OBSOLETE Patch-ID# 112614-01 Keywords: ENCRYPTION SunScreen security international Synopsis: Obsoleted by: 112614-02 SunScreen 3.2 miscellaneous fixes for Trusted Solaris. Date: Sep/24/2002 ****************************************************** The items made available through this website are subject to United States export laws and may be subject to export and import laws of other countries. You agree to strictly comply with all such laws and obtain licenses to export, re-export, or import as may be required. Unless expressly authorized by the United States Government to do so you will not, directly or indirectly, export or re-export the items made available through this website, nor direct the items therefrom, to any embargoed or restricted country identified in the United States export laws, including but not limited to the Export Administration Regulations (15 C.F.R. Parts 730-774). ****************************************************** Install Requirements: None Solaris Release: Trusted_Solaris_8 SunOS Release: Unbundled Product: SunScreen EFS Unbundled Release: 3.2 Xref: This patch is available for Solaris 9 as Patch 112613. Topic: Relevant Architectures: BugId's fixed with this patch: 4458205 4474065 4475718 4494052 4498719 4504550 4504560 4504562 4530873 4546483 4623384 4627419 4632254 4641757 4641855 4650187 4658497 4693028 4701439 4708402 Changes incorporated in this version: 4458205 4474065 4475718 4494052 4498719 4504550 4504560 4504562 4530873 4546483 4623384 4627419 4632254 4641757 4641855 4650187 4658497 4693028 4701439 4708402 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /kernel/drv/screen /kernel/drv/sparcv9/screen /kernel/strmod/efs /kernel/strmod/sparcv9/efs /kernel/strmod/sparcv9/spf /kernel/strmod/spf /sbin/ss_plumb_interface /usr/kernel/drv/screen_ipsec /usr/kernel/drv/sparcv9/screen_ipsec /usr/kernel/misc/screen_raudio /usr/kernel/misc/screen_sqlnet /usr/kernel/misc/sparcv9/screen_raudio /usr/kernel/misc/sparcv9/screen_sqlnet /usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecHeader.class /usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecPanel.class /usr/lib/sunscreen/admin/jass/Finish/minimize-sunscreen.fin /usr/lib/sunscreen/lib/datacompiler /usr/lib/sunscreen/lib/edit /usr/lib/sunscreen/lib/efs2to3 /usr/lib/sunscreen/lib/natcompiler /usr/lib/sunscreen/lib/ss_access_convert /usr/lib/sunscreen/lib/ss_compiler /usr/lib/sunscreen/lib/ss_ha /usr/lib/sunscreen/lib/ss_had /usr/lib/sunscreen/lib/ss_rule_convert /usr/lib/sunscreen/ssadm/configure /usr/lib/sunscreen/ssadm/traffic_stats NOTE: Files changed in this version of the patch: /kernel/drv/screen /kernel/drv/sparcv9/screen /kernel/strmod/efs /kernel/strmod/sparcv9/efs /kernel/strmod/sparcv9/spf /kernel/strmod/spf /sbin/ss_plumb_interface /usr/kernel/drv/screen_ipsec /usr/kernel/drv/sparcv9/screen_ipsec /usr/kernel/misc/screen_raudio /usr/kernel/misc/screen_sqlnet /usr/kernel/misc/sparcv9/screen_raudio /usr/kernel/misc/sparcv9/screen_sqlnet /usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecHeader.class /usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecPanel.class /usr/lib/sunscreen/admin/jass/Finish/minimize-sunscreen.fin /usr/lib/sunscreen/lib/datacompiler /usr/lib/sunscreen/lib/edit /usr/lib/sunscreen/lib/efs2to3 /usr/lib/sunscreen/lib/natcompiler /usr/lib/sunscreen/lib/ss_access_convert /usr/lib/sunscreen/lib/ss_compiler /usr/lib/sunscreen/lib/ss_ha /usr/lib/sunscreen/lib/ss_had /usr/lib/sunscreen/lib/ss_rule_convert /usr/lib/sunscreen/ssadm/configure /usr/lib/sunscreen/ssadm/traffic_stats Problem Description: 4458205 error in traffic_stats output 4474065 screen write queue can fill up 4475718 large number of address objects can cause compile failure 4494052 UDP 162 is not being blocked 4498719 ifconfig modlist can fail with "invalid argument" 4504550 problem re-editing manual ipsec parameters in SunScreen GUI 4504560 cannot add Source/Dest tunnel in manual ipsec rules in GUI 4504562 cannot add tunnel address in manual ipsec rules in GUI 4530873 ssadm traffic_stats reports negative values 4546483 problem compiling manual IPsec policy in HA configuration 4623384 transport mode IPsec fragments dropped in reassembly 4627419 GUI does not allow ESP with no auth with IPsec Manual 4632254 sqlnet engine hangs after fetching few records 4641757 problem with screen_ipsec if wrong source tunnel address received 4641855 GUI strips out white space from key names when creating rules 4650187 problem with RealAudio traffic 4658497 only a single HA_ETHER object can be stored 4693028 stealth Screen can leak packets with no route to remote net 4701439 incorrect permissions on several SunScreen files 4708402 screen_ipsec module is not unloaded correctly Patch Installation Instructions: -------------------------------- See Special Install Instructions. Special Install Instructions: ----------------------------- Installation Instructions for the Administration Station -------------------------------------------------------- 1. Become root on the Administration Station. 2. Transfer the patch file to the Administration Station. 3. Then type: # uncompress 112614-01.tar.Z # tar xf 112614-01.tar # patchadd 112614-01 Installation Instructions for Locally Administered Screens ---------------------------------------------------------- 1. Become root on the Screen. 2. Transfer patch file to the Screen using a diskette or ftp (with 3 MB free). 3. Type the following: # uncompress 112614-01.tar.Z # tar xf 112614-01.tar # patchadd 112614-01 4. Reboot the Screen. How to be sure this is the Correct SunScreen 3.2 Patch ------------------------------------------------------ There were two revisions of the SunScreen 3.2 product. The installation of patch 112614-01 will fail if the revision you are patching does not match that of the product installed. In the case of a mismatch, you will see the following error: # patchadd 112614-01 Checking installed patches... One or more patch packages included in 112614-01 are not installed on this system. Patchadd is terminating. # To verify which product revision is installed, run the following command: # pkginfo -l SUNWsfwr | grep VERSION For patch 112614-01, the result should be as follows: 3.2,REV=42 If you get no result, then there was a problem installing the SunScreen 3.2 product initially, and the installation logs should be checked for errors. If you have a revision mismatch, the result will read as follows: 3.2,REV=45 In this case, you are installing the wrong patch. You should be installing patch 112613 instead. Instructions for Remotely Administered Screens in Stealth Mode -------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise transfer the patch to the Screen. 1. Become root on the Administration Station. 2. Transfer the patch file to the Administration Station. 3. Type the following: # ssadm -r patch install < 112614-01.tar.Z Installation Instructions for High Availability (HA) clusters. -------------------------------------------------------------- 1. Determine which screen is ACTIVE within the HA Cluster using the following command on each: # ssadm ha status 2. Follow appropriate patch installation instructions from this README file to install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster (determined from the previous step). 3. Be sure to reboot that screen upon completion of the patch installation. 4. After the reboot, the screen which the patch was just installed on will come up in PASSIVE mode and some other member of the HA cluster will become ACTIVE. 5. Repeat steps 1-4 until the patch has been applied to all members of the HA cluster. Notes on patching HA clusters: The SunScreen HA model works by having 2 or more firewalls in parallel. Both firewalls see the same packets and hence calculate the same statetable entries. If a packet matches a statetable entry , then it is passed through the screen. If the ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over. Existing connections will still be maintained as the PASSIVE firewall(s) which has just become ACTIVE will have the statetable entries. Once the originally ACTIVE firewall has been rebooted, it will have an empty statetable. This firewall will add any new connections made since it was rebooted to its statetable, but will not know about connections established before it was rebooted. If the currently ACTIVE screen is rebooted , some connections may get dropped. It's not possible to say exactly how long it will take for both (all) the firewalls to have the same statetable entries as this will depend on the type of connection being passed and the lifetime of this connection. Running the following command on both (all) firewalls in the cluster will give the administrator a good indication of when it is safe to reboot the second firewall, without significant loss of service: # ssadm lib/statetables | grep ESTABLISHED | wc -l Instructions for Identifying Patches Installed on System -------------------------------------------------------- 1. To identify the patch level on your locally administered Screen, type the commands: # ls -lt /var/sadm/patch > screen.pkginfo # pkginfo -l >> screen.pkginfo 2. To identify the patch level on your remotely administered Screen in stealth mode: # ssadm -r lib/support packages > screen.pkginfo This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents of /var/log/patch.log. 3. To identify the patch level on your Administration Station, type the commands: # ls -lt /var/sadm/patch > admin.pkginfo # pkginfo -l >> admin.pkginfo Instructions to remove the patch on the Administration Station -------------------------------------------------------------- 1. Become root on the Administration Station. 2. Then type: # patchrm 112614-01 Instructions to Remove the Patch on Locally Administered Screen --------------------------------------------------------------- 1. Become root on the Screen. 2. Type the following: # patchrm 112614-01 Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode -------------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise obtain access to a login prompt on the Screen. 1. Become root on the Administration Station. 2. Type the following: # ssadm -r patch backout 112614-01 Additional Patch Installation Instructions ------------------------------------------ Refer to the "Install.info" file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. README -- Last modified date: Tuesday, February 4, 2003