Patch-ID# 118371-07

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE,
YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL
OF THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: security elfsign libike keystore memory libpkcs11
Synopsis: SunOS 5.10: elfsign Patch
Date: May/04/2006

Install Requirements: Reconfigure immediately after patch is installed
                      Install in Single User Mode

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 118372

Topic: SunOS 5.10: elfsign Patch

Relevant Architectures: sparc

BugId's fixed with this patch: 4987141 5019131 5057756 5099921 6196062
    6214106 6214824 6216464 6218014 6218030 6220136 6221396 6222046
    6222935 6238177 6238962 6239551 6258804 6258976 6259973 6265403
    6268124 6282641 6283570 6301500 6317027 6326584 6331159 6333693
    6340770 6347364 6348585 6367959

Changes incorporated in this version: 5099921 6258804 6282641 6326584
    6331159 6333693 6340770 6347364 6348585 6367959

Patches accumulated and obsoleted by this patch: 119265-02

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/usr/bin/elfsign
/usr/lib/crypto/kcfd
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libelfsign.so.1
/usr/lib/libike.so.1

Problem Description:

6367959 Large numbers of certlib entries corrupt active Phase I SA state.
6282641 Policy with AH can cause in.iked to exit when NAT-T triggered
6333693 in.iked needs better handling of port-only selectors
6258804 IKE p1 delete notifications not being sent immediately on flush
5099921 in.iked pfkey.c: should pull memset into extract_exts()
6340770 multiple-personality disorder affects inverse_acquire, too
6326584 comedy of mismerges puts a quarter-twist into quick mode identities
6347364 SafeNet plugs ASN.1 leaks
6348585 ISAKMP notification sent to peer contains garbage
6331159 If the only pre-shared key is deleted, the IKE daemon can not add new keys from a file

(from 118371-06)

6265403 Short-lived Phase I SAs get bitten by libike's retransmit-driven delayed cleanup
6259973 IKE phase2 exchange fails to occur when phase1 SA nears expiry
6268124 ikeadm won't remove expiring phase1 SA's by address
6317027 libike tries to dereference the wrong negotiation

(from 118371-05)

6301500 Multiple elfsign failures in SPARC & X86 SUNWgcc package

(from 118371-04)

6258976 kcfd dies under a barrage of verification requests
6283570 misaligned ELF64 section heads

(from 118371-03)

6238177 ikecert certlocal -a dumps core
6238962 ikecert cache has artificially small maximum value
6239551 in.iked doesn't parse config.sample as expected

(from 118371-02)

This patch revision accumulates/obsoletes Solaris Update S10U1 feature
point patch 119265-02.

(from 118371-01)

5057756 elfsign should put OU in subject name in its own AttributeTypeAndValue
6214106 elfsign damages some executables

(from 119265-02)

Uprev due to the intersection between Feature and Generic gates

(from 119265-01)

4987141 Misleading comments in do_p1getdel() function.
5019131 IKE should use uCF's libpkcs11 by default for performance improvement
6196062 Drop SafeNet QuickSec 2.1 into libike
6214824 Update NAT-T Support to full RFC 3947 compliance.
6216464 Memory leak if ssh_ike_connect_ipsec() fails immediately
6218014 qs21 putback broke tools/version of elfsign
6218030 Fix for 6218014 needs a more elegant solution
6220136 elfsign request fails
6221396 libike PKCS#11 D-H native glue needs to guard against trimmed leading-zeroes.
6222046 usr/src/lib/libike needed in its entirety to build usr/src/tools
6222935 Keystore generation is broken post-qs21

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

        example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

        example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

Not all patches listed in this section as needed for the completion
of a fix or feature, may be available at the same time as this patch.
This allows the remaining fixes/features to be made available sooner.

NOTE 1: If you're planning to set up Zones on this system, please make
        sure to install the following patch which fixes bugid 6216195
        (zone installation confused UPDATE=yes in pkginfo(4) file.)
        119254-06 (or greater)  Install and Patch Utilities Patch

NOTE 2: If the patch is being applied to the live system, please do
        the following:

        svcadm disable -t cryptosvc
        Apply the patch to elfsign, libelfsign and kcfd
        svcadm enable -t cryptosvc

NOTE 3: To get the complete fix for bugid 6265403 (short-lived Phase I
        SAs get bitten by libike's retransmit-driven delayed cleanup),
        please also install the following patch:

        121406-01 (or greater)  ikeadm patch

README -- Last modified date: Thursday, May 4, 2006