FIRMWARE CHANGE HISTORY
-----------------------

IBM Networking Operating System RackSwitch G7028
firmware version 7.6.5.0 (Released June 2020)

** changes since 7.6.4.0 **

Enhancements:

none

Changes:

- The support for TLS versions 1.1 and 1.0 has been deprecated. TLS version
  1.2 is now supported by default. (72679)
- The SSH Server CBC Mode Ciphers and SSH Weak MAC Algorithms have been
  disabled. (75828)
- Added support for using the Diffie-Hellman key exchange algorithm for SSH.
  (68841)
- Added support for the DHE key exchange mode for SSL. (XB223799)
- Added support for deleting the HTTPS certificate in ISCLI by using the
  "access https delete-certificate" command. (XB224563)
- Changed the default key exchange methods for generating a certificate from
  SHA1/RSA1024 to SHA256/RSA2048. If an old certificate already exists on the
  switch, it needs to be deleted and the switch must be rebooted. (69051)

Fixes:

- An SSH connection could fail when using an OpenSSH 6.2 client to connect to
  the switch. (XB178587)
- The HTTPS connection would be lost when generating a certificate with blank
  fields. (202593)
- An SSL connection would fail when different TLS versions were specified in
  the SSL Record Layer header and in the ClientHello payload. (69542)
- Switch could crash when processing SSL traffic received on the management
  interface. (50705)
- A crash would occur when scanned by the web security tool IBM AppScan,
  while running a Recorded Login option. (90107)
- Fixed issue reported by the web security tool IBM AppScan for the
  Spanning-Tree Protocol webpage. (116507)
- Fixed issue in login credential mechanism. (107614)
- Fixed issue related to non-configured SNMP community strings. (115054)
- Fixed command injection issue for the "mv" command. (136430)
- Fixed libxml2 security vulnerabilities as reported in the CVE Advisories
  CVE-2015-8710, CVE-2016-3705, CVE-2016-3627, CVE-2015-8806, CVE-2016-4447,
  CVE-2016-4449, CVE-2016-4448, CVE-2016-4658, CVE-2016-9318, CVE-2017-8872,
  CVE-2017-9049, CVE-2017-9050, CVE-2016-5131, CVE-2017-15412, CVE-2017-16932,
  CVE-2017-5130 (49214, 57176, 55781, 58942, 58943, 86808, 104768, 124059)
- Fixed zlib vulnerabilities as reported in the CVE Advisories CVE-2016-9840,
  CVE-2016-9841, CVE-2016-9842, CVE-2016-9843. (86800)
- Fixed Linux Kernel security vulnerabilities as reported in the CVE
  Advisories CVE-2017-6214, CVE-2015-8324, CVE-2019-11477, CVE-2019-11478,
  CVE-2019-11479. (57178, 177635, 113078)
- Fixed TLS security vulnerabilities as reported in the CVE Advisories
  CVE-2014-8730 (POODLE), CVE-2013-0169 (Lucky 13). (80866, XB221660)
- Fixed OpenSSL security vulnerabilities as reported in the CVE Advisories
  CVE-2016-2108, CVE-2018-0732, CVE-2018-0734, CVE-2019-1559. (55174, 147029,
  175714, 181273)
- Fixed security vulnerabilities as reported in the CVE Advisories
  CVE-2013-2566, CVE-2015-2808 (BarMitzvah), CVE-2016-2183 (SWEET32),
  CVE-2016-6329. (LV300779, 66395)

================================================================================

IBM Networking Operating System RackSwitch G7028
firmware version 7.6.4.0 (Released February 2016)

** changes since 7.6.3.0 **

Enhancements:

none

Changes:

none

Fixes:

- Using Cisco ACS version 5.5 and above to authenticate users with the TACACS
  protocol could cause the User Interface thread (SSHD, AGR, TNET, CONS) to be
  suspended forever, thereby denying any further authentication with the
  TACACS protocol. (LV307694/7383)

================================================================================

IBM Networking Operating System RackSwitch G7028
firmware version 7.6.3.0 (Released January 2015)

** changes since 7.6.2.0 **

Enhancements:

none

Changes:

none

Fixes:

- Speed and duplex settings of the management port are displayed incorrectly
  when no cable is present. (LV296505)

================================================================================

IBM Networking Operating System RackSwitch G7028
firmware version 7.6.2.0 (Released August 2014)

** changes since 7.6.1.0 **

Enhancements:

none

Changes:

- Added the Machine Type Model 7120-24L to identify Lenovo as a distribution
  channel. (XB277502)
- Internal debug usernames have been removed from the firmware to prevent
  potential backdoor access. (XB282666)

Fixes:

none