Patch Name: PHNE_14735 Patch Description: s700 10.24 (VVOS) ARPA Transport cumulative patch Creation Date: 98/04/14 Post Date: 98/04/18 Hardware Platforms - OS Releases: s700: 10.24 Products: N/A Filesets: OS-Core.CORE-KRN VirtualVaultOS.VVOS-KRN Networking.NET-KRN Networking.NET-RUN Automatic Reboot?: Yes Status: General Superseded Critical: Yes PHNE_14735: PANIC Based on a portion of HP-UX PHNE_14504: PANIC Based on a portion of HP-UX PHNE_13469: PANIC Based on a portion of HP-UX PHNE_13289: PANIC Based on a portion of HP-UX PHNE_13245: PANIC Based on a portion of HP-UX PHNE_12407: PANIC Based on a portion of HP-UX PHNE_11530: PANIC Based on a portion of HP-UX PHNE_9106: PANIC Based on a portion of HP-UX PHNE_9098: PANIC Based on a portion of HP-UX PHNE_9036: PANIC Path Name: /hp-ux_patches/s700/10.X/PHNE_14735 Symptoms: PHNE_14735: Socket send(2) returning ENOLINK. Transient TCP error conditions are reported to the application. PHNE_13888: Repackaged part of HP-UX patch PHNE_13469 for VVOS. Based on a portion of HP-UX patch PHNE_13469: This patch replaces PHNE_13289. See Defect Description PHKL_12391: symlink system call audit records incorrectly contain the link name as the target name. unlink and execve system call audit records contain incorrect object sensitivity labels. PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Allows multilevelserver tcp endpoints to be accessed from the outside interface, when there is no filtering router present. Excessive audit records generated as a result of using non-blocking system calls. TCP does not use random sequence numbers by default. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. Defect Description: PHNE_14735: Transient TCP error conditions had been reported to the application. Because TCP retransmission logic does ultimately correct a transient condition, transient errors are no longer sent to the application. Fatal and permanent TCP errors are still reported to the application. PHNE_13888: Repackaged part of HP-UX patch PHNE_13469 for VVOS. Based on a portion of HP-UX patch PHNE_13469: If the system is a single processor machine they may see it hang. It will still respond to "ping" but the console and all other activity will stop. If the system is a multiprocessor machine the customer may see that one processor is 100% busy running netisr. The rest of the system will be working OK with the exception of the one processor being out of the picture. Networking may be slow or not working at all. Netstat will show one of this systems IP addresses connected to itsself along with the local and remote port being the same. The state of the socket will be SYN_RCVD. PHKL_12391: Incorrect placement of audit stub hooks, results in incorrect information in audit records for system calls symlink(2) and unlink(2). PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Introduces a mechanism for further restricting traffic from/to certain interfaces, to/from multilevel servers. During system initialization the ifconfig command, based on information in the Device Assignment database, marks interfaces from which traffic is to be restricted. The ifconfig command also reports this information, when displaying other characteristics of the interface. Applications using non-blocking interfaces to network and file/record locking APIS cause excessive audit records to be generated. These interfaces include accept(), read(), recv() lockf(), and fcntl(). TCP should use random sequence numbers. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. SR: 4701356741 4701354597 4701349761 4701349399 4701347532 4701335596 4701348631 4701348623 4701348656 4701366252 1653239764 5003327973 4701387333 Patch Files: /usr/conf/lib/libsec.a(audit_stub.o) /usr/conf/lib/libuipc.a(uipc_socket.o) /usr/conf/lib/libuipc.a(uipc_socket2.o) /usr/conf/lib/libuipc.a(uipc_syscall.o) /usr/conf/lib/libuipc.a(uipc_usrreq.o) /usr/conf/lib/libhp-ux.a(vfs_scalls.o) /usr/conf/lib/libhp-ux.a(vfs_lockf.o) /usr/conf/lib/libhp-ux.a(kern_dscrp.o) /usr/conf/lib/libhp-ux.a(nm_tune.o) /usr/conf/lib/libsec.a(sec_vvosnet.o) /usr/conf/lib/libsec.a(sec_subrs.o) /usr/conf/lib/libsec.a(spd_mac.o) /usr/conf/lib/libuipc.a(uipc_compat.o) /usr/conf/lib/libnet.a(raw_usrreq.o) /usr/conf/lib/libinet.a(tcp_usrreq.o) /usr/conf/lib/libinet.a(tcp_input.o) /usr/conf/lib/libinet.a(ip_output.o) /usr/conf/lib/libinet.a(ip_input.o) /usr/conf/lib/libinet.a(udp_usrreq.o) /usr/conf/lib/libinet.a(tcp_subr.o) /usr/conf/lib/libnet.a(if.o) /usr/sbin/ifconfig /usr/lib/nls/msg/C/ifconfig.cat what(1) Output: /usr/conf/lib/libsec.a(audit_stub.o): kern/sec/audit_stub.c, sysaudit, vvos_davis, davis95 $Date: 98/04/14 21:10:38 $ $Revision: 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_socket.o): kern/sys/uipc_socket.c, hpuxsysuipc, vvos_davis, dav is95 $Date: 98/04/14 21:09:51 $ $Revision: 1 .49.1.1 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_socket2.o): kern/sys/uipc_socket2.c, hpuxsysuipc, vvos_davis, da vis95 $Date: 98/04/14 21:09:51 $ $Revision: 1.4 PATCH_10.24 (PHNE_11096) $ /usr/conf/lib/libuipc.a(uipc_syscall.o): kern/sys/uipc_syscall.c, hpuxsysuipc, vvos_davis, da vis95 $Date: 98/04/14 21:09:51 $ $Revision: 1.37 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_usrreq.o): kern/sys/uipc_usrreq.c, hpuxsysuipc, vvos_davis, dav is95 $Date: 98/04/14 21:09:52 $ $Revision: 1 .26 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libhp-ux.a(vfs_scalls.o): kern/sys/vfs_scalls.c, hpuxsysvfs, vvos_davis, davis 95 $Date: 98/04/14 21:10:04 $ $Revision: 1.2 7.1.2 PATCH_10.24 (PHKL_12391) $ /usr/conf/lib/libhp-ux.a(vfs_lockf.o): kern/sys/vfs_lockf.c, hpuxsysvfs, vvos_davis, davis9 5 $Date: 98/04/14 21:14:09 $ $Revision: 1.3 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(kern_dscrp.o): kern/sys/kern_dscrp.c, hpuxsysmisc, vvos_davis, davi s95 $Date: 98/04/14 21:10:05 $ $Revision: 1. 24 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(nm_tune.o): kern/netinet/nm_tune.c, hpuxsysinet, vvos_davis, dav is95 $Date: 98/04/14 21:09:53 $ $Revision: 1 .13 PATCH_10.24 (PHNE_10161) $ /usr/conf/lib/libsec.a(sec_vvosnet.o): kern/sec/sec_vvosnet.c, sysmisc, vvos_davis, davis95 $Date: 98/04/14 21:13:53 $ $Revision: 1.19. 2.6 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(sec_subrs.o): kern/sec/sec_subrs.c, sysmisc, vvos_davis, davis95 $ Date: 98/04/14 21:10:19 $ $Revision: 1.13.3. 4 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(spd_mac.o): kern/sec/spd_mac.c, sysmacilb, vvos_davis, davis95 $ Date: 98/04/14 21:10:18 $ $Revision: 1.31 PA TCH_10.24 (PHKL_12391) $ /usr/conf/lib/libuipc.a(uipc_compat.o): kern/sys/uipc_compat.c, hpuxsysuipc, vvos_davis, dav is95 $Date: 98/04/14 21:13:55 $ $Revision: 1 .4 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(raw_usrreq.o): kern/net/raw_usrreq.c, hpuxsysnet, vvos_davis, davis 95 $Date: 98/04/14 21:09:44 $ $Revision: 1.2 0 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(tcp_input.o): kern/netinet/tcp_input.c, hpuxsysinet, vvos_davis, d avis99 $Date: 98/04/14 21:16:39 $ $Revision: 1.41.1.7 PATCH_10.24 (PHNE_14735) $ /usr/conf/lib/libinet.a(tcp_usrreq.o): kern/netinet/tcp_usrreq.c, hpuxsysinet, vvos_davis, davis99 $Date: 98/04/14 21:16:39 $ $Revision : 1.5 PATCH_10.24 (PHNE_14735) $ /usr/conf/lib/libinet.a(ip_output.o): kern/netinet/ip_output.c, hpuxsysinet, vvos_davis, d avis95 $Date: 98/04/14 21:09:46 $ $Revision: 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(ip_input.o): kern/netinet/ip_input.c, hpuxsysinet, vvos_davis, da vis95 $Date: 98/04/14 21:09:45 $ $Revision: 1.33 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(udp_usrreq.o): kern/netinet/udp_usrreq.c, hpuxsysinet, vvos_davis, davis95 $Date: 98/04/14 21:09:47 $ $Revision : 1.40 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libinet.a(tcp_subr.o): kern/netinet/tcp_subr.c, hpuxsysinet, vvos_davis, da vis95 $Date: 98/04/14 21:09:47 $ $Revision: 1.27 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(if.o): kern/net/if.c, hpuxsysnet, vvos_davis, davis95 $Date : 98/04/14 21:09:44 $ $Revision: 1.32 PATCH_ 10.24 (PHNE_10476) $ /usr/sbin/ifconfig: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Tue Apr 14 21:20:47 EDT 1998 $ lanlink/NET/commands/ifconfig/ifconfig.c, hpuxcmdnet , vvos_davis, davis95 $Date: 98/04/14 21:11: 20 $ $Revision: 1.10 PATCH_10.24 (PHNE_10475 ) $ NET: Version: B.10.10 $Date: 96/05/09 11:26:18 $ /usr/lib/nls/msg/C/ifconfig.cat: None cksum(1) Output: 3266247291 8528 /usr/conf/lib/libsec.a(audit_stub.o) 1132412059 21688 /usr/conf/lib/libuipc.a(uipc_socket.o) 684856580 21044 /usr/conf/lib/libuipc.a(uipc_socket2.o) 4265266890 17536 /usr/conf/lib/libuipc.a(uipc_syscall.o) 923947293 13892 /usr/conf/lib/libuipc.a(uipc_usrreq.o) 343148642 29804 /usr/conf/lib/libhp-ux.a(vfs_scalls.o) 3422071932 14720 /usr/conf/lib/libhp-ux.a(vfs_lockf.o) 2895962942 15860 /usr/conf/lib/libhp-ux.a(kern_dscrp.o) 2875824576 10448 /usr/conf/lib/libhp-ux.a(nm_tune.o) 1401827066 9600 /usr/conf/lib/libsec.a(sec_vvosnet.o) 4247332564 9632 /usr/conf/lib/libsec.a(sec_subrs.o) 4142469828 13276 /usr/conf/lib/libsec.a(spd_mac.o) 4197472995 9392 /usr/conf/lib/libuipc.a(uipc_compat.o) 31226132 5760 /usr/conf/lib/libnet.a(raw_usrreq.o) 3209877227 21736 /usr/conf/lib/libinet.a(tcp_input.o) 2055741188 12152 /usr/conf/lib/libinet.a(tcp_usrreq.o) 20172151 12644 /usr/conf/lib/libinet.a(ip_output.o) 1283552030 18580 /usr/conf/lib/libinet.a(ip_input.o) 4023328104 16260 /usr/conf/lib/libinet.a(udp_usrreq.o) 2749361345 10728 /usr/conf/lib/libinet.a(tcp_subr.o) 365460710 8672 /usr/conf/lib/libnet.a(if.o) 127898565 24576 /usr/sbin/ifconfig 808123659 1886 /usr/lib/nls/msg/C/ifconfig.cat Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHNE_10161 PHNE_10325 PHNE_10476 PHNE_11096 PHNE_11306 PHKL_12391 PHNE_13888 Equivalent Patches: PHNE_14736: s800: 10.24 Patch Package Size: 410 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_14735 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHNE_14735.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHNE_14735.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_14735. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHNE_14735.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_14735.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None