Patch-ID# 108157-07
Keywords: ENCRYPTION security international stealth NAT CMG proxy GUI HA
Synopsis: SunScreen EFS 3.0 RevB miscellaneous fixes.
Date: Jun/06/00

********************************************************************************
EXPORT INFORMATION: This software contains encryption features and requires
export approval from the U.S. Department of State, prior to exporting from the
United States.

This patch is for a product which performs cryptographic functions, which are
subject to U.S. export control, and must not be exported outside the U.S.
without prior approval of the U.S. government. Prior export approval must be
obtained by the user of this product.

By obtaining this software, you are agreeing to comply with all of the United
States and other applicable country laws and regulations when either
exporting, re-exporting or importing this software or any underlying
information or technology. Further, you acknowledge that you are not a
national of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria or a party
that is listed in the U.S. Table of Denial Orders or U.S. Treasury
Department's list of Specially Designated Nationals. Product is restricted
from being used for the design or development of nuclear, chemical,
biological, weapons or missile technology without the prior permission of the
U.S. Government.
********************************************************************************

Solaris Release: 2.6 7

SunOS Release: 5.6 5.7

Unbundled Product: SunScreen EFS

Unbundled Release: 3.0 Rev B

Xref: This patch is available for sparc as Patch 108156-07.
BugId's fixed with this patch: 4231913 4231917 4253279 4257613 4258953 4259288
4259291 4263150 4263985 4267482 4268211 4269897 4271577 4272397 4273153 4273198
4273416 4274877 4275509 4276516 4278909 4279408 4280375 4280348 4281974 4286707
4287892 4291630 4291953 4292561 4297741 4302056 4302422 4306041 4310845 4313231
4314493 4326689 4317939 4328055 4329296 4333069

Changes incorporated in this version: 4326689 4333069

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

SUNWicgSS
/kernel/strmod/efs
/kernel/strmod/spf
/kernel/strmod/sparcv9/efs
/kernel/strmod/sparcv9/spf
/kernel/drv/screen
/kernel/drv/sparcv9/screen
/usr/kernel/drv/screen_skip
/usr/kernel/drv/sparcv9/screen_skip
/usr/kernel/misc/screen_normal
/usr/kernel/misc/sparcv9/screen_normal
/opt/SUNWicg/SunScreen/ssadm/activate
/opt/SUNWicg/SunScreen/ssadm/algorithm
/opt/SUNWicg/SunScreen/ssadm/debug_level
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/ha
/opt/SUNWicg/SunScreen/ssadm/lock
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/opt/SUNWicg/SunScreen/ssadm/patch
/opt/SUNWicg/SunScreen/ssadm/policy
/opt/SUNWicg/SunScreen/ssadm/stateengine
/opt/SUNWicg/SunScreen/ssadm/sys_info
/opt/SUNWicg/SunScreen/ssadm/traffic_stats
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/catgets
/opt/SUNWicg/SunScreen/lib/get_access
/opt/SUNWicg/SunScreen/lib/getlog
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/logbrfmt
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/mail_relay
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/screeninfo
/opt/SUNWicg/SunScreen/lib/ss_access
/opt/SUNWicg/SunScreen/lib/ss_active_config
/opt/SUNWicg/SunScreen/lib/ss_address
/opt/SUNWicg/SunScreen/lib/ss_certificate
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_default_drop
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_ha
/opt/SUNWicg/SunScreen/lib/ss_had
/opt/SUNWicg/SunScreen/lib/ss_ha_active_mode
/opt/SUNWicg/SunScreen/lib/ss_ha_passive_mode
/opt/SUNWicg/SunScreen/lib/ss_interfaces
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_nat
/opt/SUNWicg/SunScreen/lib/ss_rule
/opt/SUNWicg/SunScreen/lib/ss_service
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/mail_spam
/opt/SUNWicg/SunScreen/lib/ss_spam_list
/opt/SUNWicg/SunScreen/lib/install_UDH_keys
/opt/SUNWicg/SunScreen/proxies/ftpp
/opt/SUNWicg/SunScreen/proxies/httpp
/opt/SUNWicg/SunScreen/proxies/smtpp
/opt/SUNWicg/SunScreen/proxies/telnetp
/opt/SUNWicg/SunScreen/support/stats
/opt/SUNWicg/SunScreen/support/findcore
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Session.class
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/htmldocs
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/efsgui_en_us.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/sg_registry.jar
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/ConfigListWindow.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/GetTextDialog.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/SearchPanel.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/SunScreenApplet.class
/opt/SUNWicg/SunScreen/bin/ss_install
/etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509

SUNWicgSA
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/nl_catd.so
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/nl_catd.class
/opt/SUNWicg/SunScreen/lib/javaexec
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/ssadm/logdump

Note: 64bit sparcv9 kernel modules not included in x86 patch.

Problem Description:

4326689 - Passive HA stealth screen sends ARP's
4333069 - traffic passes to undefined addresses when interface addr grp used in rules.

(from 108157-06)

4314493 - stealth mode floods network on incorrect broadcasts.
4328055 - logdump -i file -x0 does not display hex dump of packet
4329296 - IPSec fragments get dropped in stealth mode.

(from 108157-05)

4281974 - http proxy stops working. connection limit problem.
4297741 - doesn't show absolute time for SESSION logs
4302422 - 64-bit kernel writes session log records incorrectly.
4310845 - ICMP need to fragment pkts not translated in tunnel.
4313231 - Mixed mode panic with non-ip panics & tunnel of localhost.
4317939 - GUI can fail in ssadm.nl_catd class(AppletSecurityException).

(from 108157-04)

4258953 - Cannot view online docs with java plugin
4263985 - Mix of Dynamic NAT & Encrypted tunnelling problems
4292561 - ssadm ha active_mode && ssadm ha passive_mode can set both screens passive.
4296011 - SYN/RST spoofed packets reset statetable entry (DoS)
4302056 - screeninfo: replaced "arp -a" with "netstat -pn"
4306041 - smtp proxy fails with large msg on very slow connections.

(from 108157-03)

4253279 - Using snoop, NAT not showing correct address.
4275509 - Verify NAT address grps are not empty.
4280375 - Kernel panic when empty stealth interface address grps are set with
          encrypted traffic. Also compiler warning when address group is empty
          and SPF tag not set on screen object.
4286707 - Disabled interface not cleared unless rebooted.
4287892 - logwhy option not working.
4291630 - Editor dumps core when "load" with no policy specified.
4291953 - findcore will run off onto nfs & automount directories

(from 108157-02)

4231913 - Admin user write does not have all privileges.
4231917 - Admin user read does not have all privileges.
4257613 - findcore should run "file" on all core files.
4259288 - screeninfo needs to gather more information.
4259291 - screeninfo gets java MalformedInputException on U5/U10.
4263150 - Activate fails on CMG 24-48hr since last activate.
4271577 - Http Proxy not handling cookies properly.
4273153 - Undefined address in AccessRemote causes core.
4278908 - SNMP not sending alerts.
4280348 - Ether state engine not working.

(from 108157-01)

4267482 - i18n: The "status" information is displayed incorrectly in zh locale.
4268211 - i18n: Delete window of active configuration is not i18n
4269897 - i18n: A policy with Chinese characters in its name can't be activated.
4272397 - execute skiplocal with C locale for parsable result.
4273198 - removed space before macro for proper getmsg processing.
4273416 - i18n: Object type pull down menu in common object area is not i18n.
4274877 - i18n: Some properties are duplicated.
4276516 - Can not activate a l10n policy name via GUI admin.
4279409 - i18n: 'ssadm logdump -x' causes Java exception.

Patch Installation Instructions for the Administration Station
--------------------------------------------------------------

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Administration Station, ensure that
   you have already installed the latest version of Solaris patch 106125.
   Version 106125-06 is available on your EFS 3.0 CD.

3. Transfer the patch file to the Administration Station.

4. Then type:

   # uncompress 108157-07.tar.Z
   # tar xf 108157-07.tar
   # patchadd 108157-07

Patch Installation Instructions for Locally Administered Screens
----------------------------------------------------------------

1. Become root on the Screen.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already
   installed the latest version of Solaris patch 106125. Version 106125-06 is
   available on your SunScreen EFS 3.0 Rev B CD.

3. Transfer the patch file to the Screen using a diskette or ftp (with 3 MB
   free).

4. Type the following:

   # uncompress 108157-07.tar.Z
   # tar xf 108157-07.tar
   # patchadd 108157-07

5. Reboot the Screen.

Patch Installation Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------------

Use this procedure ONLY if you cannot otherwise transfer the patch to the
Screen.

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already
   installed the latest version of Solaris patch 106125. Version 106125-06 is
   available on your SunScreen EFS 3.0 Rev B CD.

3. Transfer the patch file to the Administration Station.

4. Type the following:

   # ssadm -r patch install < 108157-07.tar.Z

Additional Patch Installation Instructions for Users of the Java Plug-In for GUI Administration
------------------------------------------------------------------------

Use this procedure only if you are using the Java plug-in for GUI
administration.

If the file identitydb.obj is used only with the SunScreen EFS 3.0 Rev B
product, replace the existing identitydb.obj file with the new identitydb.obj
file included in this patch. The new file is located on the Screen at
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj.
If you are running in stealth mode and do not have access to this file, you
can retrieve it from the actual patch files with the following commands run on
your Administration Station:

   # uncompress 108157-07.tar.Z
   # tar xf 108157-07.tar
   # cp 108157-07/SUNWicgSS/reloc/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj /tmp/identitydb.obj

If the file identitydb.obj is used by other applications, then add SunScreen
as one of the accepted signers to the file identitydb.obj using the following
steps:

1. Copy the file identitydb.obj to your home directory.

2. Type the following, substituting the path for the javakey binary
   (/usr/java1.1) for $JAVA_HOME:

   % $JAVA_HOME/javakey -r SunScreenEFS
   % $JAVA_HOME/javakey -cs SunScreenEFS true
   % $JAVA_HOME/javakey -ic SunScreenEFS /etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509

   If you are running in stealth mode and do not have access to this file,
   you can retrieve it from the actual patch files with the following
   commands run on your Administration Station:

   # uncompress 108157-07.tar.Z
   # tar xf 108157-07.tar
   # cp 108157-07/SUNWicgSS/root/etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509 /tmp/SunScreenEFS.x509

3. Copy the file identitydb.obj to a diskette for distribution to other
   Administration Stations and install it in the following directories:

   $HOME on UNIX systems
   C:\WINDOWS directory for single user Windows 95 systems
   C:\WINDOWS\PROFILES\username for multiuser Windows 95 & 98 systems
   C:\WINNT\PROFILES\username on Windows NT systems

Instructions for Identifying Patches Installed on System
--------------------------------------------------------

1. To identify the patch level on your locally administered Screen, type the
   commands:

   # ls -lt /var/sadm/patch > screen.pkginfo
   # pkginfo -l >> screen.pkginfo

2. To identify the patch level on your remotely administered Screen in
   stealth mode:

   # ssadm -r lib/support packages > screen.pkginfo

   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the
   contents of /var/log/patch.log.
3. To identify the patch level on your Administration Station, type the
   commands:

   # ls -lt /var/sadm/patch > admin.pkginfo
   # pkginfo -l >> admin.pkginfo

Instructions to remove the patch on the Administration Station
--------------------------------------------------------------

1. Become root on the Administration Station.

2. Then type:

   # patchrm 108157-07

Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------

1. Become root on the Screen.

2. Type the following:

   # patchrm 108157-07

Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------------

Use this procedure ONLY if you cannot otherwise obtain access to a login
prompt on the Screen.

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already
   installed the latest version of Solaris patch 106125. Version 106125-06 is
   available on your SunScreen EFS 3.0 Rev B CD.

3. Type the following:

   # ssadm -r patch backout 108157-07

Additional Patch Installation Instructions
------------------------------------------

Refer to the "Install.info" file within the patch for instructions on using
the generic 'installpatch' and 'backoutpatch' scripts provided with each
patch.
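The following is an added example and is not part of Sun's README or of the
SunScreen product. It is a POSIX sh pre-flight that applies step 2 of the
install procedures (on Solaris 2.6, patch 106125 at revision 06 or later must
already be present) and the patch-level check above to the output of
"showrev -p", which lists each installed patch on a "Patch: <id>-<rev> ..."
line. The listing embedded in it is constructed for illustration, the
function names are this example's own, and "sparc" and "i386" are what
"uname -p" prints on the two platforms named in the Xref.

```shell
#!/bin/sh
# Added example, not from Sun's README: pre-flight checks that apply step 2 of
# the install procedures (the Solaris 2.6 prerequisite 106125-06) and the
# "which patch level is installed" question to a "showrev -p" listing.
# Function names are this example's own.  SAMPLE_LISTING is constructed; on a
# real Screen or Administration Station feed in the output of:  showrev -p

# Constructed "showrev -p" output from a SunOS 5.6 Screen carrying the
# previous revision of this patch.
SAMPLE_LISTING='Patch: 105181-19 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 106125-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108157-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWicgSS, SUNWicgSA'

# dec REV: strip leading zeros so test(1) compares "08" as 8, never as octal.
dec() { printf '%s\n' "$1" | sed 's/^0*\([0-9]\)/\1/'; }

# highest_rev LISTING BASEID: print the highest installed revision of BASEID
# (e.g. "08"); print nothing if no revision of that base ID is installed.
highest_rev() {
    printf '%s\n' "$1" \
        | sed -n "s/^Patch: $2-\([0-9][0-9]*\) .*/\1/p" \
        | sort -n | tail -n 1
}

# patch_at_least LISTING PATCHID: succeed when PATCHID (e.g. 106125-06) or a
# later revision of the same base ID is installed.  Later revisions count
# because Sun patch revisions are cumulative, as this README's own history
# of -01 through -07 shows.
patch_at_least() {
    base=${2%-*}
    want=${2#*-}
    have=$(highest_rev "$1" "$base")
    [ -n "$have" ] || return 1
    [ "$(dec "$have")" -ge "$(dec "$want")" ]
}

# patch_for_arch ARCH: which of the two patch IDs in the Xref applies;
# ARCH is what "uname -p" prints.
patch_for_arch() {
    case "$1" in
        sparc) echo 108156-07 ;;
        i386)  echo 108157-07 ;;
        *)     return 1 ;;
    esac
}

# prereqs_ok LISTING OSREL ARCH: OSREL is "uname -r" (5.6 or 5.7).  On 5.6
# the README requires 106125-06 or later before patchadd; 5.7 has no
# prerequisite.  Prints whether the SunScreen patch is still needed.
prereqs_ok() {
    listing=$1; osrel=$2; arch=$3
    case "$osrel" in
        5.6) patch_at_least "$listing" 106125-06 || {
                 echo "missing prerequisite 106125-06 on Solaris 2.6" >&2
                 return 1
             } ;;
        5.7) ;;
        *)   echo "unsupported SunOS release: $osrel" >&2; return 1 ;;
    esac
    pid=$(patch_for_arch "$arch") || { echo "unsupported arch: $arch" >&2; return 1; }
    if patch_at_least "$listing" "$pid"; then
        echo "$pid already installed"
    else
        echo "ready to install $pid"
    fi
}

# Stand-alone run against the constructed listing.
prereqs_ok "$SAMPLE_LISTING" 5.6 i386
```

Run it with the real "showrev -p" output of the target host in place of the
constructed listing. The revision comparison strips leading zeros before
test(1) sees them, so an installed 106125-08 correctly satisfies the README's
106125-06 requirement and "08" is never parsed as an octal literal; a host
with no 106125 at all on SunOS 5.6 is refused before patchadd would be run.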