Patch-ID# 112960-34

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE,
YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL
OF THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: security libsldap ldap_cachemgr ldap sigbus buffer libldap
Synopsis: SunOS 5.9: ldap library Patch
Date: Feb/01/2006

Install Requirements: See Special Install Instructions
                      Reboot immediately after patch is installed
                      Install in Single User Mode

Solaris Release: 9

SunOS Release: 5.9

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 114242

Topic: SunOS 5.9: ldap library Patch

Relevant Architectures: sparc

BugId's fixed with this patch:
    4192824 4248430 4357827 4390053 4523936 4614945 4624458 4626861
    4630226 4643366 4645604 4648140 4648146 4658569 4658625 4660019
    4670947 4677591 4682120 4683522 4688752 4698366 4698379 4698387
    4700602 4702568 4709300 4720818 4723361 4743707 4746114 4747441
    4751386 4751394 4754634 4755582 4756113 4757282 4765506 4768140
    4774607 4776571 4779333 4780109 4784324 4787488 4791006 4793719
    4802414 4805635 4830406 4830525 4858673 4873939 4874749 4877796
    4887906 4890233 4890303 4894583 4913437 4920444 4966423 4977110
    4980441 4981868 4988859 5003953 5005602 5006801 5007891 5012514
    5014922 5014993 5022076 5044522 5047250 5055748 5067333 5096736
    6219143 6226776 6230927 6232564 6232579 6262121 6262153 6276525

Changes incorporated in this version: 4791006

Patches accumulated and obsoleted by this patch: 113152-01 113166-01 113476-13

Patches which conflict with this patch:

Patches required with this patch: 112874-06 (or greater)

Obsoleted by:

Files included with this patch:

/usr/include/ldap.h
/usr/lib/abi/abi_libldap.so.5
/usr/lib/abi/abi_libsldap.so.1
/usr/lib/abi/sparcv9/abi_libldap.so.5
/usr/lib/abi/sparcv9/abi_libsldap.so.1
/usr/lib/ldap/ldap_cachemgr
/usr/lib/libldap.so.4
/usr/lib/libldap.so.5
/usr/lib/libpam.so.1
/usr/lib/libsldap.so.1
/usr/lib/llib-lldap
/usr/lib/llib-lldap.ln
/usr/lib/llib-lpasswdutil
/usr/lib/llib-lpasswdutil.ln
/usr/lib/llib-lsldap
/usr/lib/llib-lsldap.ln
/usr/lib/nss_ldap.so.1
/usr/lib/passwdutil.so.1
/usr/lib/security/pam_authtok_check.so.1
/usr/lib/security/pam_authtok_get.so.1
/usr/lib/security/pam_authtok_store.so.1
/usr/lib/security/pam_dhkeys.so.1
/usr/lib/security/pam_ldap.so.1
/usr/lib/security/pam_passwd_auth.so.1
/usr/lib/security/pam_unix_account.so.1
/usr/lib/security/pam_unix_auth.so.1
/usr/lib/security/sparcv9/pam_authtok_check.so.1
/usr/lib/security/sparcv9/pam_authtok_get.so.1
/usr/lib/security/sparcv9/pam_authtok_store.so.1
/usr/lib/security/sparcv9/pam_dhkeys.so.1
/usr/lib/security/sparcv9/pam_ldap.so.1
/usr/lib/security/sparcv9/pam_passwd_auth.so.1
/usr/lib/security/sparcv9/pam_unix_account.so.1
/usr/lib/security/sparcv9/pam_unix_auth.so.1
/usr/lib/sparcv9/libldap.so.4
/usr/lib/sparcv9/libldap.so.5
/usr/lib/sparcv9/libpam.so.1
/usr/lib/sparcv9/libsldap.so.1
/usr/lib/sparcv9/llib-lldap.ln
/usr/lib/sparcv9/llib-lpasswdutil.ln
/usr/lib/sparcv9/llib-lsldap.ln
/usr/lib/sparcv9/nss_ldap.so.1
/usr/lib/sparcv9/passwdutil.so.1
/usr/sbin/ldapclient

Problem Description:

4791006 ldap_cachemgr initializes ldap_cache_door file with wrong permissions

(from 112960-33)

6226776 The passwd command will fail if first ldap server in referral list is down.
6276525 libldap5 cores when trying to resolve hostname

(from 112960-32)

6262121 Solaris 9 & 8 libldap5 crash when compiled with -DDEBUG and using SSL
6262153 Unable to build libldap5 with LDAP_DEBUG defined for Solaris 8 or 9 due to error in request.c

(from 112960-31)

4626861 If a search times out, libsldap logs the wrong message
6232564 when interrupted (EINTR) while polling, libsldap should retry the poll
6232579 libldap not handling select() failures when issuing a connection

(from 112960-30)

6230927 Using multiple netgroups in the nfs_share access list breaks the access list.

(from 112960-29)

This is a respin of the previous revision to fix a patch property problem.

(from 112960-28)

5055748 memory leak in libsldap/sldaputil
5047250 automountd memory-heap is growing on solaris 8 with latest 108993-33 patch

(from 112960-27)

4755582 authtok_check: old and new password diff. check should loop through shorter len.

(from 112960-26)

6219143 LDAP server failover causes client to delete cert7.db file.

(from 112960-25)

4688752 "ldapclient mod" with no arguments causes naming services to fail
4698387 "ldapclient manual" results in "__default_config" error message on console.
4698366 "ldapclient list" does not display CACHETTL when it set.
4698379 "ldapclient manual" gets a default CACHETTL of 3600
4702568 "ldapclient uninit" does not restore /etc/.rootkey
5007891 passwd(1) command may SEGV on NIS+ master servers.
5096736 pwd change in NIS+ fails with "Permission denied" if new pwd is longer than 11 bytes

(from 112960-24)

4784324 ldapaddent: does not function with tls specified
5022076 pam_ldap:pam_sm_acct_mgmt() uses incorrect password in BIND to LDAP

(from 112960-23)

4894583 su to a local account will dump core, if LDAP is enabled

(from 112960-22)

5014922 bugfix for 4624458 causes compatibility problems between libsldap and libldap

(from 112960-21)

4858673 innetgr may never return and when it does may produce incorrect results

(from 112960-20)

5005602 ldapaddent does not work with iDS 5.2
5044522 Root is able to change user passwd if no of attempts > max_attempts in nis+.

(from 112960-19)

4981868 "passwd " with NIS+ backend chooses wrong uid/credentials for update

(from 112960-18)

5014993 user logins may fail when nsswitch compat mode is used with NIS+ or LDAP
5067333 S9 needs fix for 5036036

(from 112960-17)

4966423 RBAC exec_attr search in LDAP: everything's wild
4988859 passwd -g, -e, -h cause segfault
5003953 Logins to Solaris 9 NIS+ clients always talk to master even when it is down

(from 112960-16)

4913437 Changing password in NIS+ fails on S9 clients with "Permission denied"
5012514 'passwd ' fails as root on NIS+ systems
4980441 PAM module pam_dhkeys fails to retrieve changed credentials

(from 112960-15)

5006801 getprojent(3project) dumps core with LDAP project(4) database

(from 112960-14)

4977110 passwd doesn't work with compat entries in /etc/nsswitch.conf

(from 112960-13)

4890303 pam_ldap should return PAM_AUTH_ERROR instead of PAM_PERM_DENIED

(from 112960-12)

4920444 libldap.so.4 ber encoding memory corruption

(from 112960-11)

4523936 mountd memory leak when using Native LDAP

(from 112960-10)

4787488 ldapaddent can only add ethers or bootparams for the same hosts, not both.

(from 112960-09)

4643366 Groups with no members broken
4779333 ldap get*ent requests may free already freed memory
4780109 __ns_ldap_firstEntry may return a cookie that is freed
4830525 Buffer overflow in nss_ldap.so.1

(from 112960-08)

4802414 Client does not follow referral without hostname.
4658569 Following referrals does not work in all cases

(from 112960-07)

4757282 ldapclient init fails with SIGBUS if SSD's are > 15 in profile

(from 112960-06)

4624458 if hostname is used in NS_LDAP_SERVERS, ldap goes into loop
4723361 log messages when resolving hostname for ldap_server
4776571 Applications running on SSL enabled native ldap clients may crash at termination

(from 112960-05)

4751386 ether_ntohost() fails with rc 1 when resolving data from LDAP

(from 112960-04)

4720818 LDAP naming services fails when domainname is greater than 23 characters

(from 112960-03)

4357827 pam_ldap should fully support password aging
4677591 implement PSARC/2002/241 - PAM binding control flag
4660019 nss_ldap.so may return non '-1' values for getspnam()
4682120 get/set_item conversation function tracing needs improvement.
4658625 pam_framework doesn't trace pam_chauthtok PAM_TRY_AGAIN return.
4683522 pam_get_data tracing could improve.

(from 112960-02)

4614945 Memleak in getgrent() when using against Native Ldap.

(from 112960-01)

4645604 A race condition in ldap_cachemgr cause ldapclient to fail
4630226 __s_api_requestServer fails when ldap_cachemgr is updating the profile
4648140 libsldap fails when NS_LDAP_CACHETTL = 0
4648146 __ns_ldap_getParam returned incorrect value for the NS_LDAP_EXP parameter

(from 113476-13)

4887906 pam_sm_chauthtok() returns 13 (PAM_USER_UNKNOWN) if lastchg=0 for local users

(from 113476-12)

4890233 using 'use_first_pass' for pam_ldap does not work

(from 113476-11)

4746114 libpam internationalized messages are off by 1 for locale != C
4793719 pam_authtok_check.so.1::circ() too space-conservative
4805635 root may change enduser password in NIS+ without entering its own password
4877796 passwd (passwdutil) inadvertently resets aging information

(from 113476-10)

4873939 pam and compat do not work after applying patch 108993-18

(from 113476-09)

4874749 passwd -x modifies the lastchg field also in /etc/shadow file

(from 113476-08)

4765506 NIS+ password problems with Solaris 9
4768140 passwd core dumps when changing shell

(from 113476-07)

4774607 pam_ldap gets confused when root tries to change user's password

(from 113476-06)

4830406 passwdutil is too dumb to handle NIS+ subdomains correctly

(from 113476-05)

4743707 non-default nsswitch backends confuse passwdutil.so.1
4747441 pam_authtok_store does not map all the PWU errors to PAM errors
4751394 non decisive modules should not return PAM_SUCCESS
4754634 passwd command seg faults when updating user can't be authenticated to LDAP

(from 113476-04)

4756113 libc version number is incorrect in s9u2

(from 113476-03)

4709300 passwd fails if the pam_authtok_store service was specified with server_policy

(from 113476-02)

4670947 logins failing when NIS is backend for authentication

(from 113476-01)

This patch revision accumulates/obsoletes Solaris Update s9u2
feature point patches: 113152-01 113166-01

(from 113152-01)

4357827 pam_ldap should fully support password aging
4677591 implement PSARC/2002/241 - PAM binding control flag
4660019 nss_ldap.so may return non '-1' values for getspnam()
4682120 get/set_item conversation function tracing needs improvement.
4658625 pam_framework doesn't trace pam_chauthtok PAM_TRY_AGAIN return.
4683522 pam_get_data tracing could improve.

(from 113166-01)

4390053 crypt(3c) needs to interoperate with BSD and Linux
4248430 RFE: NIS+ should support alternate encryption algorithms for the user password
4192824 newkey/chkey should use a configurable crypt() to encrypt the users password
4700602 crypt_gensalt should be version SUNW_1.22 instead of SUNW_1.21

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

    example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

NOTE 1: To get the complete Flexible Crypt feature, please also
        install the following patches:

        113475-01 (or greater)  libsecurity crypt patch
        113480-01 (or greater)  pam_unix patch
        113481-01 (or greater)  nispasswdd patch
        113482-01 (or greater)  sbin/sulogin patch
        113483-01 (or greater)  rpc.ypasswdd patch

NOTE 2: To get the complete fix for the bug 4765506 (NIS+ password
        problems with Solaris 9), please also install the following
        patch:

        113319-14 (or greater)  rpc.nispasswdd patch

NOTE 3: Migrating Your Sun Java System Directory Server

        Schema changes were implemented between the release of Sun
        Java System (formerly Sun ONE) Directory Server 5.1 and the
        release of Directory Server 5.2. ldapaddent now adds
        "objectclass: device" to the entries of ethers/bootparams.
        Therefore, if you choose to use the LDAP commands to migrate
        directory data from Directory Server 5.1 to 5.2, you must use
        ldapaddent -d to export data and ldapaddent to import data.
        Otherwise if you use the Sun Java System Directory Server
        tools db2ldif and ldif2db to migrate data, you must apply
        Directory Server 5.2 with all patches before migrating the
        data or the data import could fail.

README -- Last modified date: Wednesday, February 1, 2006