Patch-ID# 112238-13 NOTE: *********************************************************************** READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE. *********************************************************************** Keywords: security krb5 client authentication fails interfaces buffer overrun Synopsis: SunOS 5.8_x86: mech_krb5.so.1 patch Date: Nov/10/2005 Install Requirements: Reboot after installation, an alternative may be in Special Install Instructions Install in Single User Mode Solaris Release: 8_x86 SunOS Release: 5.8_x86 Unbundled Product: Unbundled Release: Xref: This patch available for SPARC as patch 112237 Topic: SunOS 5.8_x86: mech_krb5.so.1 patch Relevant Architectures: i386 BugId's fixed with this patch: 4338622 4360141 4423818 4496679 4521000 4526202 4677605 4691352 4786126 4807010 4836676 4851952 4860226 4882946 4957406 5008950 5055875 6261685 6284864 Changes incorporated in this version: 4786126 4860226 4957406 5008950 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: 109224-02 (or greater) Obsoleted by: Files included with this patch: /kernel/misc/kgss/gl_kmech_krb5 /usr/lib/gss/gl/mech_krb5.so /usr/lib/gss/gl/mech_krb5.so.1 /usr/lib/gss/mech_dh.so.1 Problem Description: 5008950 fix for 4957406 is incomplete 4957406 nfs on kerberized file systems thinks I'm nobody 4860226 fix for 4786126 is not complete 4786126 delegated credentials not provided to caller of gss_accept_sec_context (from 112238-12) 6261685 Security: buffer overflow, heap corruption in KDC 6284864 krb5_recvauth() may free memory twice under certain conditions (from 112238-11) 4851952 krb5_os_localaddr() doesn't work correctly when multiple interfaces configured (from 112238-10) 4807010 Crash in the gssapi module 5055875 buffer overflow in (undocumented) auth_to_local rules (from 112238-09) 4882946 GSS_C_NO_BUFFER: gss_init_sec_context gives an Error code (from 112238-08) 4836676 Bounds checks not in place for princs in krbv5 (from 112238-07) 4521000 krb5_gss_wrap_size_limit() does not work (from 112238-06) 4423818 krb5 mechanism validating the wrong encryption type field 4691352 Multiple Kerberos vulnerabilities need to be fixed (from 112238-05) 4526202 pam_krb5 auth can fail with multiple ftp sessions of same user (from 112238-04) 4360141 kpasswd needs to be able to interface with MIT (from 112238-03) 4677605 mech_krb5 patches need a dependency on the libgss patch (from 112238-02) 4338622 BUFFER OVERRUN VULNERABILITIES IN KERBEROS (SEAM) (from 112238-01) 4496679 krb5 client authentication fails with 32 interfaces Patch Installation Instructions: -------------------------------- For Solaris 2.0-2.6 releases, refer to the Install.info file and/or the README within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. For Solaris 7-10 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/104945-02 The following example removes a patch from a standalone system: example# patchrm 104945-02 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- Perform patch installation in single user mode. Reboot the system after patch installation. README -- Last modified date: Thursday, November 10, 2005