OBSOLETE Patch-ID# 112615-03

Keywords: encryption sunscreen international

Synopsis: Obsoleted by: 112615-04 SunScreen 3.2 miscellaneous fixes for Solaris 9 x86.

Date: Sep/19/2003

******************************************************
The items made available through this website are subject to United States export laws and may be subject to export and import laws of other countries. You agree to strictly comply with all such laws and obtain licenses to export, re-export, or import as may be required. Unless expressly authorized by the United States Government to do so you will not, directly or indirectly, export or re-export the items made available through this website, nor direct the items therefrom, to any embargoed or restricted country identified in the United States export laws, including but not limited to the Export Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

Install Requirements: None

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product: SunScreen EFS

Unbundled Release: 3.2

Xref: This patch is available for Solaris 9 SPARC as Patch 112613.
Topic:

Relevant Architectures: i386

BugId's fixed with this patch: 4475976 4484731 4531796 4599245 4621944 4636508 4636511 4636514 4710480 4710493 4713896 4729278 4731099 4760976 4762492 4764370 4764373 4767244 4770205 4790511

Changes incorporated in this version: 4484731 4599245 4636508 4636511 4636514 4710480 4790511

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

NOTE:

Files changed in this version of the patch:
/etc/init.d/plumbsunscreen
/kernel/drv/screen
/usr/lib/sunscreen/lib/ss_had
/usr/lib/sunscreen/proxies/ftpp

Files included with this patch:
/etc/init.d/plumbsunscreen
/etc/rcS.d/S21plumbsunscreen
/kernel/drv/screen
/kernel/strmod/efs
/kernel/strmod/spf
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/lib/sunscreen/admin/cgi-bin/html_logdump
/usr/lib/sunscreen/lib/authuser
/usr/lib/sunscreen/lib/datacompiler
/usr/lib/sunscreen/lib/jar_hash
/usr/lib/sunscreen/lib/jar_sig
/usr/lib/sunscreen/lib/logdump
/usr/lib/sunscreen/lib/logmacro
/usr/lib/sunscreen/lib/logmsg
/usr/lib/sunscreen/lib/natcompiler
/usr/lib/sunscreen/lib/proxyuser
/usr/lib/sunscreen/lib/ss_access_convert
/usr/lib/sunscreen/lib/ss_disable_send
/usr/lib/sunscreen/lib/ss_ha
/usr/lib/sunscreen/lib/ss_had
/usr/lib/sunscreen/lib/ss_logd
/usr/lib/sunscreen/lib/ss_rule_convert
/usr/lib/sunscreen/lib/ss_upgrade
/usr/lib/sunscreen/lib/strs
/usr/lib/sunscreen/lib/user_authenticate
/usr/lib/sunscreen/lib/vars
/usr/lib/sunscreen/proxies/ftpp
/usr/lib/sunscreen/ssadm/log
/usr/lib/sunscreen/ssadm/logdump
/usr/lib/sunscreen/ssadm/logmacro
/usr/lib/sunscreen/ssadm/logstats

Problem Description:

4484731 typo in ss_had error message
4599245 Some HA messages don't get into messages files
4636508 ss_had does not log enough information to diagnose HA issues.
4636511 Age drift can cause unnecessary HA failover.
4636514 Active screen will become passive then active when ss_had restarted on secondary
4710480 ss_had prints erroneous errors to syslog.
4790511 FTP proxy: after of subcommand REST error 503 bad sequence of commands

(from 112615-02)

4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback
4531796 ss_had shutdown sends gratuitous arp with wrong MAC address
4621944 ss_had is writing Error: received short packet to /var/adm/messages
4710493 Network error on heartbeat link can cause HA failover.
4713896 SunScreen3.1 allows to pass the TCP data packets prior to 3way-hand-shake.
4729278 logdump does no bounds checking on transient ports array
4731099 Panic in screen_nfsro:nfsro_tcp_check()
4760976 Fin Attack!! port continues being open
4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer.
4764370 Duplicate Syn/Ack can change SunScreen state from ESTABLISHED to CONNECTING
4764373 SunScreen does not check sequence numbers of FIN packets
4767244 SunScreen allows FIN packet in CONNECTING state.
4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------

Installation Instructions for the Administration Station
--------------------------------------------------------
1. Become root on the Administration Station.
2. Transfer the patch file to the Administration Station.
3. Then type:
   # uncompress 112615-03.tar.Z
   # tar xf 112615-03.tar
   # patchadd 112615-03

Installation Instructions for Locally Administered Screens
----------------------------------------------------------
1. Become root on the Screen.
2. Transfer the patch file to the Screen using a diskette or ftp (with 3 MB free).
3. Type the following:
   # uncompress 112615-03.tar.Z
   # tar xf 112615-03.tar
   # patchadd 112615-03
4. Reboot the Screen.
How to be sure this is the Correct SunScreen 3.2 Patch
------------------------------------------------------
There were two revisions of the SunScreen 3.2 product. The installation of patch 112615-03 will fail if the revision you are patching does not match that of the product installed. In the case of a mismatch, you will see the following error:

   # patchadd 112615-03
   Checking installed patches...
   One or more patch packages included in 112615-03 are not installed on this system.
   Patchadd is terminating.
   #

To verify which product revision is installed, run the following command:

   # pkginfo -l SUNWsfwr | grep VERSION

For patch 112615-03, the result should be as follows:

   3.2,REV=45

If you get no result, then there was a problem installing the SunScreen 3.2 product initially, and the installation logs should be checked for errors.

If you have a revision mismatch, the result will read as follows:

   3.2,REV=42

In this case, you are installing the wrong patch. You should be installing patch 112613 instead.

Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------
Use this procedure ONLY if you cannot otherwise transfer the patch to the Screen.

1. Become root on the Administration Station.
2. Transfer the patch file to the Administration Station.
3. Type the following:
   # ssadm -r patch install < 112615-03.tar.Z

Installation Instructions for High Availability (HA) clusters
-------------------------------------------------------------
1. Determine which screen is ACTIVE within the HA Cluster using the following command on each:
   # ssadm ha status
2. Follow the appropriate patch installation instructions from this README file to install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster (determined from the previous step).
3. Be sure to reboot that screen upon completion of the patch installation.
4. After the reboot, the screen on which the patch was just installed will come up in PASSIVE mode and some other member of the HA cluster will become ACTIVE.
5. Repeat steps 1-4 until the patch has been applied to all members of the HA cluster.

Notes on patching HA clusters:

The SunScreen HA model works by having 2 or more firewalls in parallel. Both firewalls see the same packets and hence calculate the same statetable entries. If a packet matches a statetable entry, then it is passed through the screen. If the ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over. Existing connections will still be maintained, as the PASSIVE firewall which has just become ACTIVE will have the statetable entries.

Once the originally ACTIVE firewall has been rebooted, it will have an empty statetable. This firewall will add any new connections made since it was rebooted to its statetable, but will not know about connections established before it was rebooted. If the currently ACTIVE screen is rebooted before the other screens have rebuilt their statetables, some connections may get dropped. It is not possible to say exactly how long it will take for both (all) the firewalls to have the same statetable entries, as this will depend on the type of connection being passed and the lifetime of this connection.

Running the following command on both (all) firewalls in the cluster will give the administrator a good indication of when it is safe to reboot the second firewall without significant loss of service:

   # ssadm lib/statetables | grep ESTABLISHED | wc -l

Instructions for Identifying Patches Installed on System
--------------------------------------------------------
1. To identify the patch level on your locally administered Screen, type the commands:
   # ls -lt /var/sadm/patch > screen.pkginfo
   # pkginfo -l >> screen.pkginfo
2. To identify the patch level on your remotely administered Screen in stealth mode:
   # ssadm -r lib/support packages > screen.pkginfo
   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents of /var/log/patch.log.
3. To identify the patch level on your Administration Station, type the commands:
   # ls -lt /var/sadm/patch > admin.pkginfo
   # pkginfo -l >> admin.pkginfo

Instructions to remove the patch on the Administration Station
--------------------------------------------------------------
1. Become root on the Administration Station.
2. Then type:
   # patchrm 112615-03

Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------
1. Become root on the Screen.
2. Type the following:
   # patchrm 112615-03

Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------------------------
Use this procedure ONLY if you cannot otherwise obtain access to a login prompt on the Screen.

1. Become root on the Administration Station.
2. Type the following:
   # ssadm -r patch backout 112615-03

Additional Patch Installation Instructions
------------------------------------------
Refer to the "Install.info" file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch.

README -- Last modified date: Wednesday, December 10, 2003
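The two checks the README asks the administrator to make by hand before and during an HA rolling patch (confirming the SUNWsfwr revision matches patch 112615-03, and comparing ESTABLISHED statetable counts before rebooting the next cluster member) can be scripted. The script below is an added example; it is not part of the Sun README or the SunScreen product. It reads the output of `pkginfo -l SUNWsfwr` and `ssadm lib/statetables` on standard input so that it can be run against saved command output; the sample inputs embedded in it are constructed, and the "within N entries" tolerance in statetable_caught_up is an assumed heuristic (the README only says the counts give a good indication).

```shell
#!/bin/sh
# Added example, not part of the Sun README or the SunScreen product.
# Pre-flight checks for the README's procedures:
#   select_patch          - reads `pkginfo -l SUNWsfwr` output and reports which
#                           patch the installed revision calls for (REV=45 -> 112615,
#                           REV=42 -> 112613), so a mismatched patchadd is avoided.
#   count_established     - the README's `grep ESTABLISHED | wc -l` over
#                           `ssadm lib/statetables` output.
#   statetable_caught_up  - compares the rebooted screen's count with the active
#                           screen's before the next HA member is rebooted.
# The tolerance used by statetable_caught_up is an assumption for illustration.

# Print the patch id matching the installed SUNWsfwr revision.
# Input: `pkginfo -l SUNWsfwr` on stdin. Output: 112615, 112613,
# NOT-INSTALLED (no VERSION line, i.e. the product install itself failed)
# or UNKNOWN (an unexpected revision string).
select_patch() {
  version=$(sed -n 's/^[[:space:]]*VERSION:[[:space:]]*//p' | head -n 1)
  case "$version" in
    "")          echo "NOT-INSTALLED" ;;
    3.2,REV=45)  echo "112615" ;;
    3.2,REV=42)  echo "112613" ;;
    *)           echo "UNKNOWN" ;;
  esac
}

# Count ESTABLISHED entries in statetable output read on stdin.
# grep -c prints 0 but exits non-zero when nothing matches, so mask that.
count_established() {
  grep -c ESTABLISHED || true
}

# Exit 0 when the rebooted screen's ESTABLISHED count is within TOLERANCE
# entries of the active screen's count, exit 1 otherwise.
# Usage: statetable_caught_up ACTIVE_COUNT REBOOTED_COUNT TOLERANCE
statetable_caught_up() {
  active=$1; rebooted=$2; tolerance=$3
  [ $((active - rebooted)) -le "$tolerance" ]
}

# Constructed sample inputs standing in for real command output.
SAMPLE_PKGINFO='   PKGINST:  SUNWsfwr
      NAME:  SunScreen
   VERSION:  3.2,REV=45'
SAMPLE_ACTIVE_TABLE='tcp 192.0.2.10:40001 192.0.2.20:22 ESTABLISHED
tcp 192.0.2.11:40002 192.0.2.20:80 ESTABLISHED
tcp 192.0.2.12:40003 192.0.2.20:443 CONNECTING
tcp 192.0.2.13:40004 192.0.2.20:25 ESTABLISHED'
SAMPLE_REBOOTED_TABLE='tcp 192.0.2.11:40002 192.0.2.20:80 ESTABLISHED
tcp 192.0.2.13:40004 192.0.2.20:25 ESTABLISHED'

# Demo run over the constructed samples.
echo "patch to install: $(printf '%s\n' "$SAMPLE_PKGINFO" | select_patch)"
a=$(printf '%s\n' "$SAMPLE_ACTIVE_TABLE" | count_established)
r=$(printf '%s\n' "$SAMPLE_REBOOTED_TABLE" | count_established)
if statetable_caught_up "$a" "$r" 1; then
  echo "statetables in step (active=$a rebooted=$r): safe to reboot next member"
else
  echo "statetables not yet in step (active=$a rebooted=$r): wait"
fi
```

Against live systems, replace the constructed samples with `pkginfo -l SUNWsfwr | select_patch` on the Screen and with the saved `ssadm lib/statetables` output from each cluster member; a result of NOT-INSTALLED corresponds to the README's "no result" case and means the product installation logs, not the patch, should be examined first.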