Patch-ID# 109734-01 Keywords: ENCRYPTION security international HA Logdump FTP fragmentation Synopsis: SunScreen EFS 3.1 (Sparc) miscellaneous fixes. Date: Jul/06/00 NOTE: ******************************************************************************** EXPORT INFORMATION: This software contains encryption features and requires export approval from the U.S. Department of State, prior to exporting from the United States. This patch is for a product which performs cryptographic functions, which are subject to U.S. export control, and must not be exported outside the U.S. without prior approval of the U.S. government. Prior export approval must be obtained by the user of this product. By obtaining this software, you are agreeing to comply with all of the United States and other applicable country laws and regulations when either exporting, re-exporting or importing this software or any underlying information or technology. Further, you acknowledge that you are not a national of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria or a party that is listed in the U.S. Table of Denial Orders or U.S. Treasury Department's list of Specially Designated Nationals. Product is restricted from being used for the design or development of nuclear, chemical, biological, weapons or missile technology without the prior permission of the U.S. Government. ******************************************************************************** Solaris Release: 2.6 7 8 SunOS Release: 5.6 5.7 5.8 Unbundled Product: SunScreen Unbundled Release: 3.1 Xref: This patch is available for x86 as Patch 109735-01. BugId's fixed with this patch: 4326689 4328055 4333069 4347894 4347899 4347905 Changes incorporated in this version: 4326689 4328055 4333069 4347894 4347899 4347905 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: SUNWicgSS /kernel/strmod/efs /kernel/strmod/spf /kernel/strmod/sparcv9/efs /kernel/strmod/sparcv9/spf /kernel/drv/screen /kernel/drv/sparcv9/screen /usr/kernel/misc/screen_ftp /usr/kernel/misc/sparcv9/screen_ftp /opt/SUNWicg/SunScreen/ssadm/logdump /opt/SUNWicg/SunScreen/lib/logdump /opt/SUNWicg/SunScreen/lib/ss_compiler /opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump SUNWicgSA /opt/SUNWicg/SunScreen/ssadm/logdump Note: 64bit sparcv9 kernel modules not included in x86 patch. Problem Description: 4326689 - Passive HA stealth screen sends ARP's 4328055 - Logdump -i file -x0 does not display hex dump of packet 4333069 - Traffic passes to undefined addresses when interface addr grp used in rules. 4347894 - Protection against PASV FTP attacks 4347899 - File containing something that looks like FTP commands could be misinterpreted 4347905 - Protection against jolt2.c fragmentation attacks Patch Installation Instructions for the Administration Station -------------------------------------------------------------- 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the administration station, ensure that you have already installed the latest version of Solaris patch 106125. Version 106125-06 is available on your EFS 3.1 CD. 3. Transfer the patch file to the Administration Station. 4. Then type: # uncompress 109734-01.tar.Z # tar xf 109734-01.tar # patchadd 109734-01 Patch Installation Instructions for Locally Administered Screens ---------------------------------------------------------------- 1. Become root on the Screen. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125-06. Version 106125-06 is available on your SunScreen EFS 3.1 CD. 3. Transfer patch file to the Screen using a diskette or ftp (with 3 MB free). 4. Type the following: # uncompress 109734-01.tar.Z # tar xf 109734-01.tar # patchadd 109734-01 5. Reboot the Screen. Patch Installation Instructions for Remotely Administered Screens in Stealth Mode -------------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise transfer the patch to the Screen. 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125-06. Version 106125-06 is available on your SunScreen EFS 3.1 CD. 3. Transfer the patch file to the Administration Station. 4. Type the following: # ssadm -r patch install < 109734-01.tar.Z Instructions for Identifying Patches Installed on System -------------------------------------------------------- 1. To identify the patch level on your locally administered Screen, type the commands: # ls -lt /var/sadm/patch > screen.pkginfo # pkginfo -l >> screen.pkginfo 2. To identify the patch level on your remotely administered Screen in stealth mode: # ssadm -r lib/support packages > screen.pkginfo This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents of /var/log/patch.log. 3. To identify the patch level on your Administration Station, type the commands: # ls -lt /var/sadm/patch > admin.pkginfo # pkginfo -l >> admin.pkginfo Instructions to remove the patch on the Administration Station -------------------------------------------------------------- 1. Become root on the Administration Station. 2. Then type: # patchrm 109734-01 Instructions to Remove the Patch on Locally Administered Screen --------------------------------------------------------------- 1. Become root on the Screen. 2. Type the following: # patchrm 109734-01 Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode -------------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise obtain access to a login prompt on the Screen. 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125-06. Version 106125-06 is available on your SunScreen EFS 3.1. 3. Type the following: # ssadm -r patch backout 109734-01 Additional Patch Installation Instructions ------------------------------------------ Refer to the "Install.info" file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch.