Beruflich Dokumente
Kultur Dokumente
This document provides the description including management of new features delivered in OXE version M5. Refer also to the
system documentation.
Revision History
Edition 01: April 17th, 2020 gathering all features from previous editions released during
beta campaign. Document published & transformed into ed.01
Edition 02: May 27th, 2020 changes in: chap. 2.1 & 2.2 (Dect + Wlan sets)
Edition 03: July 6th, 2020 adding info in: chap. 2.1.3 (Dect) + features brought in MD1
patch
Legal notice:
www.al-enterprise.com The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. To view other
trademarks used by affiliated companies of ALE Holding, visit: www.al-enterprise.com/en/legal/trademarks-copyright. All other
trademarks are the property of their respective owners. The information presented is subject to change without notice. Neither
ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein.
© Copyright 2020 ALE International, ALE USA Inc. All rights reserved in all countries.
Table of contents
1 R12.4 / M5.204 ................................................................................................................................ 4
2 New Hardware ................................................................................................................................. 4
2 New Hardware
If sets were installed in R12.3.x after migration they have to be re-registered to take advantage of SUOTA
& maintenance tools. As a telephonic point of view, they will work the same.
2.1.2 Tools
“dectsets” tool is modified to update the type of 8254 handset
"termstat" tool is modified to update the type of 8254 handset
“downstat m” is the tool used to follow the status of DECT sets download in SUOTA. This tool is adapted
to support for new DECT handset types.
The new MIPT 8158s and 8168s handsets can provide the same level service as the existing 81x8
handsets. The entry level model is the 8158s and high-end level is 8168s model. The 8158s is similar to
the existing 8118 and 8168s is similar to the existing 8128. The new handsets (8158s and 8168s) differ
from 81x8 only with respect to the software version. The user would be created as MIPT and then will be
recognized as the new phone set after registration
For backward compatibility in R12.2 & R12.3.1 (only) a specific level of oxe patch has to be installed so
the system gets the possibility to update the firmware as well as in R12.4 Today there is no plan to
backport the tools related to identify those new sets. If a set is installed in a patch that does not have
this possibility it is important to set the parameter Reset for Update Authorized to “No” to avoid a
reset of the MIPT in loop.
2.2.5 Maintenance
There is no specific MAO set type for the new handsets. The type of the MIPT set used will only be seen
by maintenance tools. No new tool would be added for 8158s and 8168s set maintenance. The following
are the tools that can be used to get the information of MIPT sets.
miptsets
miptview
ippstat
tradna
readkey
tftp_check
tradeq
eqstat
termstat
listerm
Note: The “edsbr” tool displays the type as MIPT_300 for 81x8. The same behavior is also applicable for
81x8s.
Firmware version of the set for the M5.204.7.c patch (MD1) is: 2.02.09
3.1 TELEPHONY
3.1.1 4645 - Solve missing voice prompts issue for years 2021 and beyond
We have voice guides from 2000 to 2020 to indicate the year:
If you are in January 2020 and listen to a VG recorded in December 2019, the voice guide will indicate
the year also.
If you are in Jan 2022 and listen to a VG from December 2021, we do not have a voice guide to indicate
2021 and there will be an incident.
We have decided to not create new VG for years after 2020 and we shall remove the incident.
3.1.2 8088 - remove the "new call" softkey when being in conversation
The objective of this feature is to avoid all actions such as Park the call, New call, Put on hold, Forbid
Camp On, Hold via lineman key when user is in conversation
Existing Behavior:
The display in the NOE Conversation page of a user generally displays the caller/callee details and
conversation time along with the soft keys such as Park the call, New call, Put on hold, Forbid Camp On,
Hold via lineman key. The soft keys are appearing based on rights configured in Phone COS. The user has
control over the call using configured soft keys.
Enhancement:
This feature is proposed to control the enquiry call and other features accessible through rights which
have been configured in Phone COS when user being in conversation. A new parameter is introduced in
Alcatel-Lucent 8&9 series Phone COS for this feature. If this parameter is enabled then no actions are
allowed except call release (on hook). Additionally, the hold via lineman key also not possible for this
Note:
This feature is common for all type of NOE (8&9 series) sets.
This feature is applicable only for basic users and not for advanced users such as Attendant,Agent,Hotel
This feature is applicable only for NOE sets.
Configuration procedure:
For this feature a new parameter “Forbid all actions, softkey in conv” is introduced in the path Mgr->Alcatel-Lucent
8&9 series->8&9 Series COS->Phone COS.The default value of parameter is FALSE.
Help text in GEA for Forbid all actions, softkey in conv parameter:
3.1.3 8088 - In the info screen, leave only the name and phone number information
A new parameter "INFO tab: limited display" has been added as a part of this feature.
Existing Behavior
The display in the NOE INFO page of a user generally displays the set feature related status information
(example: no. of new messages, no of non-replied calls) along with the name and phone number of the
user.
Enhancement
This feature is proposed to display the name and phone number alone in the NOE INFO page of the user.
A new parameter is introduced in Alcatel-lucent 8&9 Series, Phone COS. If this parameter is enabled then
name and phone number alone is displayed in the NOE INFO page of the user. If this parameter is
disabled then we will have the default display in the set with all the set feature related status
information.
Note:
This feature is common for all type of NOE sets: IP/TDM and also IPDSP.
When the parameter is modified the set must be rebooted to get the info screen changed.
When IPDSP ACD Operator goes out of service, timer No 386 is started.
If IPDSP ACD Operator returns in service before timer No 386 is expires, nothing is executed.
If timer No 386 expires, Log-Off of IPDSP ACD Operator is automatically executed.
To allow to keep the current way of working, if timer No 386 equals 0, timer No 386 is not started and
then the automatic Log-Off of out of service IPDSP ACD Operator will never been executed.
The automatic Log-Off of the last agent of a processing group is performed even the parameter “Log-Off
last agent” is set to false for this processing group
System Timer No 386: T_AUTOMATIC_LOGOFF_IPDSP_OOS_ACDV
3.1.5 Call to Tandem group (deskphone & DECT) with MLPP rights must take priority on sets
status – MD1
Feature to be described later (MD1 patch)
Important restrictions for the feature avoid reboot when desk sharing log on – log off
• Avoid reboot when desk sharing logon – log off feature is applicable only
o for NOE3GEEsets (8018,8008,8028s,8058s,8068s,8078s).
o when AOM is not configured in DSU/DSS
o when both DSS and DSU are in same node
o when both DSS and DSU belong to same NOE family
• When DSU is logged on
o Deleting or Modifying the DSS in mgr/8770/wbm is restricted
o Changing the set type of DSU in mgr/8770/wbm is restricted
o Configuring AOM in DSU is not recommended
• It is not recommended to configure DSS/DSU as Boss/Secretary
• The configurations of DSS and DSU like user encryption capability, set type, Language, AOM
should be homogenous on both Local and Network cases.
As reminder: no license will be consumed for DSUs. Only license for DSS is required.
Detailed explanation:
Name and directory number displayed on “info home page”.
System Option ‘Displayed Number On Secondary Sets’ set as Main Directory Number
If the “Displayed Number On Secondary Sets” option is set as Main Directory Number, the secondary
tandem set displays directory number of the main set in the directory number field on the info page.
Existing Behaviour
A new user created through “User by profile” is updated depending on the user profile. But, the value
configured in the IPSoftphone Emulation of the profile is not copied to the value of IPSoftphone
Emulation of the User.
Enhancement
Configuring IPSoftphone Emulation through “Users by Profile” Menu:
A new user created through “User by profile”, is updated depending on the user profile. The value
configured in the IPSoftphone Emulation of the profile is copied to the value of IPSoftphone Emulation of
the User.
3.1.12 MLPP: call to tandem group (deskphone + DECT) with MLPP rights MUST take
priority on Sets Status
The objective of this feature is to preempt the busy secondary tandem with low priority call for the
priority call received in main tandem, when main tandem is free.
the requirement is that OTCC-SE sends a specific SIP INFO message, respecting RFC 2976 when the first
physical user answers a SIP call received on a Routing Pilot or a RSI of this OTCC-SE from the network.
The specific SIP INFO message, on answer of the first physical user, is sent for a call to a Routing Pilot or a
RSI only if this new management parameter is set to Orange value for Routing Pilot or RSI:
CCTool:
Operations
The CCTool will provide the following capabilities:
- Launch the FTR will (and no longer from netadmin tool)
- Launch a FTR with input of the PIN code
- Display the FTR status
- Display parameters (keepalive and features )
- Force a RTR request (without waiting the planned slot)
- Display the RTR data (-> the CCTool has access to the remanents)
- Modify the log level for each feature: FRT/RTR/DC/Console/…:
4 log levels will be available: ERROR/INFO/DEBUG(default)/TRACE
Note:
Netadmin tool: “Cloud Connect” menu (19) is removed
“ftrtool” tool does not exist anymore.
The new menu takes into account both FTR and RTR operations.
Management:
Go to: “mgr-> ─Cloud Connect -> Review/Modify: Cloud Connect”
3.3.3 Command for testing web sockets connections for XMPP and SOCKS5 towards Cloud
Connect & Rainbow
In order to help the administrator to configure and enable the Cloud Connect function, a new tool script
“checkCloudConnect.sh” is provided as a help to check or detect bad configuration in OXE or in the
network environment (http proxy, dns).
The capability of the OXE to setup the secured Websocket connection which will support the XMPP link
with the server through the managed HTTPS proxy (the proxy which is declared through netadmin, if
there is one): for this purpose, the check consists in establishing an https connection through the proxy.
To make these tests in a Rainbow context, the script may be executed with a specific -rainbow option.
These tests will be executed by the CCAgent process which already has access to the netadmin data (OXE
DNS configuration and http proxy configuration) and provides the means to execute these tests.
The script checkCloudConfig.sh is executed on line and accepts zero or several arguments:
Usage
checkCloudConfig.sh can accept optional arguments:
checkCloudConfig.sh [-d=domain] [-p=port] [-x=proxy_address:proxy_port] [-rainbow]
ex:checkCloudConfig.sh
=> test on default cci (connect2.opentouch.com:80) server through proxy (from oxe config)
or checkCloudConfig.sh -rainbow
=> test on default rainbow domain (openrainbow.com:443) through proxy (from oxe config)
ex:checkCloudConfig.sh -d=qa.connect2.opentouch.com -p=1080 -x=172.25.6.149:3128
=> test on specified domain and port through specified http proxy
checkCloudConfig.sh -h: to display the optional parameters.
In the OXE, the administrator consults more naturally the incidents than the logs.
To improve the maintenance level, the CC-Agent will also have to produce incidents.
The incidents to be generated concern both operation and errors.
For error incident, an error description must be added.
For trace incident, not need to add additional details.
3.4 SECURITY
3.4.1 Connect OXE to a domain (especially Rainbow) while being in "trusted hosts mode
This feature allows the user to connect OXE to Rainbow when OXE is configured in "trusted hosts
mode"(OXE is isolated). This enables the user to connect OXE to Rainbow without having to know and
manage explicitly the IP address of “agent.openrainbow.com”.
Currently if isolation is enabled in OXE for security reasons, OXE cannot establish connection with
rainbow agent. To connect to Rainbow the domain IP address of 'agent.openrainbow.com' and proxy
server address (if configured) must be added in trusted host list. Connection to Rainbow fails, if there is a
change in IP address of the cloud server ‘agent.openrainbow.com’.
In order to prevent such cases, the IP address of ‘agent.openrainbow.com’ is periodically checked and
updated in OXE’s trust host file. By implementing this feature rainbow connection is established even
after isolation of Ethernet interface and TCP accesses. This relieves the administrator from manually
updating the IP address of ‘agent.openrainbow.com’ as and when it is changed.
With proxy:
In this case, OXE connects to rainbow server via a proxy and the DNS resolution of
agent.openrainbow.com is managed by proxy itself through DNS server.
If proxy is configured then the following steps are to be done to connect OXE to rainbow in trusted host
mode.
- Isolate the OXE
- Add the proxy address to the trusted host.
At present, if OXE is isolated after configuring the proxy, then the existing proxy address is not getting
added in the trusted host list. This issue is resolved as part of this feature implementation.
However, this problem does not occur, if proxy is configured after Ethernet Isolation.
Without Proxy:
In this case, OXE is directly connected to the internet and DNS server is configured to resolve the domain
agent.openrainbow.com.
Enhancement
This feature allows the customer to migrate from Thales modules based encryption to Native encryption
automatically (not completely) and smoothly with minimal downtime.
Description
The tool “iptsecmigration” removes Thales configurations from OXE in a single shot. The tool checks for
the security mode and if the node is secured with IP Touch Security Modules, the tool continues with the
prompt “Are you sure you want to remove IP Touch Security?” and proceed with user confirmation. In
case of the node secured with DTLS mode or not secured, the tool exits at the beginning. The tool backs
up the database before starting to disable the Thales configurations. It is not recommended to interrupt
the tool while it is running until it completes the operation. However, in case of manual interruption or
the tool fails in between, the tool stops the operation and prompt for restoration of database with user
confirmation. If user confirms the restoration, the tool enables the encryption parameter for all the
encrypted links on the link nodes which was disabled by the tool earlier (only if the connectivity is
provided between the link nodes) and the MAO database is restored automatically on next reboot. If the
node is rebooted while running the tool, the user must restore the backed-up MAO database manually
after the reboot to retain the proper Thales configurations. The node which is being separated from
Thales setup is completely delinked from the Thales environment during the entire process. Once the
tool ran successfully, the physical association of Thales boxes (SSM and MSM) must be removed from the
node manually and must be re-connected directly to the switch (for communicating over the network
again).
All the four nodes (N1, N2, N3 and N4) in the network are linked and encrypted with Thales Security
Modules (SM). For migration to Native encryption, each node must be isolated from the network. The
tool “iptsecmigration” disable the Thales encryption in OXE and associated couplers. Once the tool
“iptsecmigration” ran successfully on all nodes in network, clear communication is established over the
network (Figure 6). The association of Thales boxes (SSM and MSM) must be removed from the nodes
manually and must be re-connected directly to the switch (Figure 7).
Note:
Internode calls is not possible until the tool “iptsecmigration” is run on all nodes N1, N2, N3 and
N4. When the tool “iptsecmigration” is run on node N1 alone, link cannot be established
between N1 and other nodes (till the tool “iptsecmigration” is run on all nodes).
It is not recommended to change the MAO parameters while the tool is running.
Once the OXEs and associated couplers are connected directly to the switch, several steps must be
performed manually to configure Native encryption.
Automatic Operations
The tool performs the following operations automatically.
1. Disabling encryption on all encrypted links.
2. Disabling encryption for the particular link on associated link nodes.
3. Building Config_BT.cfg file.
4. Un-securing the lanpbx.cfg file.
5. Removing all the associated security modules (Thales SM) configurations.
6. Disabling encryption on all associated couplers.
Note:
Steps 1 and 2 are not considered for standalone nodes.
Details on each operation will be described in another document.
3.4.3 Native Encryption - SIP TLS: mutual TLS authentication for SIP separated
The TLS feature is embedded in the SipMotor process, SIP TLS encryption is now available without the help of SSM.
This enhancement is available on OXE under the following conditions, managed by MAO:
No SSM is configured.
TLS Signaling is enabled.
The external gateway is configured in TLS.
The need is to have a dedicated parameter to manage mutual TLS authentication for SIP trunks, independently of
mutual TLS authentication used by IP Phones and MediaGW in native encryption.
Now there is in mgr “system -> ....” Native encryption parameters: enable mutual TLS authentication.
This parameter applies both to SIP trunks and IPPhones and MGW.
Feature
Title Status ID Defects
002_Functional Test - Check tag and value for Internal E-Gateway of CROXE-
FSNE enabled node in audit access tool after modification Passed 13456
003_Functional Test - Check tag and value for external E-Gateway of CROXE-
FSNE enabled node in audit access tool Passed 13456
004_Functional Test - Check tag and value for external E-Gateway of CROXE-
FSNE enabled node in audit access tool after modification Passed 13456
005_Functioanal Test - Check keysize and value for CA, CS and Twin CROXE-
Certificates of FSNE enabled node in audit access tool Passed 13456
006_Functional Test - Change keysize for CA, CS and Twin Certificates CROXE-
of FSNE enabled node in audit access tool Passed 13456
007_Functional Test - Check SAN tag and value for CS and Twin CROXE-
certificates of FSNE enabled node in audit access tool Passed 13456
009_Functional Test - Check for hashing algorithm for all User CROXE-
Accounts from new installation with default security level Passed 13456
010_Functional Test - Check for hashing algorithm for all User CROXE- CROXE-
Accounts from new installation with enabled high security level Failed 13456 15324
011_Functional test - Check for hashing algorithm for all User CROXE-
Accounts upgrade from lower release Passed 13456
012_Functional Test - Check hashing algorithm for all user accounts CROXE-
by restoration from M3 linux DB Passed 13456
014_Functional Test - Check hashing algorithm for all user accounts CROXE-
by restoration from M4 linux DB Passed 13456
020_Non-Functional Test - Check tool with many NTP servers and CROXE-
NTP started in the node Passed 13456
023_Non-Functional Test - Check tool with all trunks enabled DISA in CROXE-
the node Passed 13456
3.4.5 Update Linux kernel to 2.6.32-754.24.2 + new openSSH for security vulnerabilities
(MD1)
The scope of the feature is to validate the update of Linux kernel to 2.6.32-754.24.2 + new openSSH for
security vulnerabilities
CVE-2013- nss-util,nss Critical Mozilla Network Security Services (NSS) 3.14 before 3.14.5
5605 and 3.15 before 3.15.3 allows remote attackers to cause a Upgraded packages to latest version
denial of service or possibly have unspecified other impact via nss ( 3.44.0-7.el6_10)
invalid handshake packets. nss-softokn ( 3.44.0-5.el6_10)
nspr ( 4.21.0-1.el6_10)
nss-util (3.44.0-1.el6_10)
CVE-2014- nss Critical Race condition in libssl in Mozilla Network Security Services
1490 (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Upgraded packages to latest version
Firefox ESR 24.x before 24.3, Thunderbird before 24.3, nss ( 3.44.0-7.el6_10)
SeaMonkey before 2.24, and other products, allows remote nss-softokn ( 3.44.0-5.el6_10)
attackers to cause a denial of service (use-after-free) or nspr ( 4.21.0-1.el6_10)
possibly have unspecified other impact via vectors involving a nss-util (3.44.0-1.el6_10)
resumption handshake that triggers incorrect replacement of
a session ticket.
CVE-2014- nss Critical Mozilla Network Security Services (NSS) before 3.15.4, as used
1491 in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Upgraded packages to latest version
Thunderbird before 24.3, SeaMonkey before 2.24, and other nss ( 3.44.0-7.el6_10)
products, does not properly restrict public values in Diffie- nss-softokn ( 3.44.0-5.el6_10)
Hellman key exchanges, which makes it easier for remote nspr ( 4.21.0-1.el6_10)
attackers to bypass cryptographic protection mechanisms in nss-util (3.44.0-1.el6_10)
ticket handling by leveraging use of a certain value.
CVE-2014- nss Critical The cert_TestHostName function in lib/certdb/certdb.c in the
1492 certificate-checking implementation in Mozilla Network Upgraded packages to latest version
Security Services (NSS) before 3.16 accepts a wildcard nss ( 3.44.0-7.el6_10)
character that is embedded in an internationalized domain nss-softokn ( 3.44.0-5.el6_10)
name's U-label, which might allow man-in-the-middle nspr ( 4.21.0-1.el6_10)
attackers to spoof SSL servers via a crafted certificate. nss-util (3.44.0-1.el6_10)
CVE-2015- nss- Critical Mozilla Network Security Services (NSS) before 3.19.1, as used
2730 softokn in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and Upgraded packages to latest version
38.x before 38.1, and other products, does not properly nss ( 3.44.0-7.el6_10)
perform Elliptical Curve Cryptography (ECC) multiplications, nss-softokn ( 3.44.0-5.el6_10)
which makes it easier for remote attackers to spoof ECDSA nspr ( 4.21.0-1.el6_10)
signatures via unspecified vectors. nss-util (3.44.0-1.el6_10)
CVE-2017- nss Critical Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x
5461 through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x Upgraded packages to latest version
before 3.30.1 allows remote attackers to cause a denial of nss ( 3.44.0-7.el6_10)
service (out-of-bounds write) or possibly have unspecified nss-softokn ( 3.44.0-5.el6_10)
other impact by leveraging incorrect base64 operations. nspr ( 4.21.0-1.el6_10)
CVE-2017- nss Critical Null pointer dereference vulnerability in NSS since 3.24.0 was
7502 found when server receives empty SSLv2 messages resulting Upgraded packages to latest version
into denial of service by remote attacker. nss ( 3.44.0-7.el6_10)
nss-softokn ( 3.44.0-5.el6_10)
nspr ( 4.21.0-1.el6_10)
nss-util (3.44.0-1.el6_10)
CVE-2011- libxml2 Critical Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and
1944 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows Upgraded libxml2 package to latest
context-dependent attackers to cause a denial of service version 2.7.6-21.el6_8.1
(crash) and possibly execute arbitrary code via a crafted XML
file that triggers a heap-based buffer overflow when adding a
new namespace node, related to handling of XPath
expressions.
CVE-2011- libxml2 Critical Double free vulnerability in libxml2, as used in Google Chrome
2834 before 14.0.835.163, allows remote attackers to cause a Upgraded libxml2 package to latest
denial of service or possibly have unspecified other impact via version 2.7.6-21.el6_8.1
vectors related to XPath handling.
CVE-2011- libxml2 Critical libxml2, as used in Google Chrome before 16.0.912.63, allows
3905 remote attackers to cause a denial of service (out-of-bounds Upgraded libxml2 package to latest
read) via unspecified vectors. version 2.7.6-21.el6_8.1
CVE-2014- libxml2 Critical parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when Upgraded
3660 entity substitution has been disabled, which allows context-dependent attackers to libxml2 package
cause a denial of service (CPU consumption) via a crafted XML document containing a to latest version
large number of nested entity references, a variant of the "billion laughs" attack. 2.7.6-21.el6_8.1
CVE-2018- kernel Medium Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some
12127 microprocessors utilizing speculative execution may allow an authenticated user to Upgraded kernel
potentially enable information disclosure via a side channel with local access. package to latest
version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2018- kernel Medium Improper invalidation for page table updates by a virtual guest operating system for
12207 multiple Intel(R) Processors may allow an authenticated user to potentially enable Upgraded kernel
denial of service of the host system via local access package to latest
version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2018- kernel Medium The inode_init_owner function in fs/inode.c in the Linux kernel through 4.17.4 allows
13405 local users to create files with an unintended group ownership, in a scenario where a Upgraded kernel
directory is SGID to a certain group and is writable by a user who is not a member of package to latest
that group. Here, the non-member can trigger creation of a plain file whose group version kernel-
ownership is that group. The intended behavior was that the non-member can trigger 2.6.32-ll-dhs3-
creation of a directory (but not a plain file) whose group ownership is that group. The 090.000
non-member can escalate privileges by making the plain file executable and SGID.
An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux Upgraded kernel
kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack package to latest
of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak version kernel-
CVE-2018- kernel Medium kernel task stack contents. 2.6.32-ll-dhs3-
17972 090.000
CVE-2019- kernel Medium Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th
0154 and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor
J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series;
CVE-2019- kernel Medium Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th
0155 and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor Upgraded kernel
J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; package to latest
Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 version kernel-
and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows 2.6.32-ll-dhs3-
before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 090.000
(aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-
rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to
potentially enable escalation of privilege via local access.
CVE-2019- kernel Medium A Spectre gadget was found in the Linux kernel's implementation of system interrupts.
1125 An attacker with local access could use this information to reveal private data through a Upgraded kernel
Spectre like side channel. package to latest
version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch.
3896 An unprivileged local attacker can use this flaw for a privilege escalation or for a system Upgraded kernel
crash and a denial of service (DoS). package to latest
version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may
11135 allow an authenticated user to potentially enable information disclosure via a side Upgraded kernel
channel with local access. package to latest
version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was
11477 subject to an integer overflow in the Linux kernel when handling TCP Selective Upgraded kernel
Acknowledgments (SACKs). A remote attacker could use this to cause a denial of package to latest
service. version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium Jonathan Looney discovered that the TCP retransmission queue implementation in Upgraded kernel
11478 tcp_fragment in the Linux kernel could be fragmented when handling certain TCP package to latest
Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause version kernel-
a denial of service. 2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48
11479 bytes. This allows a remote peer to fragment TCP resend queues significantly more than Upgraded kernel
if a larger MSS were enforced. A remote attacker could use this to cause a denial of package to latest
service. version kernel-
CVE-2019- kernel Medium An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference
11810 can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in Upgraded kernel
drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to package to latest
a use-after-free. version kernel-
2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux
14835 kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer Upgraded kernel
descriptors during migration. A privileged guest user able to pass descriptors with package to latest
invalid length to the host when migration is underway, could use this flaw to increase version kernel-
their privileges on the host. 2.6.32-ll-dhs3-
090.000
CVE-2019- kernel Medium An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in
14821 the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write Upgraded kernel
operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, package to latest
wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user- version kernel-
space process. An unprivileged host user or process with access to '/dev/kvm' device 2.6.32-ll-dhs3-
could use this flaw to crash the host kernel, resulting in a denial of service or potentially 090.000
escalating privileges on the system.
CVE-2013- libtiff Critical Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff
1960 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and Upgraded Libtiff
possibly execute arbitrary code via a crafted TIFF image file. package to latest
version 3.9.4-
21.el6_8
CVE-2013- libtiff Critical Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff
1961 before 4.0.3 allows remote attackers to cause a denial of service (application crash) via Upgraded Libtiff
a crafted image length and resolution in a TIFF image file. package to latest
version 3.9.4-
21.el6_8
CVE-2013- libtiff Critical Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff
4243 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and Upgraded Libtiff
possibly execute arbitrary code via a crafted height and width values in a GIF image. package to latest
version 3.9.4-
21.el6_8
CVE-2013- libtiff Critical The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-
4244 dependent attackers to cause a denial of service (out-of-bounds write and crash) or Upgraded Libtiff
possibly execute arbitrary code via a crafted GIF image. package to latest
version 3.9.4-
21.el6_8
CVE-2014- libtiff Critical The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which
8130 allows remote attackers to cause a denial of service (divide-by-zero error and Upgraded Libtiff
application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline package to latest
function in tif_write.c, as demonstrated by tiffdither. version 3.9.4-
21.el6_8
CVE-2014- libtiff Critical Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to
9330 cause a denial of service (crash) via crafted BMP image, related to dimensions, which Upgraded Libtiff
triggers an out-of-bounds read. package to latest
version 3.9.4-
21.el6_8
CVE-2014- libtiff Critical The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function
9655 in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized Upgraded Libtiff
memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff- package to latest
cvs-2.tif. version 3.9.4-
21.el6_8
CVE-2015- libtiff Critical The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a
1547 denial of service (uninitialized memory access) via a crafted TIFF image, as Upgraded Libtiff
demonstrated by libtiff5.tif. package to latest
version 3.9.4-
21.el6_8
CVE-2015- libtiff Critical The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial
7554 of service (invalid memory write and crash) or possibly have unspecified other impact Upgraded Libtiff
via crafted field data in an extension tag in a TIFF image. package to latest
version 3.9.4-
21.el6_8
CVE-2015- libtiff Critical Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in
8668 bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or Upgraded Libtiff
cause a denial of service via a large width field in a BMP image. package to latest
version 3.9.4-
21.el6_8
CVE-2015- libtiff Critical The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote
8683 attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image. Upgraded Libtiff
package to latest
version 3.9.4-
21.el6_8
CVE-2015- libtiff Critical tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via
8782 a crafted TIFF image, a different vulnerability than CVE-2015-8781. Upgraded Libtiff
package to latest
version 3.9.4-
21.el6_8
CVE-2015- libtiff Critical The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a
8784 denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by Upgraded Libtiff
libtiff5.tif. package to latest
version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote
3632 attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code Upgraded Libtiff
via a crafted TIFF image. package to latest
version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the
3945 tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote Upgraded Libtiff
attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF package to latest
image, which triggers an out-of-bounds write. version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in
3990 LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or Upgraded Libtiff
execute arbitrary code via a crafted TIFF image to tiffcp. package to latest
version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF
3991 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds Upgraded Libtiff
write) or execute arbitrary code via a crafted TIFF image with zero tiles. package to latest
version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical An exploitable heap-based buffer overflow exists in the handling of TIFF images in
5652 LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer Upgraded Libtiff
overflow resulting in remote code execution. Vulnerability can be triggered via a saved package to latest
TIFF file delivered by other means. version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that
9534 didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka Upgraded Libtiff
"TIFFFlushData1 heap-buffer-overflow." package to latest
version 3.9.4-
21.el6_8
CVE-2016- tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion
9535 libtiff Critical failures in debug mode, or buffer overflows in release mode, when dealing with unusual Upgraded Libtiff
tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap- package to latest
buffer-overflow." version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated
9536 buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka Upgraded Libtiff
"t2p_process_jpeg_strip heap-buffer-overflow." package to latest
version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers.
9537 Reported as MSVR 35093, MSVR 35096, and MSVR 35097. Upgraded Libtiff
package to latest
version 3.9.4-
21.el6_8
CVE-2016- libtiff Critical tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile
9540 width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer- Upgraded Libtiff
overflow." package to latest
version 3.9.4-
21.el6_8
CVE-2014- php Critical Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation Removed php
3668 in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before package
5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service
(application crash) via (1) a crafted first argument to the xmlrpc_set_type function or
(2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds
read operation.
CVE-2014- php Critical Integer overflow in the object_custom function in ext/standard/var_unserializer.c in Removed php
3669 PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers package
to cause a denial of service (application crash) or possibly execute arbitrary code via an
argument to the unserialize function that triggers calculation of a large length value.
CVE-2014- php Critical The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, Removed php
3670 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, package
which allows remote attackers to cause a denial of service (heap memory corruption
and application crash) or possibly execute arbitrary code via a crafted JPEG image with
TIFF thumbnail data that is improperly handled by the exif_thumbnail function.
CVE-2014- php Critical The donote function in readelf.c in file through 5.20, as used in the Fileinfo component Removed php
3710 in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows package
remote attackers to cause a denial of service (out-of-bounds read and application
crash) via a crafted ELF file.
With lower Flex versions (2.1.xxx.yyy) the new dongle will NOT work: Panic Flex will occur.
3.5.4 SUSE Patch upgrade support for GAS (concerns the HOST)
GOAL:
Give a procedure to upgrade to the latest security fixes that are brought along the different versions of
bootDVD that are delivered in the Business Portal.
Compatibility: Suse 12.3 Updates are named at the right of those digit. Eg.: 12.3.016.000
This feature is available from GAS version 8.03. Following steps to update Host OS using gas-suse-
update.sh script provided in “OXE SW Server Installer” Package.
1. Mount the SUSE boot ISO available in DVD/Flash Drive or locally transferred to the host
machine:
mount <source_directory> <target_directory>
For example, if the ISO file is available in a DVD and is to be mounted then the following
command should be executed.
The virtual machines (OXE, OMS and WebRTCGW) will be gracefully shut down before the patch
update and the SUSE Host will REBOOT after the successful patch update.
From version r_oxesws_8.04, GAS supports monitoring UPS through USB. While AS is operated through
UPS during main failure, GAS ensures automatic safe shutdown of AS and its VM if the UPS battery
power percentage reduces to configured value (Default: 30%).
Minimum requirement:
- GAS 8.04
- bootDVD 12.3.020.001
Services provided:
Power cable draws power to AS from UPS and a USB signal cable is used to monitor the status of UPS.
UPS Management
UPS management in GAS Package is performed with the help of NUT Package present in the SUSE Host
OS.
GAS Package GAS Package provides a script (gasups) which runs on host OS. It acts as a scheduler which
receives status of UPS as events from Monitor (upsmon) and respective actions will be triggered.
Following 3 types of events are thrown by Monitor to the Scheduler (gasups).
ONLINE – Source Power supply of the system through mains.
ONBATT – Source Power supply of the system switched to battery.
LOWBAT – UPS battery charge reaches configured (Default: 30 %) Low value.
- On reception of Events ONBATT, ONLINE and LOWBAT from UPS monitor, status is logged in to the file
/var/log/gasups.log
- On receiving LOWBAT event, the VMs (OXEVM, OMSVM (If installed) and WebRTCGW (If installed) will be
shutdown gracefully then followed by shutdown of host.
Before shutting down the host, a file /etc/killpower is created which acts as a flag to denote that the GAS
Host has shut down because of low power in UPS. This file is deleted during the start of UPS service on
the next boot.
Note: If a user wants the AS to be powered on automatically as soon as the mains are up, then the
parameter “Automatic Power Restore” (Applicable for AS supplied by IBM. Relevant option can be
enabled for other OEMs) needs to be enabled in BIOS and this feature is non-UPS dependent.
The UPS related services could be managed using the following commands.
$ gasups start
$ gasups stop
This command is used to stop the UPS related services.
$ gasups status
Provides current status of all the UPS related services (running/stopped). It also gives the current UPS
battery charge in percentage and configured UPS low battery charge value.
e.g $ gasups status
Battery Charge: battery.charge: 100
Configured Low Battery Value: battery.charge.low: 30
UPS Service Status: Running
$ gasups restart
Used to restart UPS related services.
3.6 MAINTENANCE/TOOLS
3.6.1 Have different incidents between hard-phone and IPDSP
The objective of this feature is to have different incidents for IP Hard phone and IP Desktop Softphone
Existing Behavior
The existing behavior of IP Hard phone or IPDSP is whenever it goes to out of service or restart, the OXE
will generate an incident based on the cause of restart or out of service. The incident generated for the
IP Hard phone and IPDSP will be same.
Enhancement
The Enhancement of this feature is to distinguish between incidents of the IP Hard phone and IPDSP. The
existing incidents such as 386, 389, 426, 2053 is applicable only for IP Hard phone and not for IPDSP. For
IPDSP, the new incidents are introduced to identify the cause of restart or OOS. Incident 6051 is used
when IPDSP goes out of service irrespective of any reason for OOS. Incident 6052 is used when IPDSP
comes into service.
The difference in the incidents generated for IPDSP due to the enhancement is described in the table
below.
New incidents:
6051: IPDSP is put out of service
6052: IPDSP is put in service
A new menu, swinst → 2.Expert menu → 9.Remote download → 10. ‘Local load as distributor of ISO image/ZIP file
and installation’ is added in swinst tool to load an OXE CPU as Distributor with the ISO image/ZIP file. The
Distributor OXE CPU must have the version/patch files in ISO/ZIP format in the /tmpd directory. After loading the
ISO image/ZIP file, the installation of the version or patch is done in the Distributor OXE CPU.
ALCATEL-LUCENT
Remote Download menu Installation FACILITIES 3.43.0
8 Programmed operations
9 Fast Delta programmed operations
When this submenu is selected, the name of the ISO/ZIP file in the /tmpd directory must be given as follows,
ALCATEL-LUCENT
Remote Download menu Installation FACILITIES 3.43.0
Please enter the name of the ISO/ZIP file in /tmpd directory (enter for none)
=> OXE-m430218a.iso
Restoring flush
Press return
With this option, the ISO/ZIP archive is loaded and installed in the Distributor CPU.
The loaded ISO files are saved under the following directories.
/usr4/ftp/ISO/version for full versions.
/usr4/ftp/ISO/patch for static patches.
/usr4/ftp/ISO/dynpatch for dynamic patches.
The loaded ZIP files are saved under the following directories.
/usr4/ftp/ZIP/version for full versions.
/usr4/ftp/ZIP/patch for static patches.
/usr4/ftp/ZIP/dynpatch for dynamic patches.
The directory structure for an ISO file contains “dhs3mgr” followed by all the different directories corresponding to
the different patches.
For a zip file there can be “dhs3mgr” or not.
Next print screen shows this kind of result for a search with keyword “encryption”.
Evolution “click and GO” will come in MD1: possibility to click in a search result & go directly to the right
object.
Feature is searching only in the object model meaning that a result can be seen even if the management
in the database has not been done.
Feature does not search in the data (eg: a search for a user name is not possible)
Added for MD1 patch the possibility to “click & GO”: after a search, the result is presented & it is possible
to click on it. The WBM will bring the user to the closest branch of the result.
- END OF DOCUMENT -