Patch-ID# 105047-21
Keywords: ENCRYPTION INTERNATIONAL security y2000 NAT CDP ftp-related
Synopsis: SunScreen SPF-200 1.0: Patch for miscellaneous fixes
Date: Jul/12/99

******************************************************
The items made available through this website are subject to United States
export laws and may be subject to export and import laws of other countries.
You agree to strictly comply with all such laws and obtain licenses to export,
re-export, or import as may be required. Unless expressly authorized by the
United States Government to do so you will not, directly or indirectly, export
or re-export the items made available through this website, nor direct the
items therefrom, to any embargoed or restricted country identified in the
United States export laws, including but not limited to the Export
Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

The patch kit consists of:
    1) Installation diskette
    2) Uninstall diskette
    3) Patch Guide with instructions and graphics on installing the
       105047-21 patch on the SunScreen SPF-200 Screen and the
       SunScreen SPF-200 Administration Station.

Solaris Release:

SunOS Release:

Unbundled Product: SunScreen SPF-200

Unbundled Release: 1.0

Relevant Architectures:

BugId's fixed with this patch:
    4029284 4030235 4031389 4031724 4033446 4038852 4039375 4041271
    4043433 4044176 4044668 4045517 4047032 4047722 4049377 4050031
    4051749 4052731 4057888 4059755 4059903 4060737 4060904 4061340
    4061468 4061678 4067854 4069063 4069499 4069837 4070166 4073825
    4074678 4075922 4075927 4076193 4076261 4077079 4083582 4085306
    4085741 4089187 4089713 4090912 4091790 4091840 4094076 4095144
    4095765 4097776 4097784 4097788 4097791 4097797 4101297 4101343
    4101345 4103464 4103479 4103474 4104090 4104092 4106544 4107511
    4109363 4110326 4110830 4111324 4116626 4116880 4119033 4120691
    4123705 4124225 4127203 4130643 4137394 4138476 4156033 4156072
    4156706 4157151 4157540 4157562 4157648 4158512 4158806 4159288
    4160224 4160971 4160830 4160833 4160975 4162426 4162495 4163233
    4163773 4163905 4164072 4164979 4169730 4170425

BugId's fixed with this patch: 4169730 4170425

Patches accumulated and obsoleted by this patch: 105047-20

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

SUNWicgSS
/etc/init.d/sunscreen
/etc/opt/SUNWicg/SunScreen/version.txt
/kernel/drv/screen
/opt/SUNWicg/SunScreen/admin/cgi-bin/config_detail
/opt/SUNWicg/SunScreen/admin/cgi-bin/interfaces
/opt/SUNWicg/SunScreen/admin/cgi-bin/traffic
/opt/SUNWicg/SunScreen/bin/natcompiler
/opt/SUNWicg/SunScreen/bin/spf_backup
/opt/SUNWicg/SunScreen/bin/spf_logger
/opt/SUNWicg/SunScreen/bin/spf_restore
/opt/SUNWicg/SunScreen/bin/ss_active_config
/opt/SUNWicg/SunScreen/bin/ss_backup
/opt/SUNWicg/SunScreen/bin/ss_certificate
/opt/SUNWicg/SunScreen/bin/ss_compiler
/opt/SUNWicg/SunScreen/bin/ss_configuration
/opt/SUNWicg/SunScreen/bin/ss_copy_key
/opt/SUNWicg/SunScreen/bin/ss_getskip
/opt/SUNWicg/SunScreen/bin/ss_interfaces
/opt/SUNWicg/SunScreen/bin/ss_log
/opt/SUNWicg/SunScreen/bin/ss_logd
/opt/SUNWicg/SunScreen/bin/ss_patch
/opt/SUNWicg/SunScreen/bin/ss_putskip
/opt/SUNWicg/SunScreen/bin/ss_rule
/opt/SUNWicg/SunScreen/bin/ss_server
/opt/SUNWicg/SunScreen/bin/ss_sys_info
/opt/SUNWicg/SunScreen/bin/ss_traffic_stats
/opt/SUNWicg/SunScreen/bin/ss_xbackup
/opt/SUNWicg/SunScreen/support/findcore
/opt/SUNWicg/SunScreen/support/help
/opt/SUNWicg/SunScreen/support/screeninfo
/opt/SUNWicg/SunScreen/support/versions
/usr/kernel/drv/screen_skip
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_raudio

SUNWicgSA
/opt/SUNWicg/SunScreenAdmin/bin/.jumpstart/finish.spf
/opt/SUNWicg/SunScreenAdmin/bin/.jumpstart/finish.u2
/opt/SUNWicg/SunScreenAdmin/bin/.jumpstart/profile.spf
/opt/SUNWicg/SunScreenAdmin/bin/.jumpstart/rules.ok
/opt/SUNWicg/SunScreenAdmin/bin/sas_logdump
/opt/SUNWicg/SunScreenAdmin/bin/sas_registry
/opt/SUNWicg/SunScreenAdmin/bin/spf_admin_backup
/opt/SUNWicg/SunScreenAdmin/bin/spf_admin_install
/opt/SUNWicg/SunScreenAdmin/bin/spf_admin_restore
/opt/SUNWicg/SunScreenAdmin/bin/spf_remote_backup
/opt/SUNWicg/SunScreenAdmin/bin/spf_remote_restore
/opt/SUNWicg/SunScreenAdmin/bin/ss_admin_backup
/opt/SUNWicg/SunScreenAdmin/bin/ss_client
/opt/SUNWicg/SunScreenAdmin/lib/sas_address
/opt/SUNWicg/SunScreenAdmin/lib/sas_rules
/opt/SUNWicg/SunScreenAdmin/man/cat1m/sas_logdump.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/sas_main.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/sas_registry.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/spf_admin_backup.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/spf_admin_restore.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/spf_remote_backup.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/spf_remote_restore.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/spf_upgrade_skip.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/ss_configuration.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/ss_interfaces.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/ss_network.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/ss_patch.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/ss_rule.1m
/opt/SUNWicg/SunScreenAdmin/man/cat1m/ss_traffic_stats.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/sas_logdump.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/sas_main.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/sas_registry.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/spf_admin_backup.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/spf_admin_restore.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/spf_remote_backup.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/spf_remote_restore.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/spf_upgrade_skip.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/ss_configuration.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/ss_interfaces.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/ss_network.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/ss_patch.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/ss_rule.1m
/opt/SUNWicg/SunScreenAdmin/man/man1m/ss_traffic_stats.1m

SUNWicgSP
/etc/init.d/spf_config
/kernel/strmod/spf
/opt/SUNWicg/SunScreen/bin/spf_harden_os.file_list.default
/opt/SUNWicg/SunScreen/bin/spf_harden_os.file_list.ultra

SUNWicgEF
/kernel/strmod/efs

Problem Description:

4103479 - Screen's root partition fills up (SUNWicgSS)
4159288 - ss_traffic_stats manpage thinks it's ss_traffic (SUNWicgSA)
4169730 - "ss_client spf versions" reports "screen*d" no such file or directory (SUNWicgSS)
4170425 - ss_server dumps core after running ss_client cmds a few days (SUNWicgSS)

(from 105047-20)

4041271 - Screen panics on MP machines (SUNWicgSS)
4069063 - compiler error msg needs clarity (can't use CertGrp for Encryption) (SUNWicgSS)
4162426 - "ss_configuration" shows year as YY - not y2000 compliant (SUNWicgSS)

(from 105047-19)

4029284 - man pages are not installed (SUNWicgSA)
4031389 - ss_client fails every other time - thread1: unexpected exit (SUNWicgSA)
4033446 - wrong interface definition block Screen <-> communication (SUNWicgSS)
4038852 - selecting logging on add interface screen doesn't take effect (SUNWicgSS)
4044176 - install fails if spf_admin_install runs while SKIP passwd protection enabled (SUNWicgSA)
4057888 - Interfaces page, SPF Network Address, Start Address confusing (SUNWicgSS)
4061340 - sas_logdump doesn't know traffic alg 0xf2 is RC2-40 (SUNWicgSA)
4067854 - need better error reporting from ss_client (SUNWicgSA)
4069837 - spf_admin_restore fails to save the ACLs that it restores (SUNWicgSA)
4075922 - address list's listbox is not sorted at first (SUNWicgSS)
4075927 - ss_configuration export does not always produce correct output (SUNWicgSS)
4076193 - need better means to gather info from screen when problems occur (SUNWicgSA)
4089187 - spf_admin_install does not create floppy correctly with Solaris 2.6 (SUNWicgSA)
4091840 - System log file size is limited to 200k (SUNWicgSA)
4097776 - Log files are not displaying any entry for year. (SUNWicgSA)
4097784 - activation window is showing 2 digit year date. (SUNWicgSS)
4097788 - Log screen shows year in 2 digits. (SUNWicgSS)
4097791 - Information screen through netscape browser displays year in 2 digits (ambiguous) (SUNWicgSS)
4097797 - Configuration screen displays year in two digits (ambiguous). (SUNWicgSS)
4101343 - date printed by ss_server into log entries is not Y2K compliant (SUNWicgSS)
4101345 - date shown after year 2000 is three digit e.g. 100 (SUNWicgSS)
4106544 - sas_logdump -v does not show complete info (SUNWicgSA)
4107511 - spf_admin_restore with DOS floppy does not fix localid filenames (SUNWicgSA)
4124225 - cannot create certificate group with more than 267 members (SUNWicgSA)
4127203 - sas_registry does not load CA local identity correctly with Solaris 2.6 (SUNWicgSA)
4130643 - spf_admin_install needs to allow qfe as Screen's admin interface (SUNWicgSA)
4156033 - Darwin HW needs MU to be installed (SUNWicgSA)
4156072 - spf_harden_os doesn't remove adb lib installed with 2.5.1 11/97 (SUNWicgSP)
4156706 - floppy patch install on Darwin hardware never completes (SUNWicgSS)
4157151 - ss_interfaces doesn't interpret SNMP_EMIT (as per man page) (SUNWicgSS)
4157540 - Can't install on Solaris 2.6 admin station with CA keys (SUNWicgSA)
4157562 - ss_configuration export lists unusable certificate groups. (SUNWicgSS)
4157648 - Can't install on E450 as the SPF-200DW Screen (SUNWicgSA)
4158512 - SPF200DW beta: customer must edit install or patch diskette between uses. (SUNWicgSS)
4158806 - SNMP alert counter is incremented, although no alerts are to be sent (SUNWicgSS)
4160224 - The version number is incorrect in ss_sys_info command and the info GUI (SUNWicgSS)
4160830 - The ss_network man page should mention the instance starts with 0 (SUNWicgSA)
4160833 - The ss_network man page examples use bad netmasks (SUNWicgSA)
4160971 - If adding an existing configuration name wipes out the rules in configuration (SUNWicgSS)
4160975 - The ss_configuration report command gives reports even for non-existing config. (SUNWicgSS)
4162495 - "ss_log stats" returns an error message (SUNWicgSS)
4163233 - "sas_logdump" shows year as YY - not y2000 compliant (SUNWicgSA)
4163773 - The man page for spf_upgrade_skip should tell the user to eject floppy manually (SUNWicgSA)
4163905 - Incorrect Error Reason for SNMP alert (SUNWicgSS)
4164072 - screeninfo fails to report disk usage (SUNWicgSS)
4164979 - multicast ethernet packets do not pass with ether state engine (SUNWicgSP)

(from 105047-18)

4043433 - Screen's spf_backup should verify configs (min. active one) (SUNWicgSA, SUNWicgSS)
4044668 - spf_restore doesn't check for floppy's presence (SUNWicgSS)
4045517 - can't enter 0 as a octets of the screen, router, or DNSsvr address (SUNWicgSA)
4049377 - "versions" should examine screen_skip and /usr/kernel/misc/ modules (SUNWicgSS)
4052731 - spf_restore: could not get keyboard type US keyboard assumed (SUNWicgSS)
4069499 - fail reason 270 "bad policy" needs to be more specific (SUNWicgSS)
4073825 - need to have all drivers installed (in case hw is added) (SUNWicgSA)
4076261 - certain valid IP addresses are rejected by spf_admin_install (SUNWicgSA)
4077079 - "ss_client screen findcore" is undependable (SUNWicgSS)
4085306 - Admin can't remove SPF-200 Screen local identities (SUNWicgSS)
4085741 - CU wants the reporting functionality of the spf 100 on the spf 200 (SUNWicgSS)
4090912 - sending an SNMP alert gets counted as nocanput (SUNWicgSS)
4095144 - SPF-200 sas_logdump should sort on why and interface received (SUNWicgSA)
4104090 - summary packets need to include 40 bytes beyond MAC header (SUNWicgSS)
4104092 - error if ENCRYP rule does not refer to Screen's cert needs clarity (SUNWicgSS)
4116626 - SKIP connections with tunneling only one direction can fail (SUNWicgSP)
4116880 - Extra ACK before open causes connection to be re rejected (SUNWicgSS)
4137394 - SNMP traps don't get sent to all trap receivers (SUNWicgSS)
4138476 - SNMP stats are wrong (SUNWicgSS) (SUNWicgSP)

(from 105047-17)

4123705 - remote restore does not restore all certificates (SUNWicgSS)

(from 105047-16)

4109363 - spf_backup fails if the diskette gets filled (SUNWicgSA)
4110326 - spf_backup fails if more than 224 files written to DOS diskette (SUNWicgSA)
4119033 - SPF ss_certificate command fails if large number of certs specified (SUNWicgSS)
4120691 - Bad TCP checksum with NAT & FTP "PORT" command (SUNWicgSS)

(from 105047-15)

4030235 - Support for Backup/Restore from remote admin station needed (SUNWicgSA, SUNWicgSS)
4047722 - missing ability to sort rules by service, from, or to address (SUNWicgSA, SUNWicgSS)
4110830 - ftp with NAT fails if the public/private addresses differ in length (SUNWicgSS)

(from 105047-14)

4111324 - Bad address rewrite using Dynamic NAT (SUNWicgSS)

(from 105047-13)

4095765 - SPF-200: Problems with NAT/Decryption, Admin Stn can't connect to Screen (SUNWicgSS)

(from 105047-12)

4103464 - memory leak with ICMP rejects on failed packets (SUNWicgSS)
4103474 - memory leak with SNMP alerts on failed packets (SUNWicgSS)

(from 105047-11)

4101297 - SPF-200 screen mbuf leak (SUNWicgSS)

(from 105047-10)

4089713 - Compiler dumps core when compiling skip rule (SUNWicgSS)
4094076 - Screen will panic when using Dynamic NAT with a one:one relationship defined. (SUNWicgSS)

(from 105047-08)

4031724 - realaudio pkts can fail why=261(invalid format) (SUNWicgSS)
4061678 - packets logged are missing their ethernet (MAC) header (SUNWicgSA)
4083582 - screen reboots under special circumstances (port scanning with ftp) (SUNWicgSS)

(from 105047-07)

4051749 - Screen freezes - kernel memory leak handling big packets (SUNWicgSS)
4091790 - cannot get session logging to work for encrypted rules (SUNWicgSS)

(from 105047-05)

4074678 - spf crashes processing UDP port 1640 packets that are not CDP (SUNWicgSS)

(from 105047-04)

4070166 - SPF proxy ARP'ing for private STATIC NAT addresses (SUNWicgSS)

(from 105047-03)

4061468 - SPF-200's hme interfaces connected to 10Mbit stop working (SUNWicgSP)

(from 105047-02)

4059755 - public source address corrupted when mapping a list of networks (SUNWicgSS)
4060737 - NAT occurs when it should not (between two private addresses) (SUNWicgSS)
4060904 - passive ftp fails (SUNWicgSS)

(from 105047-01)

4039375 - spf_admin_install netmask prompt looks like y/n question (SUNWicgSA)
4047032 - screen can be accessed during install cycle (SUNWicgSA)
4050031 - Can delete active config - no warning - screen can't be managed any longer (SUNWicgSS)
4059903 - rip broadcast packets dest=255.255.255.255 fail (SUNWicgSS)

Instructions to install patch on SunScreen SPF-200 Administration Station
-------------------------------------------------------------------------

Note: Only the SUNWicgSA part of the patch will be applied to the
Administration Station with this part of the procedure.

1. Become root on the Admin Station.

2. Insert the same patch floppy into the Admin Station's floppy drive.

3. Then type:

    # volcheck
    # cd /floppy/floppy0/Patches
    # 105047-21/installpatch 105047-21

4. Restart any SPF administrative applications.

Instructions to install patch on SunScreen SPF-200 Screen
---------------------------------------------------------

Note: All three parts of the patch (SUNWicgSA, SUNWicgSS and SUNWicgSP)
will be applied to the screen with this part of the procedure.

1. Insert the install patch floppy into the Screen's floppy drive.

2. Reminder: the SunScreen SPF-200 CD-ROM must be in the Screen's
   CD-ROM drive, as is usually the case.

3. Turn the Screen off; wait ten seconds; turn the Screen on.

4. Activation of the currently active configuration with a
   'Compile and Activate' using the Configuration page of the HTML
   manager is required to have the RIP broadcast bug (4059903) fix
   applied.

Instructions for identifying patches installed on system
--------------------------------------------------------

1. To identify the patch level on your SunScreen SPF-200 screen (since
   there is no keyboard or monitor), you must use this command:

    # ss_client packages > screen.pkginfo

   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the
   contents of /var/log/patch.log.

2. To identify the patch level on your SunScreen SPF-200 Administrative
   Workstation, execute the commands directly.

    % ls -lt /var/sadm/patch > admin.pkginfo
    % pkginfo -l >> admin.pkginfo

Instructions to backout patch on SunScreen SPF-200 Administration Station
-------------------------------------------------------------------------

1. Become root on the Admin Station.

2. Then type:

    # cd /var/sadm/patch
    # 105047-21/backoutpatch 105047-21

Instructions to backout patch on SunScreen SPF-200 Screen
---------------------------------------------------------

1. Insert the backout patch floppy into the Screen's floppy drive.

2. Reminder: the SunScreen SPF-200 CD-ROM must be in the Screen's
   CD-ROM drive, as is usually the case.

3. Turn the Screen off; wait ten seconds; turn the Screen on.