sendmail 2>/dev/null | grep -p IJ50424
fix:
name = IJ50424
abstract = A potential security issue exists
type = f
filesets = "bos.net.tcp.sendmail:7.2.5.201\n\
"
symptom = " This APAR addresses a potential security issue. Any relevant\n\
information will be released via My Notifications.\n\
https://www.ibm.com/support/mynotifications\n\
"
#
The APAR is included in the update in version 7.2.5.201 of the fileset bos.net.tcp.sendmail. This means that the installed ifix IJ50424s7a will be automatically removed during the update.
We repeat the check for the third installed ifix (IJ52366s7a) and the associated fileset bos.net.tcp.client_core:
# installp -Ad /mnt/aix720508lpp bos.net.tcp.client_core 2>/dev/null | grep -p IJ52366
#
The official fix for the APAR IJ52366 is not included in the update. Therefore, the installed ifix IJ52366s7a is not automatically removed during an update.
Whether the installed ifix IJ52366s7a has to be removed manually before the update depends on whether the fileset bos.net.tcp.client_core, which is locked by this ifix, is updated by the update or not. We briefly check the currently installed version of this fileset:
# lslpp -l bos.net.tcp.client_core
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.net.tcp.client_core 7.2.5.204 COMMITTED TCP/IP Client Core Support
EFIXLOCKED
Path: /etc/objrepos
bos.net.tcp.client_core 7.2.5.204 COMMITTED TCP/IP Client Core Support
EFIXLOCKED
#
The installed version is 7.2.5.204. We now check which version of this fileset is available in the update:
# installp -Ld /mnt/aix720508lpp | grep bos.net.tcp.client_core
bos.net:bos.net.tcp.client_core:7.2.0.0::I:T:::::b:TCP/IP Client Core Support ::::0:1543:
…
bos.net.tcp.client_core:bos.net.tcp.client_core:7.2.5.205::I:T:::::b:TCP/IP Client Core Support ::::0:2419:
#
The update includes the higher version 7.2.5.205. This means that the installed ifix IJ52366s7a must be removed manually before an update.
We summarize the results of the investigations:
- The installed ifix 81112ma must be removed manually, because there is no reference to an APAR. (This means it is not possible to check whether an update contains the official fix or not.)
- The installed ifix IJ50424s7a will be automatically removed during the update, because the referenced APAR IJ50424 is included in the update.
- The installed ifix IJ52366s7a is not automatically removed during the update, because the referenced APAR IJ52366 is not included in the update. The ifix must be uninstalled manually before the update, because the update contains a newer version of bos.net.tcp.client_core.
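The checks above, combined into one decision per ifix-locked fileset, as an added example that is not part of the original page. The `sample_*` functions and the names `newer`, `update_level` and `check_ifix` are assumptions of this example; the sample output is shortened from the listings above, and the OpenSSH ifix is left out because it references no APAR.

```shell
#!/bin/sh
# Added example, not from the original page. The sample_* functions return
# output shortened from the page; on a live system use the command in each comment.
sample_apars() {      # installp -Ad /mnt/aix720508lpp "$1" 2>/dev/null
  if [ "$1" = bos.net.tcp.sendmail ]; then
    printf 'fix:\n        name = IJ50424\n        type = f\n'
  fi
}
sample_installed() {  # lslpp -l "$1"
  echo "  bos.net.tcp.client_core 7.2.5.204 COMMITTED TCP/IP Client Core Support"
}
sample_update() {     # installp -Ld /mnt/aix720508lpp
  echo "bos.net:bos.net.tcp.client_core:7.2.0.0::I:T:::::b:TCP/IP Client Core Support ::::0:1543:"
  echo "bos.net.tcp.client_core:bos.net.tcp.client_core:7.2.5.205::I:T:::::b:TCP/IP Client Core Support ::::0:2419:"
}

# newer A B: succeeds when dotted level A is higher than B (numeric per field).
newer() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 1
  }'
}
# update_level FILESET: highest level of FILESET offered by the LPP source.
update_level() {
  best=0
  for lvl in $(sample_update | awk -F: -v fs="$1" '$2 == fs { print $3 }'); do
    if newer "$lvl" "$best"; then best=$lvl; fi
  done
  echo "$best"
}
# check_ifix FILESET APAR: prints auto-removed, remove-manually or can-stay.
check_ifix() {
  if sample_apars "$1" | grep -q "name = $2\$"; then
    echo auto-removed; return 0
  fi
  inst=$(sample_installed "$1" | awk -v fs="$1" '$1 == fs { print $2; exit }')
  if newer "$(update_level "$1")" "$inst"; then
    echo remove-manually
  else
    echo can-stay
  fi
}

check_ifix bos.net.tcp.sendmail IJ50424       # ifix IJ50424s7a
check_ifix bos.net.tcp.client_core IJ52366    # ifix IJ52366s7a
```

The levels are compared field by field as numbers, so 7.2.5.10 correctly ranks above 7.2.5.9, which a plain string comparison would get wrong.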