OBSOLETE Patch-ID# 109735-08
Keywords: ENCRYPTION EFS security international HA Logdump FTP fragmentation proxy
Synopsis: Obsoleted by: 109735-09 SunScreen 3.1 (Intel) miscellaneous fixes.
Date: Jul/26/2002

******************************************************
   The items made available through this website
   are subject to United States export laws and
   may be subject to export and import laws
   of other countries. You agree to strictly comply
   with all such laws and obtain licenses to
   export, re-export, or import as may be required.
   Unless expressly authorized by the United States
   Government to do so you will not, directly or
   indirectly, export or re-export the items made
   available through this website, nor direct the
   items therefrom, to any  embargoed or restricted
   country identified in the United States export
   laws, including but not limited to the Export
   Administration Regulations (15 C.F.R. Parts
   730-774).
******************************************************

Install Requirements: None

Solaris Release: 2.6_x86 7_x86 8_x86

SunOS Release: 5.6_x86 5.7_x86 5.8_x86

Unbundled Product: SunScreen EFS

Unbundled Release: 3.1

Xref: This patch is available for Sparc as Patch 109734.

Topic: 

Relevant Architectures: 

BugId's fixed with this patch: 4326689 4328055 4333069 4347381 4347894 4347899 4347905 4351317 4355078 4355752 4365144 4366229 4368757 4370757 4371655 4371831 4373963 4373964 4377098 4377829 4378218 4380217 4395538 4400107 4409715 4412981 4415446 4418010 4418578 4431381 4432276 4432480 4458205 4468944 4474065 4475718 4484569 4485964 4489200 4493103 4494052 4500802 4530873 4621944 4632254 4658497 4693028

Changes incorporated in this version: 4371655 4458205 4468944 4474065 4530873 4632254 4658497 4693028

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 

Files included with this patch: 

	/kernel/drv/screen
	/kernel/strmod/efs
	/kernel/strmod/spf
	/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
	/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class
	/opt/SUNWicg/SunScreen/bin/sslogmgmt
	/opt/SUNWicg/SunScreen/lib/datacompiler
	/opt/SUNWicg/SunScreen/lib/efs2to3
	/opt/SUNWicg/SunScreen/lib/getlog
	/opt/SUNWicg/SunScreen/lib/logdump
	/opt/SUNWicg/SunScreen/lib/logmgmt-Xample
	/opt/SUNWicg/SunScreen/lib/natcompiler
	/opt/SUNWicg/SunScreen/lib/screeninfo
	/opt/SUNWicg/SunScreen/lib/ss_access_convert
	/opt/SUNWicg/SunScreen/lib/ss_compiler
	/opt/SUNWicg/SunScreen/lib/ss_ha
	/opt/SUNWicg/SunScreen/lib/ss_had
	/opt/SUNWicg/SunScreen/lib/ss_logd
	/opt/SUNWicg/SunScreen/lib/ss_rule_convert
	/opt/SUNWicg/SunScreen/lib/statetables
	/opt/SUNWicg/SunScreen/lib/unplumb_solaris8
	/opt/SUNWicg/SunScreen/proxies/ftpp
	/opt/SUNWicg/SunScreen/proxies/httpp
	/opt/SUNWicg/SunScreen/proxies/smtpp
	/opt/SUNWicg/SunScreen/proxies/telnetp
	/opt/SUNWicg/SunScreen/ssadm/edit
	/opt/SUNWicg/SunScreen/ssadm/log
	/opt/SUNWicg/SunScreen/ssadm/logstats
	/opt/SUNWicg/SunScreen/ssadm/traffic_stats
	/opt/SUNWicg/SunScreen/support/nattables
	/opt/SUNWicg/SunScreen/support/packages
	/opt/SUNWicg/SunScreen/support/versions
	/usr/kernel/drv/screen_skip
	/usr/kernel/misc/screen_ftp
	/usr/kernel/misc/screen_nfsro
	/usr/kernel/misc/screen_normal
	/usr/kernel/misc/screen_raudio
	/usr/kernel/misc/screen_rsh
	/usr/kernel/misc/screen_sqlnet
	/usr/kernel/misc/screen_tcp
	/opt/SUNWicg/SunScreen/ssadm/logdump

Note: 64bit sparcv9 kernel modules not included in x86 patch.

Files changed in this version of the patch:
	/kernel/drv/screen
	/kernel/strmod/efs
	/kernel/strmod/spf
	/opt/SUNWicg/SunScreen/ssadm/edit
	/opt/SUNWicg/SunScreen/ssadm/traffic_stats
	/usr/kernel/drv/screen_skip
	/usr/kernel/misc/screen_ftp
	/usr/kernel/misc/screen_nfsro
	/usr/kernel/misc/screen_normal
	/usr/kernel/misc/screen_raudio
	/usr/kernel/misc/screen_rsh
	/usr/kernel/misc/screen_sqlnet
	/usr/kernel/misc/screen_tcp

Problem Description:

        4371655 - HA PASSIVE screen can leak skip encrypted packets
        4458205 - traffic_stats output modification
        4468944 - Screen drops TCP ECN packets
        4474065 - SunScreen cluster can hang (allocb fail)
        4530873 - ssadm traffic_stats reports negative values
        4632254 - sqlnet engine hangs after fetching few records
        4658497 - Problem with multiple screen definitions containing HA_ETHER
        4693028 - Stealth Screen can hang due to unroutable packets
 
        (from 109735-07)
 
        4418010 - sslogmgmt always returns error: argument expected
        4475718 - parser stack overflow with large number of address objects
        4484569 - BAD TRAP occurred in module "spf"
        4493103 - TCP state fails on duplicate SYN, connection drops
        4494052 - UDP 162 is not being blocked
        4500802 - Byte Swap issue on X86
        4621944 - ss_had is writing Error: received short packet
 
        (from 109735-06)
 
	4432480 - Sunscreen NAT has performance problems in certain topologies
	4485964 - PASV ftp and DYNAMIC NAT broken
	4489200 - panic in statetable cleanup routines
 
        (from 109735-05)
 
	4432276 - Performance degradation due to inefficient TCP Hash function
 
	(from 109735-04)
 
        4418578 - IP addresses garbled with first activation of policy 
        4378218 - smtp proxy does not work with two rules
        4412981 - ftp state engine does not recognize RST
        4431381 - ftp state engine confused in certain instances when 
                  MicroSoft server is used
        4409715 - ss_had can die with Interrupted System Call
        4415446 - HA failover time longer than 15 seconds
 
	(from 109735-03)
 
	4355078 - performance in stealth mode slower than SPF-200
	4400107 - something consuming large amounts of kernel memory
	4395538 - ss_logd core dumps causing the system to hang
	4377829 - HA screen will become passive if cable is unplugged.
	4377098 - ss_had has a file descriptor leak.
	4380217 - SunScreen 3.1 with patch 109734-01 can panic in stealth mode.
	4373963 - screeninfo output gets truncated.
	4266794 - screeninfo does not return if ip forwarding status
	4373976 - misc enhancements to screeninfo.
	4048429 - Configuration names with spaces don't work
	4373966 - screeninfo does not get SCCS versions of all files.
	4373972 - screeninfo should perform consistency checks on packages.
	4373964 - Patch information retrieved by screeninfo can be incorrect.
	4365144 - Fix not correctly implemented for Trusted Solaris.
 
	(from 109735-02)
 
	4347381 - ss_had stops when "ssadm activate" is done
	4351317 - HTTP POST does not work without CRLF
	4355752 - SunScreen http proxy core dumps when URI password 
		  included in URL
	4365144 - ftp state engine can't handle tcp option tstamp 
	4366229 - Possible for encryption rules to generate system panic
	4368757 - "*" service includes iptunnel service which could
		  be misunderstood and lead to an insecure screen
	4370757 - ftp with NAT has sequence number problem which was 
		  introduced after fix for PASV FTP attacks
	4371831 - "Fragmentation Needed but DF bit set" message sent out 
		  in error when encryption rules are used
 
        (from 109735-01)
 
        4326689 - Passive HA stealth screen sends ARPs
        4328055 - Logdump -i file -x0 does not display hex dump of packet
        4333069 - Traffic passes to undefined addresses when interface addr 
                  grp used in rules.
        4347894 - Protection against PASV FTP attacks
        4347899 - File containing something that looks like FTP commands 
                  could be misinterpreted
        4347905 - Protection against jolt2.c fragmentation attacks

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------
 
Solaris 2.6/7 Patch Requirements for LibC
-----------------------------------------
 
Installation of this patch on Solaris 2.6 or Solaris 7 without the proper 
LibC patch installed will result in the inability to edit or activate a 
policy.  An example of this failure might look as follows:
 
        # ssadm edit Initial
        ld.so.1: edit: fatal: relocation error: file edit: symbol 
        __1cDstdJbad_allocG__vtbl_: referenced symbol not found
        #
 
If you experience such a problem after installing patch 109735-08, the 
appropriate LibC patch can be installed, and the problem should disappear.
 
The LibC patch required is as follows:
 
        Solaris 2.6:    104678-12 or later
        Solaris 7:      106328-13 or later.
 
 
Installation Instructions for the Administration Station
--------------------------------------------------------
 
1. Become root on the Administration Station.
 
2. If you are running Solaris 2.6 on the administration station, ensure
   that you have already installed the latest version of Solaris patch 106126.
   Version 106126-06 is available on your EFS 3.1 CD. 
 
3. Transfer the patch file to the Administration Station.
 
4. Then type:
 
        # uncompress 109735-08.tar.Z
        # tar xf 109735-08.tar
        # patchadd 109735-08
 
 
Installation Instructions for Locally Administered Screens
----------------------------------------------------------
 
1. Become root on the Screen.
 
2. If you are running Solaris 2.6 on the Screen, ensure that you have 
   already installed the latest version of Solaris patch 106126-06.
   Version 106126-06 is available on your SunScreen EFS 3.1 CD.
 
3. Transfer the patch file to the Screen using a diskette or ftp (3 MB of
   free space is required).
 
4. Type the following:
        # uncompress 109735-08.tar.Z
        # tar xf 109735-08.tar
        # patchadd 109735-08
 
5. Reboot the Screen.
 
 
Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------
 
Use this procedure ONLY if you cannot otherwise transfer the patch to 
the Screen.
 
1. Become root on the Administration Station.
 
2. If you are running Solaris 2.6 on the Screen, ensure that you have 
   already installed the latest version of Solaris patch 106126-06.
   Version 106126-06 is available on your SunScreen EFS 3.1 CD.
 
3. Transfer the patch file to the Administration Station.
 
4. Type the following:
        # ssadm -r <Name_of_Screen> patch install < 109735-08.tar.Z
 
Installation Instructions for High Availability (HA) clusters.
--------------------------------------------------------------
 
 
1. Determine which screen is ACTIVE within the HA Cluster using the following
   command on each:
 
        # ssadm ha status
 
2. Follow appropriate patch installation instructions from this README file to 
   install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster 
   (determined from the previous step).
 
3. Be sure to reboot that screen upon completion of the patch installation.
 
4. After the reboot, the screen which the patch was just installed on 
   will come up in PASSIVE mode and some other member of the HA cluster
   will become ACTIVE.
 
5. Repeat steps 1-4 until the patch has been applied to all members of 
   the HA cluster.
 
Notes on patching HA clusters:
 
If the patch is installed on a PASSIVE screen before it is installed on an
ACTIVE screen, the HA daemon ss_had can core dump; the symptoms are similar
to those of bug 4347381.
 
The SunScreen HA model works by having 2 or more firewalls in parallel. All
firewalls see the same packets and hence calculate the same statetable entries.
If a packet matches a statetable entry, it is passed through the screen.
 
If the ACTIVE screen is rebooted, one of the PASSIVE firewalls will take over.
Existing connections are still maintained, because the PASSIVE firewall that
has just become ACTIVE already has the statetable entries.

Once the originally ACTIVE firewall has been rebooted, it will have an empty
statetable. This firewall will add any new connections made since it was
rebooted to its statetable, but will not know about connections established
before it was rebooted. If the currently ACTIVE screen is then rebooted, some
connections may get dropped.
 
It is not possible to say exactly how long it will take for both (all) the
firewalls to have the same statetable entries, as this depends on the
type of connection being passed and the lifetime of that connection.
Running the following command on both (all) firewalls in the cluster will
give the administrator a good indication of when it is safe to reboot
the second firewall without significant loss of service:
 
	# ssadm lib/statetables | grep ESTABLISHED | wc -l
 
 
Instructions for Identifying Patches Installed on System
--------------------------------------------------------
 
1. To identify the patch level on your locally administered Screen,
   type the commands:
 
        # ls -lt /var/sadm/patch > screen.pkginfo
        # pkginfo -l >> screen.pkginfo
 
2. To identify the patch level on your remotely administered Screen
   in stealth mode: 
 
        # ssadm -r <Name_of_Screen> lib/support packages > screen.pkginfo
 
   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and
   (3) the contents of /var/log/patch.log.
 
3. To identify the patch level on your Administration Station, type 
   the commands:
 
        # ls -lt /var/sadm/patch > admin.pkginfo
        # pkginfo -l >> admin.pkginfo
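The patch listing produced above can be checked against the LibC requirement stated earlier in this README. The script below is an added example, not part of Sun's patch or README: it takes a list of installed patch IDs (one NNNNNN-RR per line, as `ls /var/sadm/patch` prints them) and the SunOS release from `uname -r`, and reports whether the LibC patch that 109735-08 needs on Solaris 2.6/7 is present at the minimum revision. The sample listing is constructed.

```shell
#!/bin/sh
# Added example (not Sun's code): verify the LibC patch prerequisite for
# 109735-08 from a list of installed patch IDs.

# Minimum LibC patch for a SunOS release (as printed by `uname -r`).
# Prints "base-minrev", or nothing when the README states no requirement.
libc_requirement() {
    case "$1" in
        5.6) echo "104678-12" ;;
        5.7) echo "106328-13" ;;
        *)   echo "" ;;
    esac
}

# Highest installed revision of one patch base ID; prints -1 if absent.
highest_revision() {
    base="$1"; list="$2"; best=-1
    for id in $list; do
        case "$id" in
            "$base"-*)
                rev=${id#*-}
                rev=$(printf '%s' "$rev" | sed 's/^0*//')   # "08" -> "8"
                [ -z "$rev" ] && rev=0
                [ "$rev" -gt "$best" ] && best=$rev
                ;;
        esac
    done
    echo "$best"
}

# Returns 0 when the requirement is met (or none applies), 1 otherwise.
libc_check() {
    release="$1"; installed="$2"
    req=$(libc_requirement "$release")
    if [ -z "$req" ]; then
        echo "SunOS $release: no LibC patch requirement for 109735-08"
        return 0
    fi
    base=${req%-*}; minrev=${req#*-}
    have=$(highest_revision "$base" "$installed")
    if [ "$have" -ge "$minrev" ]; then
        echo "SunOS $release: $base-$have satisfies $req"
        return 0
    fi
    echo "SunOS $release: need $req, found revision $have;" \
         "expect 'ssadm edit' to fail with a relocation error"
    return 1
}

# Constructed sample listing: LibC patch present but one revision too old.
SAMPLE="109735-08
104678-11
106126-06"
libc_check 5.6 "$SAMPLE"; echo "exit status: $?"
```

On a real Screen or Administration Station, replace SAMPLE with `$(ls /var/sadm/patch)` and 5.6 with `$(uname -r)`.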
 
 
Instructions to remove the patch on the Administration Station
--------------------------------------------------------------
 
1. Become root on the Administration Station.
 
2. Then type:
 
        # patchrm 109735-08
 
 
Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------
 
1. Become root on the Screen.
 
2. Type the following:
 
        # patchrm 109735-08
 
 
Instructions to Remove the Patch on Remotely Administered Screens in 
Stealth Mode
--------------------------------------------------------------------
 
Use this procedure ONLY if you cannot otherwise obtain access to a 
login prompt on the Screen.
 
1. Become root on the Administration Station.
 
2. If you are running Solaris 2.6 on the Screen, ensure that you have 
   already installed the latest version of Solaris patch 106126-06.
   Version 106126-06 is available on your SunScreen EFS 3.1 CD.
 
3. Type the following:
        # ssadm -r <Name_of_Screen> patch backout 109735-08
 
 
Additional Patch Installation Instructions
------------------------------------------
  Refer to the "Install.info" file within the patch for instructions on
  using the generic 'installpatch' and 'backoutpatch' scripts provided
  with each patch.

README -- Last modified date:  Friday, January 3, 2003

