Patch-ID# 114880-04
Keywords: sun ray update patch security
Synopsis: Sun Ray Server version 2.0 Patch Update
Date: Apr/27/2004

Install Requirements: Reboot after installation

Solaris Release: 8 9

SunOS Release: 5.8 5.9

Unbundled Product: Sun Ray Server Software

Unbundled Release: 2.0

Xref:

Topic:

Relevant Architectures: sparc

BugId's fixed with this patch:
4369691 4433854 4759966 4775352 4781321 4792984 4810192 4810962
4813815 4817187 4825312 4825808 4828674 4833004 4834790 4836233
4838105 4838376 4838723 4839252 4839685 4840440 4841227 4841245
4841279 4841623 4841678 4842640 4842791 4842800 4844714 4847413
4847657 4849042 4850576 4855375 4857347 4858575 4863617 4874498
4877262 4878246 4881981 4889019 4890267 4894276 4898094 4902617
4905168 4907215 4913927 4917981 4931943 4934961 4937735 4942260
4944875 4945510 4954684 4958188 4958479 4959964 4959969 4959976
4960514 4963980 4965543 4965942 4965958 4967253 4976175 4977771
4979769 4980867 4985620 4992187 4992396 4994404 4995913 4997442
4997503 5003520 5006545 5009497 5010353 5010789 5012100 5013617
5013715 5014959 5016553 5024925 5028734

Changes incorporated in this version:
4775352 4759966 4960514 4979769 4980867 4995913 4841245 4842800
4847413 4847657 4850576 4857347 4942260 4944875 4945510 4954684
4965543 4967253 4976175 4997503 4992396 4917981 4958479 4985620
4997442 4994404 5009497 5010353 4849042 4977771 5003520 5006545
5013715 5014959 4937735 4838376 4992187 4965942 4965958 5010789
5016553 5013617 5012100 4963980 5024925 5028734

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/opt/SUNWut/gulogin.start
/etc/opt/SUNWut/loginGUI.start
/etc/opt/SUNWut/sessionTypes.props
/etc/opt/SUNWut/smartcard/ActivCardGoldJavaCard.cfg
/etc/opt/SUNWut/smartcard/JavaBadgeCAC.cfg
/etc/opt/SUNWut/smartcard/probe_order.conf
/etc/opt/SUNWut/tokenreader.start
/opt/SUNWut/bin/utaudio
/opt/SUNWut/cgi-bin/desktop
/opt/SUNWut/cgi-bin/log
/opt/SUNWut/lib/app-defaults/guloginGUI.res
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/guloginGUI
/opt/SUNWut/lib/libsrcom.so.2
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/libutjadmin.so
/opt/SUNWut/lib/libutscr.so.2
/opt/SUNWut/lib/libutsmon.so.1
/opt/SUNWut/lib/modules/Authxlation.jar
/opt/SUNWut/lib/modules/StartSession.jar
/opt/SUNWut/lib/modules/StartxlationSession.jar
/opt/SUNWut/lib/modules/TerminalId.jar
/opt/SUNWut/lib/nscloginGUI
/opt/SUNWut/lib/pixmaps/GUdefault.xpm
/opt/SUNWut/lib/pixmaps/GUsunray.xpm
/opt/SUNWut/lib/scloginGUI
/opt/SUNWut/lib/settings.jar
/opt/SUNWut/lib/sunray_get_user.so.1
/opt/SUNWut/lib/tokenreader.yuv
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevctl
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utdmsession
/opt/SUNWut/lib/utdtsession
/opt/SUNWut/lib/utgenpolicy
/opt/SUNWut/lib/utload
/opt/SUNWut/lib/utpamcfg
/opt/SUNWut/lib/utparalleld
/opt/SUNWut/lib/utprefs-helper
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/utsessiond
/opt/SUNWut/lib/utxexec
/opt/SUNWut/lib/utxinit
/opt/SUNWut/lib/utxset
/opt/SUNWut/lib/yuvfile
/opt/SUNWut/sbin/utdesktop
/opt/SUNWut/sbin/utfwadm
/opt/SUNWut/sbin/utresadm
/opt/SUNWut/sbin/utresdef
/opt/SUNWut/sbin/utuser
/usr/lib/secure/libc_ut.so
/usr/lib/secure/sparcv9/libc_ut.so
/usr/openwin/server/modules/ddxSUNWsunray.so.1

Problem Description:

4759966 utdevmgrd: getting double mapping error messages and incorrect $UTDEVROOT link
4775352 Second screen in MH config goes blank on its own
4838376 cannot issue CLEAR_FEATURE command on USB bulk endpoint
4841245 Random port selections aren't random enough
4842800 utaudio and utxset don't do bw management properly
4847413 Screen update does not occur when flipping screens
4847657 Rasterop lines are drawn twice
4849042 Group manager segment violation when too many interfaces are configured
4850576 Degenerate multihead breaks and remakes connection when switching screens
4857347 forceInsert property is not cleared until the next redirection
4917981 Add keyboard, mouse, monitor to card reader and you can bypass security policy
4937735 double ldap_value_free() call in ut_incGeneration()
4942260 Firmware upgrades fail over high latency, lbw connections
4944875 Need to explicitly request vendor parameters
4945510 utload can't load firmware to Copernicus hardware or to multihead secondaries
4954684 Firmware load icon can display incorrect FW server
4958479 ut_check_name needs to be public
4960514 Sun Ray 1G needs normal blanking interval 1600x1200 at 60 Hz timing
4963980 Need server-side support for 1600x1200@60 VESA timing
4965543 Sun Ray DTUs don't work behind NAT gateways
4965942 svclib/svcs needs to use unique ut_ naming for register callbacks.
4965958 usblib returns incorrect value for I/O calls when length exceeds MAX_DATA
4967253 DHCP lease renewal algorithm is flawed
4976175 X server crashes in newtPolyFillRect
4977771 Load Balancing doesn't work properly in LAN deployment of SRS2.0
4979769 rendering issues on SR1G
4980867 Icons don't show up at all on a P7 based SR100
4985620 USB mass storage service needs to know display ID
4992187 svclib device struct missing certain device descriptor fields
4992396 authd not responding to callback requests
4994404 server side OSD icons change to 26D after some time
4995913 sunray firmware closes tcp connection unnecessarily
4997442 device link name generation should be consistent
4997503 long delay between card insertion and PIN loginGUI.
5003520 Recursive mutex locking in processing callme causes false deadlock detection
5006545 Loss of network connection is not reported quickly enough
5009497 Scrolling of a textedit window continues after button release
5010353 Crossing screens in degenerate mode can cause the mouse to hang
5010789 Add support for Quatech DSU-100 devices
5012100 scbus library always passes UID=0 to DM
5013617 mouse freezes when dragging windows across multiheads
5013715 set boot protocol is missing for some mice devices
5014959 X server font cache disables itself on output disable/reenable
5016553 X server calls ALP rendering functions from a signal handler
5024925 SunRayServer 2.0 failover groups fail
5028734 firmware needs to support short reads for control transfers

(from 114880-03)

4889019 Card Recognition fails at times on P4 hardware
4902617 Provide firmware support for Sunray Plus (P7) models
4905168 Oberthur cards don't work with on SunRays
4913927 Unable to read ATR on P4 boards.
4931943 Firmware returns wrong data for some APDUs
4934961 The audio quality from Sunray is quite poor.
4958188 tmds pll programming on SR 1g incorrect
4959964 SRCOM library needs to support PC/SC
4959969 scbus library has terminal list race condition
4959976 Update smartcard config file to extract username from CAC

(from 114880-02)

4369691 Firmware info displayed in GUI/CLI for DTU is confusing to user.
4781321 SunRay Module causes SunMC agent VM to grow
4792984 pam.conf update ignores existing pam entries for dtlogin/dtsession
4834790 Firmware returns wrong data for return code 0x63XX during an APDU transaction.
4838105 utuser -p $CORONA_TOKEN sometimes fails when raw token is JavaBadge
4855375 Load balancing takes too long to even out unbalanced load.
4858575 /usr/lib/libc_ut.so library's stat routine seg. faults at NULL file argument
4863617 ut_isServerAlive SEGFAULTS if server times out
4877262 GNC vulnerability in non-default session types
4878246 off-by-one memory write in library key/value code
4881981 Admin library calls use multithread unsafe system calls.
4890267 New Quatech SSU-100 devices (PID 0xC020) not working with SunRays
4894276 Sun Ray firmware responds to arbitrary multicast ping
4898094 Freed memory is being referenced later in the code.
4907215 utinfo::issuePropertiesCallback() should block for connected

(from 114880-01)

4433854 Sometimes smartcard removal is not detected and session stays active
4810192 X server rendering cleanup
4810962 A forceInsert on redirect should carry forward the redirectProps values
4813815 username property does not get carried along for redirects to non-trusted hosts
4817187 Minor mathematical manipulation mitigates multihead mouse mispositioning
4825312 CAM/kiosk session does not restart after logout on fast hardware
4825808 Javabadge smartcards are sometimes recognized as OpenPlatform cards.
4828674 sunray_get_user.so does not work correctly if stacked multiple times
4833004 Determine the home server for a DTU
4836233 Lazy Authentication, authd should push authentication to as late as possible
4838723 Remove the acceptRedirectToken property from auth.props
4839252 SRSS2.0; outline of StarOffice window remains
4839685 X server drops to lbw limit when packets are lost
4840440 postpatch script needs to handle LAN case for utfwadm
4841227 Bad processing after lost packet causes bad command interpretation
4841279 utfwadm -N all with no LAN subnets gives bogus errors
4841623 Need a new PAM module to get username information
4841678 utfwadm -A -a -N all does not work
4842640 Need utility interfaces for lazy auth (sunray_get_user)
4842791 Redirection from server doing encryption to one that's not fails
4844714 Add DHCP XDM option to specify Sun Ray server list
4874498 Sun/Fujitsu mouse rev(05c/06c) may fail to work in SunRay due to bad packets

Patch Installation Instructions:
--------------------------------

For Solaris 2.8 & 9 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/114880-04

The following example removes a patch from a standalone system:

    example# patchrm 114880-04

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

"NOTE 1: To get the complete fix for 4484759, Solaris 8 users should
also install 108528-15 (or later): kernel update patch".

"NOTE 2: To get the complete fix for 4678927, Solaris 8 users should
also install 108652-59 (or later): Xsun patch".

"NOTE 3: To get the complete fix for 4642695, Solaris 8 users should
also install 108940-46 (or later): Motif runtime library patch,
Solaris 7 users should install 107081-51 (or later), Solaris 2.6 users
should also install 105284-50 (or later)."

Required Patches
----------------

Warnings & Errors
-----------------

** WARNING: This patch should only be applied to systems which have
Sun Ray Server Software 2.0 fully installed. Do not attempt to add
this patch to the UFS image to be applied as part of the install
process **

** WARNING: Unconfiguring the Sun Ray Server Software before removal
of this patch may lead to error messages and/or removal failure **

WARNING: Login behavior for Non-SmartCard Mobility sessions is
slightly different, see the following section on LAN Security
Enhancement.

LAN Security Enhancement
------------------------

LAN Security for Non-SmartCard Mobility (NSCM) has been improved, and
this results in a very slightly different user experience when logging
in, which users may wish to be prepared for.

The property acceptRedirectTokens in /etc/opt/SUNWut/auth.props no
longer exists. Instead, normal login for NSCM now may redirect a user
after the username is entered and before the password-entry screen is
presented. This results in final authentication occurring on the
server where the user's session will be accessed or created.

This has two user-visible effects, when contrasted to the previous
default case where acceptRedirectTokens=false:

1. Users will never need to enter their username and password twice.

2. After entering the username, the NSCM screen will disappear and
   some Sun Ray On Screen Display (OSD) icons will briefly appear
   while the Sun Ray is being redirected to the correct server, after
   which the NSCM screen for "Enter password" will appear.

Note that type-ahead will no longer function during this interval. The
user must now wait for the password-entry screen to be drawn before
typing their password.
It is hoped that this should not present a significantly different
login experience to users, while providing increased security.

Sun Ray Firmware Upgrades
-------------------------

This patch includes firmware updates for Sun Ray appliances. The
updated firmware will be loaded by your Sun Ray appliances through the
usual Sun Ray firmware download mechanism. The firmware changes are
independent of the Sun Ray Server Software changes but are delivered
in this patch for your convenience.

If this patch is being applied to servers configured into a Sun Ray
failover group it must be applied to all servers in the group at your
earliest convenience. While some members of the group remain unpatched
the restart time of your Sun Ray appliances may be noticeably longer
than usual. The increased restart time can be avoided by taking the
action described in step 1 below.

The following additional steps are required when adding this patch on
a live system:

(before applying patch to system)
1. (optionally) Suppress firmware downloads from all servers in a
   Sun Ray failover group
2. Stop Sun Ray services on the server being patched
(after applying patch)
3. Reboot the Sun Ray server

To remove this patch, carry out these steps in the following order:

(before removing the patch)
1. (optionally) Suppress firmware downloads from all servers in a
   Sun Ray failover group
2. Stop Sun Ray services on the server being patched
(after removing the patch)
3. Reboot the Sun Ray server

Detailed Steps
--------------

1. Suppress firmware downloads

If the server being patched is not a member of a Sun Ray failover
group you should skip this step. If the server being patched is a
member of a Sun Ray failover group then this step is optional but is
strongly recommended.

At Patch Installation
---------------------

Before adding this patch to servers configured into a Sun Ray failover
group we advise that you disable Sun Ray firmware delivery from all
unpatched hosts in the failover group.
On each host in the group:

For each of the dedicated network interconnects:

    $ /opt/SUNWut/sbin/utfwadm -a -D -n

For each of the shared subnetwork interconnects:

    $ /opt/SUNWut/sbin/utfwadm -a -D -N

Do this only one time, before adding this patch to any server in the
group. The purpose of this step is to prevent unpatched servers from
offering old firmware to Sun Ray appliances that have already accepted
the new firmware delivered with this patch.

If this patch is being applied to a Sun Ray failover group then
omitting this step may result in increased restart times for your Sun
Ray appliances. (A mixture of patched and unpatched servers
advertising conflicting firmware versions may cause the appliance to
download new firmware each time it restarts. The appliance
automatically restarts itself after downloading fresh firmware so its
overall restart cycle is longer in that case. The appliance may
restart itself several times before establishing or reconnecting to a
session.) The Sun Ray restart time will return to normal once the
patch has been added to all servers in the failover group.

At Patch Removal
----------------

Before removing this patch from servers configured into a Sun Ray
failover group we advise that you disable firmware delivery from any
hosts in the failover group that have this patch installed.

On each already-patched host in the group:

For each of the dedicated network interconnects:

    $ /opt/SUNWut/sbin/utfwadm -a -D -n

For each of the shared subnetwork interconnects:

    $ /opt/SUNWut/sbin/utfwadm -a -D -N

Do this only one time, before removing this patch from any of the
already-patched servers in the group. The purpose of this step is to
prevent already-patched servers from offering new firmware to Sun Ray
appliances.

If this patch is being removed from a Sun Ray failover group then
omitting this step may result in increased restart times for your Sun
Ray appliances.
(A mixture of patched and unpatched servers advertising conflicting
firmware versions may cause the appliance to download new firmware
each time it restarts. The appliance automatically restarts itself
after downloading fresh firmware so its overall restart cycle is
longer in that case. The appliance may restart itself several times
before establishing or reconnecting to a session.) The Sun Ray restart
time will return to normal once the patch has been removed from all
servers in the failover group.

2. Stopping Sun Ray services and login sessions

Before applying this patch to a Sun Ray server or removing this patch
from a Sun Ray server all users should be logged out of their Sun Ray
sessions. Stop the Sun Ray services using the following command:

    $ /etc/init.d/utsvc stop

This command will terminate any Sun Ray sessions that were not already
logged out.

Next, add or remove the patch using the instructions outlined above in
the section "Patch Installation Instructions". Adding the patch
automatically prepares the server to advertise new firmware to your
Sun Ray appliances. Removing the patch automatically prepares the
server to revert to advertising pre-patch firmware to your Sun Ray
appliances.

3. Rebooting the Sun Ray server

The Sun Ray server must be rebooted after the addition or removal of
the patch.

README -- Last modified date: Tuesday, April 27, 2004
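
The README asks that 114880-04 reach every server in a failover group and, in NOTE 1, that Solaris 8 hosts also carry 108528-15 or later. The script below is an added example, not part of the README or of Sun's tooling: it checks saved `showrev -p` output, one file per host, against such minimum revisions. The host names, the one-file-per-host layout and the sample patch lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the patch README). Host names and the sample
# `showrev -p` text below are constructed.

# meets SPEC: reads `showrev -p` output on stdin and succeeds when patch
# SPEC (BASE-REV, e.g. 114880-04) or a later revision of BASE is listed.
# Only "Patch:" fields are examined; "Obsoletes:" entries are ignored.
meets() {
    awk -v spec="$1" '
        BEGIN { split(spec, want, "-") }
        $1 == "Patch:" {
            split($2, have, "-")
            if (have[1] == want[1] && have[2] + 0 >= want[2] + 0) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# audit_group DIR SPEC...: DIR holds one file per failover-group host,
# named after the host, containing that host's saved `showrev -p` output.
# Prints "host:SPEC" for every requirement a host does not meet.
audit_group() {
    dir=$1; shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for spec in "$@"; do
            meets "$spec" < "$f" || echo "${f##*/}:$spec"
        done
    done
}

# demo: builds constructed inputs for two Solaris 8 hosts and audits them
# against this patch and the kernel patch named in NOTE 1.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/srs-a" <<'EOF'
Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 114880-04 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
EOF
    cat > "$d/srs-b" <<'EOF'
Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 114880-03 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 114881-04 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
EOF
    audit_group "$d" 114880-04 108528-15
    rm -rf "$d"
}

demo
```

A host that appears in the output is still unpatched, which is the mixed-group state the README says lengthens appliance restart times.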