Patch Name: PHNE_11306 Patch Description: s700 10.24 (VVOS) Network Cumulative Patch Creation Date: 97/06/06 Post Date: 97/09/17 Hardware Platforms - OS Releases: s700: 10.24 Products: N/A Filesets: OS-Core.CORE-KRN VirtualVaultOS.VVOS-KRN Networking.NET-KRN Networking.NET-RUN Automatic Reboot?: Yes Status: General Superseded Critical: No Path Name: /hp-ux_patches/s700/10.X/PHNE_11306 Symptoms: PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Allows multilevelserver tcp endpoints to be accessed from the outside interface, when there is no filtering router present. Excessive audit records generated as a result of using non-blocking system calls. TCP does not use random sequence numbers by default. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. Defect Description: PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Introduces a mechanism for further restricting traffic from/to certain interfaces, to/from multilevel servers. During system initialization the ifconfig command, based on information in the Device Assignment database, marks interfaces from which traffic is to be restricted. The ifconfig command also reports this information, when displaying other characteristics of the interface. Applications using non-blocking interfaces to network and file/record locking APIS cause excessive audit records to be generated. These interfaces include accept(), read(), recv() lockf(), and fcntl(). TCP should use random sequence numbers. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. SR: 4701356741 4701354597 4701349761 4701349399 4701347532 4701335596 4701348631 4701348623 4701348656 Patch Files: /usr/conf/lib/libsec.a(audit_stub.o) /usr/conf/lib/libuipc.a(uipc_socket.o) /usr/conf/lib/libuipc.a(uipc_socket2.o) /usr/conf/lib/libuipc.a(uipc_syscall.o) /usr/conf/lib/libuipc.a(uipc_usrreq.o) /usr/conf/lib/libhp-ux.a(vfs_scalls.o) /usr/conf/lib/libhp-ux.a(vfs_lockf.o) /usr/conf/lib/libhp-ux.a(kern_dscrp.o) /usr/conf/lib/libhp-ux.a(nm_tune.o) /usr/conf/lib/libsec.a(sec_vvosnet.o) /usr/conf/lib/libsec.a(sec_subrs.o) /usr/conf/lib/libuipc.a(uipc_compat.o) /usr/conf/lib/libnet.a(raw_usrreq.o) /usr/conf/lib/libinet.a(tcp_input.o) /usr/conf/lib/libinet.a(ip_output.o) /usr/conf/lib/libinet.a(ip_input.o) /usr/conf/lib/libinet.a(udp_usrreq.o) /usr/conf/lib/libinet.a(tcp_subr.o) /usr/conf/lib/libnet.a(if.o) /usr/sbin/ifconfig /usr/lib/nls/msg/C/ifconfig.cat what(1) Output: /usr/conf/lib/libsec.a(audit_stub.o): kern/sec/audit_stub.c, sysaudit, vvos_davis, davis22 $Date: 97/08/05 15:54:37 $ $Revision: 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_socket.o): kern/sys/uipc_socket.c, hpuxsysuipc, vvos_davis, dav is22 $Date: 97/08/05 15:53:49 $ $Revision: 1 .49.1.1 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_socket2.o): kern/sys/uipc_socket2.c, hpuxsysuipc, vvos_davis, da vis22 $Date: 97/08/05 15:53:49 $ $Revision: 1.4 PATCH_10.24 (PHNE_11096) $ /usr/conf/lib/libuipc.a(uipc_syscall.o): kern/sys/uipc_syscall.c, hpuxsysuipc, vvos_davis, da vis22 $Date: 97/08/05 15:53:50 $ $Revision: 1.37 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_usrreq.o): kern/sys/uipc_usrreq.c, hpuxsysuipc, vvos_davis, dav is25 $Date: 97/08/05 16:16:46 $ $Revision: 1 .26 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libhp-ux.a(vfs_scalls.o): kern/sys/vfs_scalls.c, hpuxsysvfs, vvos_davis, davis 22 $Date: 97/08/05 15:54:03 $ $Revision: 1.2 8 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(vfs_lockf.o): kern/sys/vfs_lockf.c, hpuxsysvfs, vvos_davis, davis2 2 $Date: 97/08/05 15:58:15 $ $Revision: 1.3 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(kern_dscrp.o): kern/sys/kern_dscrp.c, hpuxsysmisc, vvos_davis, davi s22 $Date: 97/08/05 15:54:04 $ $Revision: 1. 24 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(nm_tune.o): kern/netinet/nm_tune.c, hpuxsysinet, vvos_davis, dav is22 $Date: 97/08/05 15:53:51 $ $Revision: 1 .13 PATCH_10.24 (PHNE_10161) $ /usr/conf/lib/libsec.a(sec_vvosnet.o): kern/sec/sec_vvosnet.c, sysmisc, vvos_davis, davis25 $Date: 97/08/05 16:16:46 $ $Revision: 1.19. 2.6 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(sec_subrs.o): kern/sec/sec_subrs.c, sysmisc, vvos_davis, davis25 $ Date: 97/08/05 16:16:46 $ $Revision: 1.13.3. 4 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libuipc.a(uipc_compat.o): kern/sys/uipc_compat.c, hpuxsysuipc, vvos_davis, dav is22 $Date: 97/08/05 15:57:59 $ $Revision: 1 .4 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(raw_usrreq.o): kern/net/raw_usrreq.c, hpuxsysnet, vvos_davis, davis 22 $Date: 97/08/05 15:53:42 $ $Revision: 1.2 0 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(tcp_input.o): kern/netinet/tcp_input.c, hpuxsysinet, vvos_davis, d avis25 $Date: 97/08/05 16:16:47 $ $Revision: 1.41.1.3 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libinet.a(ip_output.o): kern/netinet/ip_output.c, hpuxsysinet, vvos_davis, d avis22 $Date: 97/08/05 15:53:43 $ $Revision: 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(ip_input.o): kern/netinet/ip_input.c, hpuxsysinet, vvos_davis, da vis22 $Date: 97/08/05 15:53:43 $ $Revision: 1.33 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(udp_usrreq.o): kern/netinet/udp_usrreq.c, hpuxsysinet, vvos_davis, davis25 $Date: 97/08/05 16:16:47 $ $Revision : 1.40 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libinet.a(tcp_subr.o): kern/netinet/tcp_subr.c, hpuxsysinet, vvos_davis, da vis22 $Date: 97/08/05 15:53:45 $ $Revision: 1.27 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(if.o): kern/net/if.c, hpuxsysnet, vvos_davis, davis22 $Date : 97/08/05 15:53:41 $ $Revision: 1.32 PATCH_ 10.24 (PHNE_10476) $ /usr/sbin/ifconfig: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Tue Aug 5 16:27:42 EDT 1997 $ lanlink/NET/commands/ifconfig/ifconfig.c, hpuxcmdnet , vvos_davis, davis22 $Date: 97/08/05 15:55: 18 $ $Revision: 1.10 PATCH_10.24 (PHNE_10475 ) $ NET: Version: B.10.10 $Date: 96/05/09 11:26:18 $ /usr/lib/nls/msg/C/ifconfig.cat: (None) cksum(1) Output: 1217107263 8516 /usr/conf/lib/libsec.a(audit_stub.o) 3334229125 21672 /usr/conf/lib/libuipc.a(uipc_socket.o) 731575304 21028 /usr/conf/lib/libuipc.a(uipc_socket2.o) 486993231 17520 /usr/conf/lib/libuipc.a(uipc_syscall.o) 1144591810 13876 /usr/conf/lib/libuipc.a(uipc_usrreq.o) 117064926 29744 /usr/conf/lib/libhp-ux.a(vfs_scalls.o) 728177403 14708 /usr/conf/lib/libhp-ux.a(vfs_lockf.o) 2127952468 15848 /usr/conf/lib/libhp-ux.a(kern_dscrp.o) 526884263 10432 /usr/conf/lib/libhp-ux.a(nm_tune.o) 2401332144 9584 /usr/conf/lib/libsec.a(sec_vvosnet.o) 3859168310 9620 /usr/conf/lib/libsec.a(sec_subrs.o) 4079147806 9376 /usr/conf/lib/libuipc.a(uipc_compat.o) 1894309836 5748 /usr/conf/lib/libnet.a(raw_usrreq.o) 925324995 21732 /usr/conf/lib/libinet.a(tcp_input.o) 4054845486 12632 /usr/conf/lib/libinet.a(ip_output.o) 398874231 18564 /usr/conf/lib/libinet.a(ip_input.o) 3503785615 16248 /usr/conf/lib/libinet.a(udp_usrreq.o) 2043913080 10712 /usr/conf/lib/libinet.a(tcp_subr.o) 1607339545 8660 /usr/conf/lib/libnet.a(if.o) 2700269134 24576 /usr/sbin/ifconfig 808123659 1886 /usr/lib/nls/msg/C/ifconfig.cat Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHNE_10161 PHNE_10325 PHNE_10476 PHNE_11096 Equivalent Patches: PHNE_11307: s800: 10.24 Patch Package Size: 390 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_11306 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHNE_11306.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHNE_11306.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_11306. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHNE_11306.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_11306.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None