Patch Name: PHNE_17413 Patch Description: s700 10.24 (VVOS) ARPA Transport cumulative patch Creation Date: 99/01/20 Post Date: 99/02/18 Hardware Platforms - OS Releases: s700: 10.24 Products: N/A Filesets: OS-Core.CORE-KRN VirtualVaultOS.VVOS-KRN Networking.NET-KRN Networking.NET-RUN Automatic Reboot?: Yes Status: General Superseded Critical: No (superseded patches were critical) PHNE_15733: HANG PHNE_14735: PANIC Based on a portion of HP-UX PHNE_14504: PANIC Based on a portion of HP-UX PHNE_13469: PANIC Based on a portion of HP-UX PHNE_13289: PANIC Based on a portion of HP-UX PHNE_13245: PANIC Based on a portion of HP-UX PHNE_12407: PANIC Based on a portion of HP-UX PHNE_11530: PANIC Based on a portion of HP-UX PHNE_9106: PANIC Based on a portion of HP-UX PHNE_9098: PANIC Based on a portion of HP-UX PHNE_9036: PANIC Path Name: /hp-ux_patches/s700/10.X/PHNE_17413 Symptoms: PHNE_17413: No visible symptoms. PHNE_15733: Network may hang when an application forks off multiple children that call accept() on the same socket. PHNE_14735: Socket send(2) returning ENOLINK. Transient TCP error conditions are reported to the application. PHNE_13888: Repackaged part of HP-UX patch PHNE_13469 for VVOS. Based on a portion of HP-UX patch PHNE_13469: This patch replaces PHNE_13289. See Defect Description PHKL_12391: symlink system call audit records incorrectly contain the link name as the target name. unlink and execve system call audit records contain incorrect object sensitivity labels. PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Allows multilevelserver tcp endpoints to be accessed from the outside interface, when there is no filtering router present. Excessive audit records generated as a result of using non-blocking system calls. TCP does not use random sequence numbers by default. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. Defect Description: PHNE_17413: Bad call to bzero() in ip_output() could cause major problems. PHNE_15733: Repackaged part of HP-UX patch PHNE_9098 to fix a race condition in a socket function, sodequeue(). This race condition could result in a hung network when an application forks multiple children that call accept() on the same socket. PHNE_14735: Transient TCP error conditions had been reported to the application. Because TCP retransmission logic does ultimately correct a transient condition, transient errors are no longer sent to the application. Fatal and permanent TCP errors are still reported to the application. PHNE_13888: Repackaged part of HP-UX patch PHNE_13469 for VVOS. Based on a portion of HP-UX patch PHNE_13469: If the system is a single processor machine they may see it hang. It will still respond to "ping" but the console and all other activity will stop. If the system is a multiprocessor machine the customer may see that one processor is 100% busy running netisr. The rest of the system will be working OK with the exception of the one processor being out of the picture. Networking may be slow or not working at all. Netstat will show one of this systems IP addresses connected to itsself along with the local and remote port being the same. The state of the socket will be SYN_RCVD. PHKL_12391: Incorrect placement of audit stub hooks, results in incorrect information in audit records for system calls symlink(2) and unlink(2). PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Introduces a mechanism for further restricting traffic from/to certain interfaces, to/from multilevel servers. During system initialization the ifconfig command, based on information in the Device Assignment database, marks interfaces from which traffic is to be restricted. The ifconfig command also reports this information, when displaying other characteristics of the interface. Applications using non-blocking interfaces to network and file/record locking APIS cause excessive audit records to be generated. These interfaces include accept(), read(), recv() lockf(), and fcntl(). TCP should use random sequence numbers. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. SR: 4701413435 4701356741 4701354597 4701349761 4701349399 4701347532 4701335596 4701348631 4701348623 4701348656 4701366252 1653239764 5003327973 4701387333 4701339044 5003424002 Patch Files: /usr/conf/lib/libsec.a(audit_stub.o) /usr/conf/lib/libuipc.a(uipc_socket.o) /usr/conf/lib/libuipc.a(uipc_socket2.o) /usr/conf/lib/libuipc.a(uipc_syscall.o) /usr/conf/lib/libuipc.a(uipc_usrreq.o) /usr/conf/lib/libhp-ux.a(vfs_scalls.o) /usr/conf/lib/libhp-ux.a(vfs_lockf.o) /usr/conf/lib/libhp-ux.a(kern_dscrp.o) /usr/conf/lib/libhp-ux.a(nm_tune.o) /usr/conf/lib/libsec.a(sec_vvosnet.o) /usr/conf/lib/libsec.a(sec_subrs.o) /usr/conf/lib/libsec.a(spd_mac.o) /usr/conf/lib/libuipc.a(uipc_compat.o) /usr/conf/lib/libnet.a(raw_usrreq.o) /usr/conf/lib/libinet.a(tcp_usrreq.o) /usr/conf/lib/libinet.a(tcp_input.o) /usr/conf/lib/libinet.a(ip_output.o) /usr/conf/lib/libinet.a(ip_input.o) /usr/conf/lib/libinet.a(udp_usrreq.o) /usr/conf/lib/libinet.a(tcp_subr.o) /usr/conf/lib/libnet.a(if.o) /usr/sbin/ifconfig /usr/lib/nls/msg/C/ifconfig.cat what(1) Output: /usr/conf/lib/libsec.a(audit_stub.o): kern/sec/audit_stub.c, sysaudit, vvos_davis, davis13 5 $Date: 99/01/19 10:04:39 $ $Revision: 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_socket.o): $Source: kern/sys/uipc_socket.c, hpuxsysuipc, vvos_d avis, davis135 $Date: 99/01/19 10:03:54 $ $R evision: 1.49.1.2 PATCH_10.24 (PHNE_15733) $ /usr/conf/lib/libuipc.a(uipc_socket2.o): kern/sys/uipc_socket2.c, hpuxsysuipc, vvos_davis, da vis135 $Date: 99/01/19 10:03:54 $ $Revision: 1.4 PATCH_10.24 (PHNE_11096) $ /usr/conf/lib/libuipc.a(uipc_syscall.o): $Source: kern/sys/uipc_syscall.c, hpuxsysuipc, vvos_ davis, davis135 $Date: 99/01/19 10:03:54 $ $ Revision: 1.39 PATCH_10.24 (PHNE_15733) $ /usr/conf/lib/libuipc.a(uipc_usrreq.o): kern/sys/uipc_usrreq.c, hpuxsysuipc, vvos_davis, dav is135 $Date: 99/01/19 10:03:55 $ $Revision: 1.26 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libhp-ux.a(vfs_scalls.o): kern/sys/vfs_scalls.c, hpuxsysvfs, vvos_davis, davis 135 $Date: 99/01/19 10:04:07 $ $Revision: 1. 27.1.2 PATCH_10.24 (PHKL_12391) $ /usr/conf/lib/libhp-ux.a(vfs_lockf.o): kern/sys/vfs_lockf.c, hpuxsysvfs, vvos_davis, davis1 35 $Date: 99/01/19 10:08:09 $ $Revision: 1.3 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(kern_dscrp.o): kern/sys/kern_dscrp.c, hpuxsysmisc, vvos_davis, davi s135 $Date: 99/01/19 10:04:08 $ $Revision: 1 .24 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(nm_tune.o): kern/netinet/nm_tune.c, hpuxsysinet, vvos_davis, dav is135 $Date: 99/01/19 10:03:57 $ $Revision: 1.13 PATCH_10.24 (PHNE_10161) $ /usr/conf/lib/libsec.a(sec_vvosnet.o): kern/sec/sec_vvosnet.c, sysmisc, vvos_davis, davis13 5 $Date: 99/01/19 10:07:55 $ $Revision: 1.19 .2.6 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(sec_subrs.o): kern/sec/sec_subrs.c, sysmisc, vvos_davis, davis135 $Date: 99/01/19 10:04:21 $ $Revision: 1.13.3 .4 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(spd_mac.o): kern/sec/spd_mac.c, sysmacilb, vvos_davis, davis135 $Date: 99/01/19 10:04:19 $ $Revision: 1.31 P ATCH_10.24 (PHKL_12391) $ /usr/conf/lib/libuipc.a(uipc_compat.o): kern/sys/uipc_compat.c, hpuxsysuipc, vvos_davis, dav is135 $Date: 99/01/19 10:07:57 $ $Revision: 1.4 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(raw_usrreq.o): kern/net/raw_usrreq.c, hpuxsysnet, vvos_davis, davis 135 $Date: 99/01/19 10:03:46 $ $Revision: 1. 20 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(tcp_input.o): kern/netinet/tcp_input.c, hpuxsysinet, vvos_davis, d avis135 $Date: 99/01/19 10:03:49 $ $Revision : 1.41.1.7 PATCH_10.24 (PHNE_14735) $ /usr/conf/lib/libinet.a(tcp_usrreq.o): kern/netinet/tcp_usrreq.c, hpuxsysinet, vvos_davis, davis135 $Date: 99/01/19 10:04:06 $ $Revisio n: 1.5 PATCH_10.24 (PHNE_14735) $ /usr/conf/lib/libinet.a(ip_output.o): kern/netinet/ip_output.c, hpuxsysinet, vvos_davis, d avis136 $Date: 99/01/19 10:11:02 $ $Revision : 1.23 PATCH_10.24 (PHNE_17413) $ /usr/conf/lib/libinet.a(ip_input.o): kern/netinet/ip_input.c, hpuxsysinet, vvos_davis, da vis135 $Date: 99/01/19 10:03:48 $ $Revision: 1.33 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(udp_usrreq.o): kern/netinet/udp_usrreq.c, hpuxsysinet, vvos_davis, davis135 $Date: 99/01/19 10:03:50 $ $Revisio n: 1.40 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libinet.a(tcp_subr.o): kern/netinet/tcp_subr.c, hpuxsysinet, vvos_davis, da vis135 $Date: 99/01/19 10:03:49 $ $Revision: 1.27 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(if.o): kern/net/if.c, hpuxsysnet, vvos_davis, davis135 $Dat e: 99/01/19 10:03:46 $ $Revision: 1.32 PATCH _10.24 (PHNE_10476) $ /usr/sbin/ifconfig: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Tue Jan 19 10:11:24 EST 1999 $ lanlink/NET/commands/ifconfig/ifconfig.c, hpuxcmdnet , vvos_davis, davis135 $Date: 99/01/19 10:05 :21 $ $Revision: 1.10 PATCH_10.24 (PHNE_1047 5) $ NET: Version: B.10.10 $Date: 96/05/09 11:26:18 $ /usr/lib/nls/msg/C/ifconfig.cat: None cksum(1) Output: 581319567 8536 /usr/conf/lib/libsec.a(audit_stub.o) 1668583955 21720 /usr/conf/lib/libuipc.a(uipc_socket.o) 2176111885 21048 /usr/conf/lib/libuipc.a(uipc_socket2.o) 2653773226 17564 /usr/conf/lib/libuipc.a(uipc_syscall.o) 3555104674 13900 /usr/conf/lib/libuipc.a(uipc_usrreq.o) 2337588918 29804 /usr/conf/lib/libhp-ux.a(vfs_scalls.o) 3530575083 14724 /usr/conf/lib/libhp-ux.a(vfs_lockf.o) 4204275885 15856 /usr/conf/lib/libhp-ux.a(kern_dscrp.o) 2608323468 10452 /usr/conf/lib/libhp-ux.a(nm_tune.o) 596407035 9608 /usr/conf/lib/libsec.a(sec_vvosnet.o) 3551948452 9632 /usr/conf/lib/libsec.a(sec_subrs.o) 2813452651 13280 /usr/conf/lib/libsec.a(spd_mac.o) 3230643726 9388 /usr/conf/lib/libuipc.a(uipc_compat.o) 3033131581 5760 /usr/conf/lib/libnet.a(raw_usrreq.o) 2610967921 21740 /usr/conf/lib/libinet.a(tcp_input.o) 780938545 12152 /usr/conf/lib/libinet.a(tcp_usrreq.o) 4125698477 12648 /usr/conf/lib/libinet.a(ip_output.o) 3835118466 18580 /usr/conf/lib/libinet.a(ip_input.o) 378424874 16260 /usr/conf/lib/libinet.a(udp_usrreq.o) 3917311042 10728 /usr/conf/lib/libinet.a(tcp_subr.o) 4286020176 8672 /usr/conf/lib/libnet.a(if.o) 2310325010 24576 /usr/sbin/ifconfig 808123659 1886 /usr/lib/nls/msg/C/ifconfig.cat Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHNE_10161 PHNE_10325 PHNE_10476 PHNE_11096 PHNE_11306 PHKL_12391 PHNE_13888 PHNE_14735 PHNE_15733 Equivalent Patches: PHNE_17414: s800: 10.24 Patch Package Size: 410 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_17413 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHNE_17413.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHNE_17413.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_17413. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHNE_17413.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_17413.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None