			 Release Notes

     This document summarizes the contents and special instructions for the 
     Tru64 UNIX V5.1B patches contained in this kit.

     For information about installing or removing patches, baselining, 
     and general patch management, see the Patch Kit Installation 
     Instructions document. 

1 Release Notes


This Customer-Specific Patch Kit Distribution contains: 

   - fixes which are intended to resolve the problem(s) reported in: 
        o QXCM1000294567 
             * for Tru64 UNIX V5.1B T64V51BB25AS0004-20040616.tar (BL25)

	This kit includes a patch which requires system reboot.

 WARNING! NOT FOR GENERAL USE.
          These patches are tailored for an individual system's hardware and
          software configuration. Use of this patch kit, or patches contained
          in this kit, on any other system may cause that system to be in an
          inconsistent and non-operational state.

          This patch kit, or its content, may not be posted on any network or
          bulletin boards.


 The Release Notes contain a summary of each patch in this kit.

 Patches in this kit are installed by running dupatch from the directory 
 in which the kit was untarred. For example, as root on the target system:

	> mkdir -p /tmp/CSPkit1
	> cd /tmp/CSPkit1
	> <copy the kit to /tmp/CSPkit1>
	> tar -xpvf DUV40D13-C0044900-1285-20000328.tar
	> cd patch_kit
	> ./dupatch

 These patches have been tested and found to work correctly in the support
 engineering environment. However, it is possible that you may experience 
 different results running these patches in your computing environment.

 HP recommends that you install these patches in a NON-Production (testing)
 computing environment to ensure there are no side-effects (due to your specific
 configurations) PRIOR to installing the patches in your production environment.

 
2 Special Instructions

SPECIAL INSTRUCTIONS for Tru64 UNIX V5.1B Patch C1363.04
The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet 
Architecture to perform fault-isolation and recovery (RFC 816), which is the 
group of actions that hosts and routers take to determine if a network failure 
has occurred.

The industry standard TCP specification (RFC 793) has a vulnerability whereby 
ICMP packets can be used to perform a variety of attacks such as blind 
connection reset attacks and blind throughput-reduction attacks. Blind 
connection reset attacks can be triggered by an attacker sending forged ICMP 
"Destination Unreachable, host unreachable" packets or ICMP "Destination 
Unreachable, port unreachable" packets.  Blind throughput-reduction attacks 
can be caused by an attacker sending a forged ICMP type 4 (Source Quench) 
packet.

Path MTU Discovery (RFC 1191) describes a technique for dynamically 
discovering the MTU (maximum transmission unit) of an arbitrary internet 
path.  This protocol uses ICMP packets from the router to discover the MTU 
for a TCP connection path.  An attacker can reduce the throughput of a TCP 
connection by sending forged ICMP packets (or their IPv6 counterpart) to the 
discovering host, causing an incorrect Path MTU setting.

HP has addressed these potential vulnerabilities by providing a new kernel 
tunable in Tru64 UNIX V5.1B and 5.1A, icmp_tcpseqcheck. In Tru64 4.0F and 
4.0G, HP has introduced two new kernel tunables, icmp_tcpseqcheck and 
icmp_rejectcodemask. The icmp_rejectcodemask tunable is already available in 
Tru64 UNIX V5.1B and 5.1A.

icmp_tcpseqcheck
The icmp_tcpseqcheck variable mitigates ICMP attacks against TCP by checking 
that the TCP sequence number contained in the payload of the ICMP error 
message is within the range of the data already sent but not yet 
acknowledged. An ICMP error message that does not pass this check is 
discarded. This behavior 
protects TCP against spoofed ICMP packets.

Set the tunable as follows:

        icmp_tcpseqcheck=1 (default)
        Provides a level of protection that reduces the possibility of 
        considering a spoofed ICMP packet as valid to 1/2^32
                
                
        icmp_tcpseqcheck=0
        Retains existing behavior, i.e., accepts all ICMP packets
                
icmp_rejectcodemask
In the Requirements for IP Version 4 Routers (RFC 1812), research suggests 
that the use of ICMP Source Quench packets is an ineffective (and unfair) 
antidote for congestion. Thus, HP recommends completely ignoring ICMP Source 
Quench packets using the icmp_rejectcodemask tunable. The icmp_rejectcodemask 
is a bitmask that designates the ICMP codes that the system should reject. 
For example, to reject ICMP Source Quench packets, set the mask bit position 
for the ICMP_SOURCEQUENCH code 4, which is 2^4 = 16, or 0x10.  The 
icmp_rejectcodemask tunable can be used to reject any ICMP packet type, or 
multiple masks can be combined to reject more than one type.

The ICMP type codes are in /usr/include/netinet/ip_icmp.h.

Set the tunable as follows:

        icmp_rejectcodemask = 0x10
        Rejects ICMP Source Quench packets
                
                
        icmp_rejectcodemask = 0 (default)
        Retains existing behavior, i.e., accepts all ICMP packets
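
The two checks described above, modeled in user-space C as an added example 
(not HP's kernel code and not part of the original release notes). The names 
tcp_conn, snd_una, snd_max, reject_bit, quoted_tcp_seq, seq_in_flight and 
icmp_accept are hypothetical; the order of the two checks and the discarding 
of an unparseable payload when the sequence check is on are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative model of the two tunables; not Tru64 kernel source. */
#define ICMP_UNREACH      3    /* ICMP type values, as in netinet/ip_icmp.h */
#define ICMP_SOURCEQUENCH 4

struct tcp_conn {              /* hypothetical per-connection send state */
    uint32_t snd_una;          /* oldest unacknowledged sequence number */
    uint32_t snd_max;          /* end of the data sent so far */
};

/* Constructed sample: quoted IPv4 header (IHL 5, protocol TCP) plus the
 * first 8 TCP bytes: ports 1024 -> 80, sequence number 0x00000010. */
static const uint8_t sample_quote[28] = {
    0x45, 0, 0, 40,  0, 0, 0, 0,  64, 6, 0, 0,  192, 0, 2, 1,  192, 0, 2, 2,
    0x04, 0x00, 0x00, 0x50,  0x00, 0x00, 0x00, 0x10 };

/* Mask bit for one ICMP type: type 4 gives 2^4 = 0x10. */
static uint32_t reject_bit(unsigned type) { return type < 32 ? (uint32_t)1 << type : 0; }

/* Extract the TCP sequence number from the datagram quoted in an ICMP error. */
static int quoted_tcp_seq(const uint8_t *q, size_t len, uint32_t *seq)
{
    if (len < 20 || (q[0] >> 4) != 4) return -1;       /* not IPv4 */
    size_t ihl = (size_t)(q[0] & 0x0f) * 4;            /* header may carry options */
    if (ihl < 20 || q[9] != 6 || len < ihl + 8) return -1;
    const uint8_t *t = q + ihl + 4;                    /* skip the two ports */
    *seq = (uint32_t)t[0] << 24 | (uint32_t)t[1] << 16 | (uint32_t)t[2] << 8 | t[3];
    return 0;
}

/* snd_una <= seq < snd_max, computed so it survives 2^32 wraparound. */
static int seq_in_flight(const struct tcp_conn *c, uint32_t seq)
{
    return (uint32_t)(seq - c->snd_una) < (uint32_t)(c->snd_max - c->snd_una);
}

/* Returns 1 if the ICMP error is passed on to TCP, 0 if it is discarded. */
int icmp_accept(unsigned type, const uint8_t *quoted, size_t len,
                const struct tcp_conn *c, uint32_t rejectmask, int seqcheck)
{
    uint32_t seq;
    if (rejectmask & reject_bit(type)) return 0;       /* type is masked off */
    if (!seqcheck) return 1;                           /* tunable 0: accept all */
    if (quoted_tcp_seq(quoted, len, &seq) != 0) return 0;
    return seq_in_flight(c, seq);
}
```
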
                
Adjusting the variables
The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the 
sysconfig and sysconfigdb commands:

        # sysconfig -q inet icmp_tcpseqcheck
        inet:
        icmp_tcpseqcheck = 1
        
        # sysconfig -r inet icmp_tcpseqcheck=0
        icmp_tcpseqcheck: reconfigured
        
        # sysconfig -q inet icmp_tcpseqcheck
        inet:
        icmp_tcpseqcheck = 0
        
        # sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge
        
        # sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet
        
        # sysconfigdb -l inet
         
        inet:
                icmp_tcpseqcheck = 1
        
Similarly, the icmp_rejectcodemask variable can be adjusted using the 
sysconfig and sysconfigdb commands:

        # sysconfig -q inet icmp_rejectcodemask
        inet:
        icmp_rejectcodemask = 0
        
        # sysconfig -r inet icmp_rejectcodemask=0x10
        icmp_rejectcodemask: reconfigured
        
        # sysconfig -q inet icmp_rejectcodemask
        inet:
        icmp_rejectcodemask = 16 
        
        # sysconfig -q inet icmp_rejectcodemask >/tmp/icmp_rejectcodemask_merge
        
        # sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet
        
        # sysconfigdb -l inet
         
        inet:
                icmp_rejectcodemask = 16



3 Summary of CSPatches contained in this kit


Tru64 UNIX V5.1B

PatchId			Summary Of Fix
----------------------------------------
C1363.04			 Fix for SSRT 4743, SSRT 4884


4 Additional information from Engineering


None

5 Affected system files
This patch delivers the following files:

Tru64 UNIX V5.1B
	Patch C1363.04
		./sys/BINARY/alt.mod
			CHECKSUM:	07630 327
			SUBSET:	OSFHWBIN540
		./sys/BINARY/bcm.mod
			CHECKSUM:	31670 419
			SUBSET:	OSFHWBIN540
		./sys/BINARY/dec_audit.mod
			CHECKSUM:	11041 239
			SUBSET:	OSFBIN540
		./sys/BINARY/inet.mod
			CHECKSUM:	24843 568
			SUBSET:	OSFBIN540
		./sys/BINARY/ipv6.mod
			CHECKSUM:	48977 428
			SUBSET:	OSFBIN540
		./sys/BINARY/net.mod
			CHECKSUM:	01926 337
			SUBSET:	OSFBIN540
		./sys/BINARY/sec.mod
			CHECKSUM:	59293 13
			SUBSET:	OSFBIN540
		./sys/BINARY/vfs.mod
			CHECKSUM:	44024 654
			SUBSET:	OSFBIN540
		./usr/lib/nls/msg/en_US.ISO8859-1/audit_tool.cat
			CHECKSUM:	09064 8
			SUBSET:	OSFBASE540
		./usr/lib/nls/msg/en_US.ISO8859-1/auditd.cat
			CHECKSUM:	54345 7
			SUBSET:	OSFBASE540
		./usr/sbin/audit_tool
			CHECKSUM:	15657 247
			SUBSET:	OSFBASE540
		./usr/sbin/auditd
			CHECKSUM:	59185 108
			SUBSET:	OSFBASE540
