Patch-ID# 109737-09
Keywords: encryption efs security international ha logdump ftp fragmentation proxy
Synopsis: SunScreen 3.1 LITE (Intel) miscellaneous fixes.
Date: Jan/03/2003

******************************************************
The items made available through this website are subject to United States export laws and may be subject to export and import laws of other countries. You agree to strictly comply with all such laws and obtain licenses to export, re-export, or import as may be required. Unless expressly authorized by the United States Government to do so you will not, directly or indirectly, export or re-export the items made available through this website, nor direct the items therefrom, to any embargoed or restricted country identified in the United States export laws, including but not limited to the Export Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

Install Requirements: None

Solaris Release: 8_x86

SunOS Release: 5.8_x86

Unbundled Product: SunScreen EFS

Unbundled Release: 3.1 LITE

Xref: This patch is available for Sparc as Patch 109736.

Topic:

Relevant Architectures:

BugId's fixed with this patch: 4328055 4333069 4347894 4347899 4347905 4365144 4366229 4368757 4370757 4371086 4371831 4373963 4373964 4395538 4400107 4412981 4418010 4418578 4422897 4431381 4432276 4432480 4458205 4467805 4468944 4474065 4475718 4475976 4483861 4484569 4485964 4489200 4491469 4493103 4494052 4500802 4530873 4632254 4658497 4693028 4713896 4729278 4760976 4762492 4764370 4764373 4767244 4770205

Changes incorporated in this version: 4371086 4467805 4475976 4483861 4491469 4713896 4729278 4760976 4762492 4764370 4764373 4767244 4770205

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/kernel/drv/screen
/kernel/strmod/efs
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class
/opt/SUNWicg/SunScreen/bin/sslogmgmt
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/efs2to3
/opt/SUNWicg/SunScreen/lib/getlog
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/logmgmt-Xample
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/natcompiler
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/screeninfo
/opt/SUNWicg/SunScreen/lib/ss_access_convert
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_rule_convert
/opt/SUNWicg/SunScreen/lib/ss_upgrade
/opt/SUNWicg/SunScreen/lib/statetables
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/lib/unplumb_solaris8
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/opt/SUNWicg/SunScreen/ssadm/traffic_stats
/opt/SUNWicg/SunScreen/support/nattables
/opt/SUNWicg/SunScreen/support/packages
/opt/SUNWicg/SunScreen/support/versions
/usr/kernel/drv/screen_skip
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_tcp

NOTE: 64-bit sparcv9 kernel modules are not included in the x86 patch.

Files changed in this version of the patch:

/kernel/drv/screen
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/natcompiler
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/ss_access_convert
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_rule_convert
/opt/SUNWicg/SunScreen/lib/ss_upgrade
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/usr/kernel/drv/screen_skip
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet

Problem Description:

4371086 NFS state engine assumes 20 byte TCP header size
4467805 UDP hash lookup needs improvement
4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback
4483861 TTLs for NAT entries need to be more closely related to state entries
4491469 Reply packets don't match broadcast UDP sessions, get dropped
4713896 SunScreen 3.1 allows TCP data packets to pass prior to the 3-way handshake
4729278 logdump does no bounds checking on transient ports array
4760976 FIN attack: port continues being open
4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer
4764370 Duplicate SYN/ACK can change SunScreen state from ESTABLISHED to CONNECTING
4764373 SunScreen does not check sequence numbers of FIN packets
4767244 SunScreen allows FIN packet in CONNECTING state
4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly

(from 109737-08)

4458205 traffic_stats output modification
4468944 Screen drops TCP ECN packets
4530873 ssadm traffic_stats reports negative values
4632254 sqlnet engine hangs after fetching few records

(from 109737-07)

4418010 sslogmgmt always returns error: argument expected
4422897 Lite interface limit needs exception when no ip_forwarding
4475718 Parser stack overflow with large number of address objects
4484569 BAD TRAP occurred in module "spf"
4493103 TCP state fails on duplicate SYN, connection drops
4494052 UDP 162 is not being blocked
4500802 Byte swap issue on x86

(from 109737-06)

4432480 SunScreen NAT has performance problems in certain topologies
4485964 PASV ftp and DYNAMIC NAT broken
4489200 Panic in statetable cleanup routines

(from 109737-05)

4432276 Performance degradation due to inefficient TCP hash function

(from 109737-04)

4418578 IP addresses garbled with first activation of policy
4412981 ftp state engine does not recognize RST
4431381 ftp state engine confused in certain instances when Microsoft server is used

(from 109737-03)

4400107 Something consuming large amounts of kernel memory
4395538 ss_logd core dumps causing the system to hang
4373963 screeninfo output gets truncated
4266794 screeninfo does not report IP forwarding status
4373976 Misc enhancements to screeninfo
4048429 Configuration names with spaces don't work
4373966 screeninfo does not get SCCS versions of all files
4373972 screeninfo should perform consistency checks on packages
4373964 Patch information retrieved by screeninfo can be incorrect
4365144 Fix not correctly implemented for Trusted Solaris

(from 109737-02)

4365144 ftp state engine can't handle TCP option tstamp
4366229 Possible for encryption rules to generate system panic
4368757 "*" service includes iptunnel service which could be misunderstood and lead to an insecure screen
4370757 ftp with NAT has sequence number problem which was introduced after fix for PASV FTP attacks
4371831 "Fragmentation Needed but DF bit set" message sent out in error when encryption rules are used

(from 109737-01)

4328055 Logdump -i file -x0 does not display hex dump of packet
4333069 Traffic passes to undefined addresses when interface address group used in rules
4347894 Protection against PASV FTP attacks
4347899 File containing something that looks like FTP commands could be misinterpreted
4347905 Protection against jolt2.c fragmentation attacks

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------

Installation Instructions for the Administration Station
--------------------------------------------------------

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Administration Station, ensure that you have already installed the latest version of Solaris patch 106126. Version 106126-06 is available on your EFS 3.1 CD.

3. Transfer the patch file to the Administration Station.

4. Then type:

   # uncompress 109737-09.tar.Z
   # tar xf 109737-09.tar
   # patchadd 109737-09

Installation Instructions for Locally Administered Screens
----------------------------------------------------------

1. Become root on the Screen.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106126. Version 106126-06 is available on your SunScreen EFS 3.1 CD.

3. Transfer the patch file to the Screen using a diskette or ftp (with 3 MB free).

4. Type the following:

   # uncompress 109737-09.tar.Z
   # tar xf 109737-09.tar
   # patchadd 109737-09

5. Reboot the Screen. The patch replaces kernel modules (/kernel/drv/screen and the /usr/kernel/misc/screen_* state engines), so the corrected state engine is not in effect until the Screen has been rebooted.

Instructions for Identifying Patches Installed on System
--------------------------------------------------------

1. To identify the patch level on your locally administered Screen, type the commands:

   # ls -lt /var/sadm/patch > screen.pkginfo
   # pkginfo -l >> screen.pkginfo

2. To identify the patch level on your remotely administered Screen, type:

   # ssadm -r lib/support packages > screen.pkginfo

   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents of /var/log/patch.log.

3. To identify the patch level on your Administration Station, type the commands:

   # ls -lt /var/sadm/patch > admin.pkginfo
   # pkginfo -l >> admin.pkginfo

Instructions to Remove the Patch on the Administration Station
--------------------------------------------------------------

1. Become root on the Administration Station.

2. Then type:

   # patchrm 109737-09

Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------

1. Become root on the Screen.

2. Type the following:

   # patchrm 109737-09

Additional Patch Installation Instructions
------------------------------------------

Refer to the "Install.info" file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch.

README -- Last modified date: Thursday, July 31, 2003
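Once screen.pkginfo or admin.pkginfo has been captured as described under "Instructions for Identifying Patches Installed on System", the remaining question is whether each host carries this revision (or a later one) of 109737, and, for a Solaris 2.6 administration station, 106126-06. The following Python answers that from the captured listing. It is an added example, not part of the patch or of SunScreen's own tools; SAMPLE_LS is a constructed listing, and the regular expression assumes the Sun patch-ID form base-revision (six digits, a dash, two digits).

```python
"""Added example (not SunScreen tooling): decide from a captured listing of
/var/sadm/patch (the 'ls -lt /var/sadm/patch' step in this README) whether
required patch revisions are installed. SAMPLE_LS below is constructed."""
import re

# Sun patch IDs are <6-digit base>-<2-digit revision>, e.g. 109737-09.
# Anchored at end of line so only the entry name of an ls -l line is matched.
PATCH_ID = re.compile(r"(\d{6})-(\d{2})$")

SAMPLE_LS = """\
total 4
drwxr-xr-x   2 root     sys          512 Jan  6 10:41 109737-09
drwxr-xr-x   2 root     sys          512 Jun  3 14:02 106126-06
"""


def installed_revisions(listing):
    """Map patch base ID -> highest revision whose directory appears in the
    listing. Lines that do not end in a patch ID (the 'total' line, and the
    pkginfo -l output the README appends to the same file) are ignored."""
    highest = {}
    for line in listing.splitlines():
        m = PATCH_ID.search(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            highest[base] = max(highest.get(base, 0), rev)
    return highest


def missing(listing, required):
    """Return the required IDs (e.g. '109737-09') that are absent or present
    only at a lower revision. A higher installed revision satisfies the
    requirement, since later revisions of a patch supersede earlier ones."""
    have = installed_revisions(listing)
    out = []
    for pid in required:
        base, rev = pid.split("-")
        if have.get(base, 0) < int(rev):
            out.append(pid)
    return out


if __name__ == "__main__":
    print(installed_revisions(SAMPLE_LS))
    print("missing:", missing(SAMPLE_LS, ["109737-09", "106126-06"]))
```

The same function works on the combined output of ssadm -r lib/support packages, because the ls section is parsed line by line and the pkginfo and patch.log sections simply fail the end-of-line match.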
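The TCP state-engine bugs listed under Problem Description (4713896, 4493103, 4764370, 4764373, 4767244, 4762492, 4770205) all describe the same class of defect in a stateful packet filter: a segment is accepted in a state where it should not be, or a duplicate segment is allowed to move the session state or restart a timer. The following Python model, added here and not SunScreen code, tracks one session through NEW, CONNECTING, ESTABLISHED and CLOSING and applies the handling those bug titles imply. Its state names, the window width, the CLOSING timeout, and the choice to treat an accepted RST like a FIN for timer purposes are assumptions of the model, not a description of SunScreen's implementation.

```python
"""Toy TCP session tracker for a stateful packet filter (added example, not
SunScreen code). It exercises the defect classes named in this README:
4713896, 4493103, 4764370, 4764373, 4767244, 4762492 and 4770205.
State names, WINDOW, CLOSING_TIMEOUT and RST handling are model assumptions."""
from dataclasses import dataclass

WINDOW = 65535           # assumption: how far ahead of the expected seq we accept
CLOSING_TIMEOUT = 30.0   # assumption: seconds a CLOSING entry stays in the table
MOD = 1 << 32


@dataclass(frozen=True)
class Pkt:
    direction: str       # "c2s" (client to server) or "s2c"
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int = 0
    payload: int = 0     # payload length in bytes


def segment_ok(p, expected):
    """Window check on the segment's END sequence number (seq + payload + SYN/FIN).
    An exact retransmit ends exactly where we expect and passes; a stale or
    far-ahead segment does not."""
    end = p.seq + p.payload + (1 if ({"SYN", "FIN"} & p.flags) else 0)
    return (end - expected) % MOD < WINDOW


class TcpSession:
    def __init__(self):
        self.state = "NEW"            # NEW -> CONNECTING -> ESTABLISHED -> CLOSING
        self.expect = {}              # direction -> next sequence number expected
        self.closing_deadline = None
        self.log = []

    def _verdict(self, ok, why):
        self.log.append(("PASS " if ok else "DROP ") + why)
        return ok

    def expired(self, now):
        return self.state == "CLOSING" and now >= self.closing_deadline

    def handle(self, p, now=0.0):
        f, d = p.flags, p.direction
        peer = "s2c" if d == "c2s" else "c2s"
        if "RST" in f:
            if self.state == "NEW":
                return self._verdict(False, "RST for unknown session")
            if d in self.expect:
                ok = segment_ok(p, self.expect[d])
            else:                                   # e.g. a server refusing our SYN
                ok = p.ack == self.expect[peer]
            if not ok:                              # 4770205: an in-window RST must pass
                return self._verdict(False, "RST outside window")
            if self.state == "CLOSING":             # 4762492: never restart the timer
                return self._verdict(True, "duplicate RST while CLOSING, timer untouched")
            self.state, self.closing_deadline = "CLOSING", now + CLOSING_TIMEOUT
            return self._verdict(True, "RST accepted")
        if self.state == "NEW":
            if f == {"SYN"} and d == "c2s":
                self.state, self.expect["c2s"] = "CONNECTING", p.seq + 1
                return self._verdict(True, "SYN opens session")
            return self._verdict(False, "no session for this segment")
        if self.state == "CONNECTING":
            if f == {"SYN"} and d == "c2s" and p.seq + 1 == self.expect["c2s"]:
                return self._verdict(True, "retransmitted SYN")          # 4493103
            if f == {"SYN", "ACK"} and d == "s2c" and p.ack == self.expect["c2s"]:
                self.expect["s2c"] = p.seq + 1
                return self._verdict(True, "SYN/ACK")
            if (f == {"ACK"} and d == "c2s" and p.payload == 0
                    and p.ack == self.expect.get("s2c")):
                self.state = "ESTABLISHED"
                return self._verdict(True, "handshake complete")
            if "FIN" in f:                                                # 4767244
                return self._verdict(False, "FIN before handshake complete")
            return self._verdict(False, "segment (data) before handshake complete")  # 4713896
        if not segment_ok(p, self.expect[d]):       # 4764373: a FIN must be in window
            return self._verdict(False, "sequence outside window")
        if self.state == "ESTABLISHED":
            if "SYN" in f:                                                # 4764370
                dup = f == {"SYN", "ACK"} and d == "s2c" and p.seq + 1 == self.expect["s2c"]
                return self._verdict(dup, "retransmitted SYN/ACK, state kept" if dup else "stray SYN")
            if "FIN" in f:
                self.state, self.closing_deadline = "CLOSING", now + CLOSING_TIMEOUT
                self.expect[d] = p.seq + p.payload + 1
                return self._verdict(True, "in-window FIN, now CLOSING")
            if p.seq == self.expect[d]:
                self.expect[d] = p.seq + p.payload
            return self._verdict(True, "data")
        # CLOSING: in-window segments (including a duplicate FIN) may drain,
        # but closing_deadline is never touched here                      # 4762492
        return self._verdict(True, "segment while CLOSING, timer untouched")


def established_session():
    """Constructed three-way handshake: client ISN 100, server ISN 500."""
    s = TcpSession()
    for p in (Pkt("c2s", frozenset({"SYN"}), 100),
              Pkt("s2c", frozenset({"SYN", "ACK"}), 500, ack=101),
              Pkt("c2s", frozenset({"ACK"}), 101, ack=501)):
        assert s.handle(p), s.log[-1]
    return s
```

The window check deliberately looks at where a segment ends rather than where it starts: a retransmitted SYN, SYN/ACK or FIN ends exactly at the sequence number already expected, so it is recognised as a duplicate and neither re-drives the state machine nor resets the CLOSING deadline, while a FIN or RST with an unrelated sequence number (the 4764373 and 4770205 cases) is dropped before it can tear the session down.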