Patch Name: PHSS_16761 Patch Description: s700_800 10.20 Praesidium/Security Service V1.0 Y2K cumul Creation Date: 98/12/23 Post Date: 98/12/23 Hardware Platforms - OS Releases: s700: 10.20 s800: 10.20 Products: B5406AA_APZ Praesidium/Security Service V1.0 Filesets: DESS-Core.DESS-CORE-RUN,B.10.20 DESS-CoreAdmin.DESS-ACCT-MGR,B.10.20 DESS-SEC-Srvr.DESS-SEC-SRVR,B.10.20 DESS-SrvMonExt.DESS-SM-INTEG,B.10.20 Automatic Reboot?: No Status: General Release Critical: No Path Name: /hp-ux_patches/s700_800/10.X/PHSS_16761 Symptoms: PHSS_16761: 1. Executing "dcecp>principal catalog" command with cell name that does not exist followed by "dcecp> errtext $_e" command dumps core. 2. dcecp memory leaks while modifying acls. 3. account manager mishandles ERA attrset with more that one uuid 4. dced hangs on startup when "starton boot" servers are configured 5. secd dumps core with too long names for principal, which results in Denial of Service Attack. 6. dcecp dumps core when modifying acls of dced objects in local mode 7. secd dumps core when client requests authentication but with wrong password in a keytab. This cumulates till the secd reaches the maxdsize of about 70-80 MB and then cores. PHSS_16171: 1. klist display of year 2000 and beyond is incorrect. PHSS_7877: 1. When configuring an initial security server using dess_config, if the user enters something other than the default cell_admin password when prompted, the script will fail and give an error on the "dcecp account create" command to create the krb5 host account. The error that dess_config will give is "Data integrity error" from dcecp. This patch fixes dess_config to allow the user to enter something other than the default cell_admin password when prompted. 2. The dess_config script does not configure the Kerberos beta 5 configuration file, /etc/krb5.conf, correctly. More specifically, there is a missing "=" sign in the domain_realm section of the configuration file. This patch contains a fix to dess_config to create the Kerberos beta 5 configuration file with the correct contents. 3. The dess_pwd_strengthd server is not properly stopped when the user selects "3. STOP - Stop daemons" from the dess_config menu. This problem is also seen by the system shutdown script, init.d/dess, where the dess_pwd_strengthd server is not shut down automatically when the system is being shut down. This patch contains a fix to properly shut down the dess_pwd_strengthd server in both cases. 4. If the number of hosts being discovered is big, the Distributed Enterprise/server monitor (DE/sm) extension for Praesidium/Security Service will cause the DE/sm Discovery engine to abort. This patch contains a fix to make the extension work with a large number of hosts. Defect Description: PHSS_16761: 1. Executing "dcecp>principal catalog" command with cell name that does not exist followed by "dcecp> errtext $_e" command dumps core. 2. dcecp memory leaks while modifying acls. 3. account manager mishandles ERA attrset with more that one uuid 4. dced hangs on startup when "starton boot" servers are configured 5. secd dumps core with too long names for principal, which results in Denial of Service Attack. 6. dcecp dumps core when modifying acls of dced objects in local mode 7. secd dumps core when client requests authentication but with wrong password in a keytab. This cumulates till the secd reaches the maxdsize of about 70-80 MB and then cores. PHSS_16171: 1. klist display of year 2000 and beyond is incorrect. PHSS_7877: 1. When configuring an initial security server using dess_config, if the user enters something other than the default cell_admin password when prompted, the script will fail and give an error on the "dcecp account create" command to create the krb5 host account. The error that dess_config will give is "Data integrity error" from dcecp. This patch fixes dess_config to allow the user to enter something other than the default cell_admin password when prompted. 2. The dess_config script does not configure the Kerberos beta 5 configuration file, /etc/krb5.conf, correctly. More specifically, there is a missing "=" sign in the domain_realm section of the configuration file. This patch contains a fix to dess_config to create the Kerberos beta 5 configuration file with the correct contents. 3. The dess_pwd_strengthd server is not properly stopped when the user selects "3. STOP - Stop daemons" from the dess_config menu. This problem is also seen by the system shutdown script, init.d/dess, where the dess_pwd_strengthd server is not shut down automatically when the system is being shut down. This patch contains a fix to properly shut down the dess_pwd_strengthd server in both cases. 4. If the number of hosts being discovered is big, the Distributed Enterprise/server monitor (DE/sm) extension for Praesidium/Security Service will cause the DE/sm Discovery engine to abort. This patch contains a fix to make the extension work with a large number of hosts. SR: 0000000000 4701332114 Patch Files: /opt/dcadmin/desm/exts/de/dess_disc.10.tcl /opt/dce/bin/css/klist.css /opt/dce/bin/dess_config /opt/dce/bin/css/pwd_config.css /opt/dce/bin/dess_shutdown /opt/dce/bin/css/dcecp.css /usr/lib/libdcecpcss.1 /opt/dce/bin/css/acctmgrcss /usr/lib/libdcedpvtcss.1 /opt/dce/sbin/css/secd.css what(1) Output: /opt/dcadmin/desm/exts/de/dess_disc.10.tcl: None /opt/dce/bin/css/klist.css: HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R evision: 74.03 $ krb5rpc.c 3 - 10/10/91 krb5-manual-glue.c 13 - 12/12/91 rc_base.c 3 - 10/24/91 localaddr.c 3 - 10/24/91 locate_kdc.c 3 - 10/24/91 Praesidium/Security Service 1.0 PHSS_16761 Module: k list.css (Export) Date: Oct 27 1998 01:19:51 $RCSfile: environment.c,v $ $Revision: /main/HPDCE02 /2 $ (OSF) $Date: 1994/12/05 19:53 UTC $ /opt/dce/bin/dess_config: Module: dce_config $Revision: /main/HPDCE02/HPDESS02 /2 $ $Date: 1997/10/15 13:39 UTC $ /opt/dce/bin/css/pwd_config.css: None /opt/dce/bin/dess_shutdown: Module: dce_shutdown $Revision: /main/HPDCE02/HPDESS 02/1 $ $Date: 1997/10/06 12:35 UTC $ /opt/dce/bin/css/dcecp.css: HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R evision: 74.03 $ Praesidium/Security Service 1.0 PHSS_16761 Module: d cecp.css (Export) Date: Nov 4 1998 19:55:56 /usr/lib/libdcecpcss.1: Praesidium/Security Service 1.0 PHSS_16761 Module: l ibdcecpcss.sl (Export) Date: Nov 4 1998 19: 15:35 /opt/dce/bin/css/acctmgrcss: Praesidium/Security Server 1.0 Module: Praesidium/Se curity Server Account Manager Date: Tue Oct 13 22:52:02 IST 1998 main.tcl $Revision: /main/HPDESS01/4 $ $Date : 1996/06/13 16:06 UTC $ acledit.tcl $Revision: /main/HPDESS01/2 $ $Date : 1996/05/17 14:25 UTC $ secmgr.tcl $Revision: /main/HPDESS01/4 $ $Date: 1996/06/13 16:19 UTC $ fbrowse.tcl $Revision: /main/HPDESS01/2 $ $Date : 1996/04/11 15:43 UTC $ /usr/lib/libdcedpvtcss.1: Praesidium/Security Service 1.0 PHSS_16761 Module: l ibdcedpvtcss.sl (Export) Date: Oct 27 1998 0 0:53:21 /opt/dce/sbin/css/secd.css: HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R evision: 74.03 $ kdb_rsdb.c 25 - 12/05/91 krb5rpc.c 3 - 10/10/91 krb5-manual-glue.c 13 - 12/12/91 rc_base.c 3 - 10/24/91 localaddr.c 3 - 10/24/91 locate_kdc.c 3 - 10/24/91 Praesidium/Security Service 1.0 PHSS_16761 Module: s ecd.css (Export) Date: Oct 27 1998 01:17:23 $RCSfile: environment.c,v $ $Revision: /main/HPDCE02 /2 $ (OSF) $Date: 1994/12/05 19:53 UTC $ cksum(1) Output: 2177025505 34347 /opt/dcadmin/desm/exts/de/dess_disc.10.tcl 325528791 1388160 /opt/dce/bin/css/klist.css 2248972384 121769 /opt/dce/bin/dess_config 2891558745 26570 /opt/dce/bin/css/pwd_config.css 358280774 12332 /opt/dce/bin/dess_shutdown 1924084459 646784 /opt/dce/bin/css/dcecp.css 3328577185 1359872 /usr/lib/libdcecpcss.1 929166692 626098 /opt/dce/bin/css/acctmgrcss 1399401848 176128 /usr/lib/libdcedpvtcss.1 5208061 2436736 /opt/dce/sbin/css/secd.css Patch Conflicts: None Patch Dependencies: s700: 10.20: PHSS_15731 s800: 10.20: PHSS_15731 Hardware Dependencies: None Other Dependencies: None Supersedes: PHSS_7877 PHSS_16171 Equivalent Patches: None Patch Package Size: 6740 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHSS_16761 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHSS_16761.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHSS_16761.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHSS_16761. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHSS_16761.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHSS_16761.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: This patch(PHSS_16761) requires the DCE patch PHSS_15731 as a pre-requisite. Use "Match What Target Has" option while installing the DCE patch PHSS_15731. You may choose to ignore the dependency errors for the filesets which are not required for Pr/SS while installing PHSS_15731. Also, If PHSS_16761 is to be removed, DCE patch PHSS_15731 should also be removed as the previous DESS product(B5406AA_APZ)/patch(PHSS_7877) are not compatible with DCE patch PHSS_15731.