ALTERPATH
ACS FAMILY RELEASES
This document outlines the new features and bug fixes for AlterPath
ACS/CS family of products (including BETA releases that are designated
with a letter after the
version number).
V_2.2.0-1
Jun/11/04
: (official
release;
upgrade from V_2.2.0)
a) Bug fixes
- Invalid error code returned by scp/ssh
V_2.2.0 May/28/04
:
(official
release;
upgrade from V_2.1.6)
a) New features
- WEB redesign
- Physical Ports - the previous
Port-specific
parameters will be discarded when the admin clicks in the "Modify All
Ports" in expert mode or when
the admin clicks in the "Port Profile" or "Data Buffering" in the
wizard menu.
- WEB session inactivity timeout
implemented
- Upgrade of OpenSSL to 0.9.7d
- Kerberos ticket support (SSH to box
and
to
serial ports; Telnet and rlogin to box)
- PM in daisy chain FW upgrade support
(should be used along with PM 1.2.2 and later)
- New Integration Power Management and
Console
Management.
I) CAS access using pmkey :
- if pmusers of the port is
configured as
"all", the ACS allows the user to access the outlets of the server.
- the user access
verification
is
done by
"pmd", so CAS(telnet/ssh) shows the PM menu and only when user type a
command the check is done.
II) regular users that are members of "pmusers" group
can
manage only outlets that they have permission to access.
- adduser
command has the option "-G <group name>" that allows the admin to
configure list of supplementary groups which the user is also a member
of.
b) Bug fixes
- Kernel with all security patches to bring it
to
the
level of 2.4.25
- User could not access ACS/TS with empty password
through
ssh/telnet
- When using ssh and idle timeout, session is closed by idle
timeout
even if user is using it.
- sshd doesn't work with public key auth when key is stored
at
users
home and user ssh to port
c) Change Log
- openssh will look in the home directory by
default if public key
is used
- The startPmFwUpgrade and pmFWUpgrade programs were removed.
The
new program for PM firmware upgrade is pmfwupgrade.
- Power Management: regular users that are members of
"pmusers"
group can manage only outlets
that they have permission to access. (adduser accepts -G as parameter).
- List of vulnerabilities fixed
# CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device
drivers do not pad frames with null bytes, which allows remote attackers
to obtain information from previous packets or kernel memory by using
malformed packets
# CAN-2003-0127: The kernel module loader allows local users to gain
root
privileges by using ptrace to attach to a child process that is spawned
by
the kernel
# CAN-2003-0244: The route cache implementation in Linux 2.4, and the
Netfilter IP conntrack module, allows remote attackers to cause a denial
of service (CPU consumption) via packets with forged source addresses
that
cause a large number of hash table collisions related to the PREROUTING
chain
# CAN-2003-0247: vulnerability in the TTY layer of the Linux kernel 2.4
allows attackers to cause a denial of service ("kernel oops")
# CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux
kernel 2.4 allows remote attackers to cause a denial of service (CPU
consumption) via certain packets that cause a large number of hash table
collisions
# CAN-2003-0018 Linux kernel 2.4.10 through 2.4.21-pre4 does not
properly
handle the O_DIRECT feature, which allows local attackers with write
privileges to read portions of previously deleted files, or cause file
system corruption.
# CAN-2002-0499 The d_path function in Linux kernel 2.2.20 and earlier,
and 2.4.18 and earlier, truncates long pathnames without generating an
error, which could allow local users to force programs to perform
inappropriate operations on the wrong directories.
# CAN-2003-0619 Integer signedness error in the decode_fh function of
nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to
cause a
denial of service (kernel panic) via a negative size value within XDR
data
of an NFSv3 procedure call.
# CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
# CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly created sockets. Olaf Kirch noticed that his could allow normal
users to bind to UDP ports used for services such as nfsd.
# CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
# CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
# CAN-2004-0077: The do_mremap function for the mremap in Linux 2.2 to
2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the
return value from the do_munmap function when the maximum number of VMA
descriptors is exceeded, which allows local users to gain root
privileges,
a different vulnerability than CAN-2003-0985.
# CAN-2003-0985: The mremap system call (do_mremap) in Linux kernel 2.4
and 2.6 does not properly perform bounds checks, which allows local
users
to cause a denial of service and possibly gain privileges by causing a
remapping of a virtual memory area (VMA) to create a zero length VMA, a
different vulnerability than CAN-2004-0077.
V_2.1.6 Feb/09/04
:
(official
release;
upgrade from V_2.1.5.1)
a) New features
- IPMI over LAN support
- menush support through WEB
- LPD support
- Data Buffer logging
(connection/disconnection time stamp)
- PM field upgrade (no chain) support
- SNMP Proxy to access the PM
- Billing allowed in all ports and
platforms
- Sniff session notification
- Upgrade of OpenSSH (from 3.6.1p2 to
3.7.1p2)
b) Bug fixes
c) Known Bugs
d) Change Log
-
patch in mremap.c file
- The file /etc/TIMEZONE was changed. If there is one saved
in
flash it must be replaced/merged with /etc/TIMEZONE.save
- The sshd program was upgraded to version 3.7.1p2 and it
needs a
new configuration file. If the file /etc/ssh/sshd_config was not
changed just replace it
with the file /etc/ssh/sshd_config.save. Otherwise the user
should
merge these files.
This OpenSSH version uses these
following authentication methods when the parameter UsePAM is
configured as "yes" :
- TIS or
CryptoCard authentication in SSH-1
-
"keyboard-interactive" authentication in SSH-2.
Please, pay attention in ssh client configuration to accept
these authentication methods.
- The file /etc/rc.sysinit was changed.If there is one saved
in
flash
it must be replaced/merged with /etc/rc.sysinit.save.
- The file /etc/group was changed. It was included the group
"pam"
and
"pmusers".If the file was not changed just replace it with the
file
/etc/group.save.
Otherwise the user need to do the following commands :
#addgroup pam <enter>
#addgroup pmusers <enter>
#chgrp pmusers /bin/pm
<enter>
V_2.1.5.1 Dec/09/03
: (official
release;
upgrade from V_2.1.5)
a) New features
b) Bug fixes
- Critical
security bug has been discovered
in the Linux kernel within do_brk() function that may lead to full
compromise of vulnerable system. Successful exploitation of do_brk()
leads to full compromise of vulnerable system, including gaining full
uid 0 privileges (CAN-2003-0961)
c) Change Log
V_2.1.5 Oct/15/03
:
(official
release;
upgrade from V_2.1.4.1)
a) New features
- AlterPath BIO support
- Compact flash and IDE PCMCIA cards
support
- Support to WLAN Linksys WPC11
b) Bug fixes
- rfc2217 commands were not being
properly
handled
by socket when no data buffering or sniffing was enabled
- CrossTalk in bad console cables
would
halt a
normal
boot
- Command "updatefiles" was failing
when
the
files
under /tmp/upd/<pathname> had subdirectories
- When user logged into the ACS using
SecureCRT, telnet,
or SSH and disconnected after the login prompt they would get the
following
error
pam_authenticate : Error in service module- Removed message due to /etc/motd
- crontab -e was not working
- "Password" in the pm utility was
not
working
correctly
- ts_menu with different Escape char
was
not
working
- ports do not release when connecting to LDAP server
c) Change Log
- /etc/motd removed from ACS
- "Existent feature (syslog) -> the configuration file
(/etc/syslog-ng.conf) was changed.
The f_kernel and f_alerts in /etc/syslog-ng/syslog-ng.conf were
changed."
- Comments for parameter all.sttyCmd in
/etc/portslave/pslave.conf
might let user think that it was valid only for TS profile because of
the
expression "terminal port", and it was not true. Changed the comments.
- /etc/pm.cyclades had the AlterPath PM
prompt changed from "pm8>" to "pm>". If that file was NOT
included in /etc/config_files by the user in an earlier FW version, the
ACS FW upgrade will force the user to either upgrade the AlterPath PM
boxes to the newest FW or to edit the /etc/pm.cyclades file in the ACS,
change the prompt back to "pm8>", to include that file in
/etc/config_files, to restart pmd process and to run saveconf to have
the ACS communicating with the AlterPath PM again.
PM versions before 1.0.9 have the "prompt pm8>"
PM versions after that have prompt "pm>"
/etc/pm.cyclades defines the prompt as "pm8>" for all ACS versions before V_2.1.3. It defines as "pm>" for V_2.1.4 and later
V_2.1.4.1 Sep/18/03 : (official
release;
upgrade from V_2.1.4)
a) New features
b) Bug fixes
- Applied latest patches until
openssh
3.7.1
c) Change Log
- The patch is a fix to buffer.c in openssh. The patch
updates
3.6.1p2 to
the current code level (3.7.1)
V_2.1.4 Aug/11/03 : (official
release;
upgrade from V_2.1.3)
a) New features
- SSL V2 reenabled in the FW (it was
disabled
in previous
FW version) and made configurable. This way, IE can work with SSL3 or
SSL2
whereas the existent buggy Netscape and Mozila can work with SSL2.
- Hardened the code through disabling
services
daytime
and time and rejecting time stamp
b) Bug fixes
- saveconf was very slow to save configuration files in flash
and
was
generating
R/W temp files before saving them into flash
- RFC2217 not working when user did not configure data
buffering
or
sniffing
for a given serial port
- WEB would cap in 40 characters the users field before
copying
the
field
to the proper configuration file (pslave.conf). Now the limit is 256
characters.
- CrossTalk in bad console cables made the unit not boot if
the
console
cable
did not have console hooked up
- Socket CAS was handling telnet command NOP as data
- pam was generating a deceiving error saying "unable to set
group
membership
for user (err=-1)". It was a incompatibility between sshd (set_creds)
and
pam_groups (set_creds). The
pam_groups issue a system call that requires root privilege but sshd
already change the privilege to the user just logged in. Removed the
module
pam_groups from the sshd service (pam.conf).
c) Change Log
- SSL2 enabled or disabled through configuration file
(/etc/ssl_version.conf).
The user will choose between SSLv2, SSLv3, and SSLv23 (default).
V_2.1.3 Jun/30/03 : (official
release;
upgrade from V_2.1.2)
a) New features
- Upgrade of OpenSSH (from 3.5.p1 to
3.6.1p1)
- Upgrade of Openssl to 0.9.7b
- Upgrade of net-snmp (from 5.0.7 to
5.0.8)
- Windows 2003 support
- Enhanced Clustering (allows
encrypted
path
between
master and slave at lower CPU cost, authentication between master and
slave)
- Allows Radius Server to specify the
serial
ports
the user can access
- tstest with chat string support
- Enabled pam_tally module
- Support to NIS
- Support to LDAPDownLocal
authentication
- Support to NISDownLocal
authentication
- Support to KerberosDownLocal
authentication
- SSH-2 break extension support
- performance improvement (transfer
rate
over
serial
ports). This feature affects the meaning of the parameters
all.DTR_reset, all.auto_answer_output,
and all.auto_answer_input
- support to change and control (FW
and
Configuration)
to work with new Cyclades product
b) Bug fixes
- Radius and callback was not working properly (no call back)
- "W" command showing a wrong pid for ports TS profile
- Radius was sending a wrong NAS-Port-Id to Radius Server
- Changed DHCP client to keep trying to get an IP address
forever
if
configured
as "1"
- If a user belongs to more than one group he can not access
ACS
serial
port
properly
c) Change Log
- Windows 2003 support: new
parameters in
/etc/portslave/pslave.conf
(s<nn>.translation xterm, s<nn>.web_WinEMS,
s<nn>l.xml_monitor),
added file /webs/web/appl/utf8key.conf, added web interface for Win EMS
via java applet), New macros available in /etc/syslog-ng/syslog-ng.conf:
- added /webs/web/appl/close.gif,
/webs/web/appl/refresh.gif,
/webs/web/appl/colorSet.conf
- java applet now pops up when you
connect.
There
is a refresh and close icon that users can click on. The refresh button
is used to reconnect to the server. The close icon is used to close the
window of the popup. - Enhanced
Clustering: new parameter in
/etc/portslave/pslave.conf
(conf.nat_clustering)
- NIS:
. change in
/etc/nsswitch.conf
(inserted commented lines about NIS)
. change in
/etc/pam.conf
(changed module pam_unix.so to module pam_unix2.so).
. created new file
yp.conf
(NIS server configuration) and domainname.conf (NIS domain name)
. created new program
/bin/domainame
(to configure the domain name)
. new lib
/lib/libnss_nis-2.2.3.so
and /lib/security/pam_unix2.so - LdapDownLocal:
. change in
/etc/portslave/pslave.conf
. changed WEB
interface to
support new value to authentication type parameter
. changed snmpd to
support
new value to authentication type parameter
. change din
/etc/pam.conf
(added new service ldapdownlocal) - KerberosDownLocal:
. change in
/etc/portslave/pslave.conf
. changed WEB
interface to
support new value to authentication type parameter
. changed snmpd to
support
new value to authentication type parameter
. change in
/etc/pam.conf
(add new service kerberosdownlocal)
- SSH-2 break extension: (support to
"Session
Channel
Break Extension - draft-ietf-secsh-break-00.txt")
. implemented client
and
server.
. break interval ->
change
in /etc/portslave/pslave.conf (added parameter all.break_interval)
- performance improvement
. change in /etc/portslave/pslave.conf
(included
new value to all.sniff_mode) - support
to change and control (FW and
Configuration)
. saveconf and restoreconf -> have
more
options
. adduser -> allow to add user with
root
privileges - existent feature (DHCP
client) -> the
following files
were changed : /bin/handle_dhcp (now this script shell does the
ifconfig
commands to set the IP address to eth0) and /etc/network/dhcpcd_cmd.
- existent feaute (default route)
->
the
/etc/network/st_routes
was changed. The option "metric 3" was inserted in the definition of
the
default route.
V_2.1.2 Mar/21/03 : (official
release;
upgrade from V_2.1.1)
a) New features
- Power Management. Allows users
connect
IPDUs
(Inteligent
Power Distribution Unit) from Cyclades and some other vendors (Baytech
and Sentry) to Cyclades' Console Servers and manage the outlets used to
power the Servers.
- Upgrade of OpenSSL to 0.9.7a
- Upgrade of net-snmp to version 5.0.7
- Upgrade of Busybox to 0.60.5.
(include
support to
"top" command).
- Upgrade of DHCP to 1.3.22
- Dynamic DNS update support
- Dynamic serial port allocation
(hunting
group; pool
of serial ports) support
b) Bug fixes
Telnet/SSH connections with Data Buffering are
locked
after NFS server
goes down
Protocol socket_server ignores the [more] data buffer menu
command over
telnet
Wizard for DB is setting the parameter *.data_buffering
wrongly
when
the
value has more than 5 digits
PPP connection from a Windows 2000 would not be established
unless
cb_script
line was commented out in pslave.conf
c) Change Log
- New feature (Power Management):
New directory/files:
- pmd/
- pmd/*
- cyclades/etc/init.d/pmd
Files changed:
- cyclades/etc/inittab
New parameters were added in webs
configuration,
serial ports section : Protocol (the ipdu protocol was included), IPDU
type, PM users, PM number of outlets, PM outlets and PM hotkey.
- The same parameters above were added
in
the
Cyclades MIBs.
- The process pmd was included in the
webs
administration
to restart processes.
- The Link Administration > Power
Management
was created to manage the IPDU's outlets.
- Created a script to change
persmission of
pppd during
bootup /bin/chmod_pppd
- Added that script (commented out)
from
users_script
(/etc/users_scripts)
- Existent feature (telnet client)
->
/bin/telnet moved
to /usr/bin/telnet. (see upgrade notes); /etc/portslave/pslace.conf was
changed (conf.telnet parameter).
- The nsupdate application was added
in
the
ACS
to
allow the dhcpcd performing the DDNS updates when the dhcp server does
not perform them. The nsupdate can be called from the shell script
"handle_dhcp"
using the data received from the dhcp server that were written
into
the file "/etc/dhcpc/dhcpcd-eth0.info".
- A new command line option was added
to
the
tstest
program: the "-I <initchat>".
So, the command to do port conversation without
navigating in the menu should be:
tstest -l <#port> -s
<baudrate>
-I <initchat_string>
The command "tstest -?" will display
all
options
available:
-l #port
-
Serial
port number [1 to 32]
-s speed -
Baud
rate
-p parity -
Parity
even,
odd, none
-f
flow -
Flow control hard, soft, none
-d DataLength - Number of bits from 5 to 8
-b
- Send break 0.25 to 0.5 seconds long
-B interval - Send break
[1-5]
seconds
long
-T interval - Toggle DTR
[1-5]
seconds
long
-t
- Toggle DTR forever
-R interval - Toggle RTS
[1-5]
seconds
long
-r
- Toggle RTS forever
-i
- Port conversation
-I <initchat> - Port conversation
-c
- doesn't change tty configuration/signals on open
-C
- doesn't restore tty configuration/signals on close
- Java applet has changed. Now to ssh
to
the
port chosen,
users can just type the username and his/her password rather than
typing
username:portnumber and then his/her password.
- Existent feature (CallBack in
Dial-In
profile) ->
/bin/chat was moved to /usr/local/sbin/chat, so the
/etc/portslave/cb_script
was changed (included the path "/usr/local/sbin" to "chat").
- Existent feature (Dial-In profile)
->
change in /etc/portslave/pslave.conf
(removed the callback from the default of the pppoptions parameter).
- Existent feature (busybox) ->
upgrade
version 0.60.2
to version 0.60.5 (included support to the "top" command and the
"ps" shows new columns). The /etc/inittab file was changed because the
order to start the process was changed in the new busybox.
- Existent feature
(/bin/build_DB_ramdisk)
-> change
to not show the messages from /etc/mke2fs and /etc/mount.
- Existent feature (cyclades MIB) ->
change to support
new PortSlave parameters and fixed some problems with object
definitions.
- Included Note about CHAP
authentication
(Chapter
3, section Authentication)
- New feature (hunting group) ->
added
some
new parameters
in /etc/portslave/pslave.conf (all.pool_ipno, all.pool_serverfarm,
all.pool_socket_port)
V_2.1.1 Jan/10/03 : (official
release;
upgrade from V_2.1.0)
a) New features
- Upgrade of the WEB server (goahead
v2.1.4)
- The WEB logic for access limit has
changed.
There
will be 4 priority levels: user, monitor, administrator and full
(root).
Each page will have a priority level associated with it; if the page
has
monitor priority, all the users with privilege monitor, administrator
or
full will have access to the page. The default user groups will be root
(full), admin (administrator), monitor (monitor) and user (user). Also,
the link list will be grouped according to the user privilege. The
common
user, for now, will be able to logout and to connect to serial ports,
nothing
more. In order to make it effective, it's necessary to change the file
/etc/websum.conf with the one in the new zImage.
- Run Configuration implemented in
WEB. A
link
was
created in the Administration section and, in the page, the
administrator
can reload the portslave, the IPSEC, the snmp and the syslog-ng
configuration.
The signal_ras script was changed to fit this feature.
- Added a link called SNMP in the
Configuration
section.
This configuration is done in the same way as syslog-ng; by editing the
file.
- Changed the syslog-ng.conf file.
The
new
configuration
allows syslog-ng to receive syslog messages from the Kernel.
- Implemented a new PortSlave
parameter
"all.telnet_client_mode".
This parameters allows the user to choose text or binary mode for
automatic
telnet client.
- ISDN BRI PCMCIA card supported
- Implemented a new PorstSlave
parameter
"all.lf_suppress"
to allow some Windows telnet client to access Unix servers and not
receive
double prompt.
- Implemented two new PortSlave
parameters
"all.auto_answer_input"
and "all.auto_answer_output" to allow PowerEdge Servers to display
BIOS'
output when there's no connection (ssh or telnet) to that serial port
(given
data buffering is active).
- Enhanced sniffer feature by
allowing
presenting or
not the sniffer menu
b) Bug fixes
- A problem in syslog data buffering
was
fixed.
That
would appear when the parameter data_buffering is not enabled and the
parameter
time stamp is enabled.
- When changing serial port
configuration
parameter
like "sttyCmd" and issuing the "signal_ras hup" command the serial port
parameter is not being reconfigured.
- If slave entries for all 48 ports
of a
ACS
are added
to the pslave.conf file in the master the following message appears
when
the slave is selected on the ts_menu first screen.
"Caution: You have exceeded the number of slaves
allowed. You may be invading your system's memory therefore affecting
the
performance of this application..." - ACS -
SNMP
Fixed problem with to save configuration
and
to restart PortSlave by SNMP set. - New
Cyclades Logo replacing the old one
- Changed the banner to show
AlterPath ACS
c) Change Log
- new feature (Access Limit by
priority)
->
change
in /etc/websum.conf (reconfigured user groups and access limits
according
to the priority and added some more access list entried)
- new feature (Common Users access
only
application
pages) -> files web/read/{*.jar, *.conf, sportConnect.asp,
connectPorts.asp}
moved to web/appl.
- new feature (complete Run
Configuration)
-> Link
"Run Configuration" inserted in the Administration section, in
the Web Server Menu - new feature (SNMP configuration) -> Link
"SNMP" inserted
in the Configuration section, in the Web Server
Menu - new
feature (Define the text/binary mode in
automatic
telnet client) -> change in /etc/portslave/pslave.conf (added the
parameter
all.telnet_client_mode)
- new feature (LF suppression) ->
change
in
/etc/portslave/pslave.conf
(allows suppressing the last LF from the CRLF sent by a Windows telnet
client to avoid having double prompt on screen when user accesses a
Unix
server through the CAS' serial port)
- new feature (Probing mechanism)
->
change
in /etc/portslave/pslave.conf
(if a server probes the serial port by sending a string the CAS answer
with other string so BIOS can start displaying. Input and output
strings
are configurable)
- existent feature (session sniffing)
->
change in
/etc/portslave/pslave.conf (all.multiple_sessions can be configured to
present or not the sniffer menu)
- existent feature (syslog-ng
receives
syslog
message
from kernel) -> change the syslog-ng.conf file (see the upgrade
notes),
change in upgrade_110 file
- the command "w" is changed. The
original
version
was renamed to "w_ori". "w_cas" is a new command and it shows the
information
about CAS sessions. The command "w" calls w_ori and w_cas.
- Files changed due to ISDN BRI:
- Inclusion of isdn4k-utils package.
- Changes in the linux/drivers/isdn and
linux/drivers/isdn/hisax
files.
- Changes in the tslinux_mv21/Makefile to
generate
isdn4k-utils tools and support modules_install (CDK).
- Changes in
tslinux_mv21/linux/Makefile.cyc
to support modules_install (CDK).
- Changes in
tslinux_mv21/linux/.config.tsxk
to support isdn subsystem and ppp as loadable module (CDK).
- Inclusion of cyclades/etc/ppp files to
support
synchronous ppp.
- Changes in build_extra to create isdn
devices
under /dev (CDK).
- Changes in
cyclades/lib/modules/<version>/
files to support isdn.
- Changes in /etc/config_files to save
/etc/ppp/pap-secrets
and /etc/ppp/chap-secrets in flash. - ACS
MIB for SNMP management
Included new PortSlave Parameters in the
ACS
MIB. - The configuration of the snmpd
(/etc/snmp/snmpd.conf
file) was changed. The upgrade has to be done in two steps:
. First step.
.. Save the file /etc/snmp/snmpd.conf, if
it
was changed.
.. Edit the file /etc/config_files and
remove
the line related to snmp.
.. Execute the command "saveconf" and
reboot
the TS.
. Second step.
.. if the file /etc/snmp/snmpd.conf was
changed
the user should make his own
changes again.
V_2.1.0 Nov/01/02 : (official
release;
first release)
a) New features
- Linux Kernel 2.4.17
- PAM Support (LDAP, Kerberos,
TACACS+,
Radius,
Local
authentication)
- SSH 1/2, telnet, ftp, PPP and SLIP,
10/100BT
- Spurious Break Eliminator
- PCMCIA support (modem card,
Ethernet
and
Wireless
initially)
- Extended wizard configuration
- Java Applet to allow serial
connection
using
browser
(telnet or ssh sessions)
- IPSec support
- All features supported by
Cyclades-TS
family
b) Bug fixes