Patch-ID# 122608-02

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: solaris
Synopsis: Solaris Security Toolkit 4.2
Date: Aug/07/2006

Install Requirements: NA

Solaris Release: 8 8_x86 9 9_x86 10 10_x86

SunOS Release: 5.8 5.8_x86 5.9 5.9_x86 5.10 5.10_x86

Unbundled Product: Solaris Security Toolkit

Unbundled Release: 4.2

Xref:

Topic: patch Solaris Security Toolkit 4.2

Relevant Architectures: all

BugId's fixed with this patch: 6306397 6307744 6310948 6314984 6315251 6325774 6341501 6347065 6347513 6350467 6364993 6390548 6390918 6394832 6428961 6436186 6442889 6453754

Changes incorporated in this version: 6306397 6310948 6314984 6315251 6325774 6341501 6347065 6347513 6350467 6390548 6390918 6428961 6436186 6442889 6453754

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/opt/SUNWjass/Audit/disable-dtlogin.aud
/opt/SUNWjass/Audit/disable-keyserv-uid-nobody.aud
/opt/SUNWjass/Audit/disable-syslogd-listen.aud
/opt/SUNWjass/Audit/disable-uucp.aud
/opt/SUNWjass/Audit/disable-vold.aud
/opt/SUNWjass/Audit/enable-ftp-syslog.aud
/opt/SUNWjass/Audit/enable-ftpaccess.aud
/opt/SUNWjass/Audit/enable-inetd-syslog.aud
/opt/SUNWjass/Audit/enable-ipfilter.aud
/opt/SUNWjass/Audit/install-ftpusers.aud
/opt/SUNWjass/Audit/print-jumpstart-environment.aud
/opt/SUNWjass/Audit/set-banner-ftpd.aud
/opt/SUNWjass/Audit/set-banner-sshd.aud
/opt/SUNWjass/Audit/set-banner-telnetd.aud
/opt/SUNWjass/Audit/set-ftpd-umask.aud
/opt/SUNWjass/Audit/set-sys-suspend-restrictions.aud
/opt/SUNWjass/Audit/update-at-deny.aud
/opt/SUNWjass/Documentation/INSTALL
/opt/SUNWjass/Drivers/clean.run
/opt/SUNWjass/Drivers/driver.run
/opt/SUNWjass/Drivers/driver_private.funcs
/opt/SUNWjass/Drivers/driver_public.funcs
/opt/SUNWjass/Drivers/finish.init
/opt/SUNWjass/Drivers/suncluster3x-secure.driver
/opt/SUNWjass/Drivers/undo.run
/opt/SUNWjass/Files/etc/ipf/ipf.conf
/opt/SUNWjass/Files/etc/ipf/ipf.conf-15k_sc
/opt/SUNWjass/Files/etc/ipf/ipf.conf-server
/opt/SUNWjass/Files/etc/security/audit_class+5.10
/opt/SUNWjass/Files/etc/security/audit_control
/opt/SUNWjass/Files/etc/security/audit_event+5.10
/opt/SUNWjass/Finish/disable-autoinst.fin
/opt/SUNWjass/Finish/disable-dtlogin.fin
/opt/SUNWjass/Finish/disable-rpc.fin
/opt/SUNWjass/Finish/disable-sma.fin
/opt/SUNWjass/Finish/disable-uucp.fin
/opt/SUNWjass/Finish/disable-vold.fin
/opt/SUNWjass/Finish/enable-ipfilter.fin
/opt/SUNWjass/Finish/install-jass.fin
/opt/SUNWjass/Finish/install-security-mode.fin
/opt/SUNWjass/Finish/print-jumpstart-environment.fin
/opt/SUNWjass/Finish/set-root-password.fin
/opt/SUNWjass/Finish/update-at-deny.fin
/opt/SUNWjass/Finish/update-cron-log-size.fin
/opt/SUNWjass/Finish/update-inetd-conf.fin
/opt/SUNWjass/bin/jass-execute
/opt/SUNWjass/lib/locale/C/LC_MESSAGES/jass.po

Problem Description:

6306397 enable-process-accounting.fin appears to hang if $VISUAL env variable is set
6310948 JASS: copy_files does not maintain permissions or ownership
6314984 set-ftpd-umask.aud script has incorrect service and servfil settings
6315251 copy_files and symlinks behave unexpectedly with FILE_COPY_KEYWORD
6325774 jass-execute -r must behave more like JASS_STANDALONE=0
6341501 root account should not be added to at.deny file by update-at-deny.fin
6347065 Failure of pkgrm of SUNWjass during undo is not flagged as an error.
6347513 Files saved by backup_file_in_safe_directory() in JumpStart mode cause jass-check-sum to fail
6350467 SST reports audit failures on properties of uninstalled services
6390548 After applying secure.driver & NIS is enabled, root can't login or change password after reboot
6390918 JASS 4.2 & Sun Cluster 3.1: mdcomm service should not be disabled with Multi-owner diskset (oban)
6428961 disable-uucp.fin should not remove /etc/rc2.d/S70uucp
6436186 could not install SST patch during the JumpStart installation
6442889 Handle service conversions in S10U2: vold
6453754 Allow ssh traffic through ipfilter for secure.driver

(From 122608-01)

6307744 Sample ipf.conf* files block all udp traffic (ydp typo)
6364993 enable-ipfilter installs config file in the wrong path
6394832 ipfilter fails to start due to "ipf.conf syntax error error at ""

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

       example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

       example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:

The fix for "6436186 could not install SST patch during the JumpStart
installation" changes the way that patches are installed by the
install-recommended-patches.fin script. In order to install patches
to SST4.2, itself, through the JumpStart mechanism, perform the
following:

1) Create a directory named SST in the ${JASS_PATCH_DIR} directory.
       # mkdir ${JASS_PATCH_DIR}/SST

2) Copy this patch there.

       # cp -r 122608-02 ${JASS_PATCH_DIR}/SST

The install-recommended-patches.fin script will check the
${JASS_PATCH_DIR}/SST directory and install all patches present.
This script will continue to install any appropriate Recommended
Patch cluster or Security Patch cluster that it finds in the
${JASS_PATCH_DIR} directory.

README -- Last modified date: Monday, August 7, 2006