OBSOLETE Patch-ID# 105821-10
Keywords: Upgrade, jumbo, patch, 3.0b, build_3072
Synopsis: OBSOLETED by 107166
Date: Aug/25/98

Solaris Release: 2.5_x86 2.5.1_x86 2.6_x86
SunOS Release: 5.5_x86 5.5.1_x86 5.6_x86
Unbundled Product: FireWall-1
Unbundled Release: 3.0b
Relevant Architectures: i386

BugId's fixed with this patch:
Changes incorporated in this version:
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by: 107166 on Feb/04/99

Files included with this patch:
bin/fwvpn
bin/fwuivpn
bin/router_load
conf/fwopsec.conf
conf/objects.patched
conf/omi.conf
conf/slapd.conf
lib/base.def
lib/code.def
lib/control.map
lib/formats.def
lib/fwui_head.def
lib/setup.C
lib/table.def
lib/traps.def
lib/snmp/chkpnt.mib
lib/snmp/mib.txt
modules/fwvpnmod.5.x.o

Problem Description:

IMPORTANT !!
------------
This Service Pack includes a new control.map file which contains new configuration for the OPSEC communications protocols. Installing the Service Pack will REPLACE your existing control.map with the new one. If you have changes in control.map which you want to keep, you must copy the file aside before installing this Service Pack. After the installation you can then either merge the two files manually, or, if you are not using OPSEC, replace the newly installed control.map with your old one.

Encryption:
1. Fixed reassembly of fragmented SKIP packets.
2. Fixed a SKIP bug which occasionally caused the fw daemon to crash.

Logging:
1. Fixed a bug in the 'fw logswitch' mechanism, related to the fw.logtrak file, which was causing the fw daemon to fail due to too many open file descriptors.
2. Removed the message "fwd: Unable to open 'dev/fw0'" which was being displayed on the management station whenever the active log file ($FWDIR/log/fw.vlog) exceeded the default size of 10KB.
3. Changed the representation of the date in 'fw log' output to be Y2K compliant.
4. Changed the representation of the date in the name of the log file switched by 'fw logswitch' to be Y2K compliant.

Address Translation:
1. In Address Translation, the minimum-length test is now protocol sensitive. This fixes problems such as ICMP type 9 packets being wrongly dropped when translation is applied.

Router Management:
1. When using Cisco access-lists, it is now possible to define a filter that checks the source port of a packet.

Security Servers:
1. The SMTP security server now adds the full name, including domain, to the HELO command.
2. The SMTP security server now sends 5xx error messages for mail that is too large, and not 452.
3. Fixed handling of multiple messages on a single connection.
4. Fixed the sendmail.exe program for NT to correct a problem where mail alerts changed according to the date.
5. In the FTP security server, corrected handling of 220 multiline messages.
6. In the FTP security server, fixed a problem with a Welcome message that ends with a new line (\n), which was preventing connections from opening.
7. In the FTP security server, the reason log for the CVP server is now sent even if the CVP message is empty.
8. Corrected handling of HTTP server replies which have no headers.

User Authentication:
1. Defining a user with a time limitation using the interval 00:00 to 23:59 now covers the minute from 23:59 to midnight.

Kernel
------
1. Protection from the 'Radio Flyer' attack, where opening connections to the firewall management daemon could prevent any firewall administrator from connecting to the management station.
2. Protection from the fragmentation attack, where sending fragmented packets can cause the FireWall to stop forwarding packets. There are also several configurable parameters which can help the user fine-tune FireWall-1 to deal best with this kind of attack. The packets come from a system pool controlled by the operating system which grows dynamically as the need arises.

In addition, for all platforms, the following 3 parameters may be defined in objects.C under the 'props:' line (after editing objects.C run fwstop and fwstart for the change to take effect):

fwfrag_limit - how many fragment chains are allowed to be in the middle of assembly. Default is 1000.
fwfrag_minsize - the smallest acceptable fragment size (maximum is 576). Default is 0.
fwfrag_timeout - how long to wait for fragment chain completion before giving up on the packet and freeing its resources. Default is 20 seconds.

Limitations and Known Bugs:
---------------------------
1. Occasionally, during multiple, concurrent authentications between a FM and an ACE server, the challenge will return a failure even if the right PIN was entered. This will be fixed in a subsequent hot fix.
2. When managing pre-3072 modules with 3072 management, the Security Status window in the GUI crashes, gets stuck or shows no info for pre-3072 modules. A hot fix is under development by Checkpoint and will be posted no later than the 1st week of September 1998.

The workaround:
1. Stop the FireWall-1 management using 'fwstop'.
2. Edit the file $FWDIR/lib/snmp/mib.txt as follows:
   Change the line -
   checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 }
   To the line -
   checkpoint OBJECT IDENTIFIER ::= { enterprises 1919 }
3. Start the FireWall-1 management using 'fwstart'.

Patch Installation Instructions:
--------------------------------
Refer to the Install.info file for instructions on using each patch. Any other special or non-generic installation instructions should be described below as special instructions.

Special Install Instructions:
-----------------------------
Issue 'fwstop' before installing the patch.
Use the generic 'installpatch' and 'backoutpatch' scripts provided with this patch.
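As an added example (not part of the Sun patch README or of Check Point's own scripts), a POSIX shell helper that scripts the two pre-install steps above: saving control.map aside before the Service Pack replaces it, and applying the mib.txt OID workaround with a backup and a guard against applying it twice. The sandbox $FWDIR tree and the sample file contents are constructed, and the backup file names are my own choice.

```shell
#!/bin/sh
# Added example, not part of the Sun/Check Point patch README: scripted
# pre-install steps for patch 105821-10.  FWDIR defaults to a constructed
# sandbox so this runs offline; on a management station it is the
# FireWall-1 install directory.  Backup file names are my own choice.
FWDIR="${FWDIR:-$(mktemp -d)}"
export FWDIR

# Constructed stand-in for $FWDIR; files are only created when absent, so
# pointing FWDIR at a real tree leaves the real files untouched.
setup_sample_tree() {
    mkdir -p "$FWDIR/lib/snmp"
    [ -f "$FWDIR/lib/control.map" ] || printf 'site-local entry\n' > "$FWDIR/lib/control.map"
    [ -f "$FWDIR/lib/snmp/mib.txt" ] || cat > "$FWDIR/lib/snmp/mib.txt" <<'EOF'
checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 }
fw OBJECT IDENTIFIER ::= { checkpoint 1 }
EOF
}

# Copy control.map aside: the Service Pack replaces it, and the README says
# to save it first and merge (or restore) it after installation.
save_control_map() {
    cp -p "$FWDIR/lib/control.map" "$FWDIR/lib/control.map.pre-105821-10"
}

# Known-bug workaround: change the checkpoint OID from enterprises 2620 to
# enterprises 1919.  Refuses to run unless the exact expected line is present
# (so it is not applied twice) and keeps the untouched file as mib.txt.orig.
patch_mib_oid() {
    mib="$FWDIR/lib/snmp/mib.txt"
    grep -q '^checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 }$' "$mib" || return 1
    cp -p "$mib" "$mib.orig"
    sed '/^checkpoint OBJECT IDENTIFIER/s/enterprises 2620 }/enterprises 1919 }/' \
        "$mib.orig" > "$mib"
}

# Post-edit check: succeeds only when the workaround line is in place.
mib_oid_is_1919() {
    grep -q '^checkpoint OBJECT IDENTIFIER ::= { enterprises 1919 }$' "$FWDIR/lib/snmp/mib.txt"
}

setup_sample_tree
save_control_map
patch_mib_oid
echo "prepared $FWDIR; now run fwstop, then ./installpatch -u ."
```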
If synchronization is wanted, change the following line:
#define sync
to:
//#define sync

********************************************************************
IMPORTANT: This patch may not install properly unless the -u option is specified as follows:
./installpatch -u .
********************************************************************

# @(#) Install.info 1.10 96/08/15 SMI
# Copyright(c) 1995 SunSoft. All rights reserved.

Patch Installation Instructions:
--------------------------------------------------
Instructions to install patch using "installpatch"
--------------------------------------------------
1. Become super-user.
2. Apply the patch by typing:
.
See /tmp/log. for reason for failure.
Explanation and recommended action: The installation of one of
the patch packages failed. Installpatch will backout the patch
to leave the system in its pre-patched state. See the log file
for the reason for failure. Correct the problem and
re-apply the patch.
Message:
Pkgadd of package failed with error code .
Will not backout patch...patch re-installation.
Warning: The system may be in an unstable state!
See /tmp/log. for reason for failure.
Explanation and recommended action: The installation of one of
the patch packages failed. Installpatch will NOT backout the
patch. You may manually backout the patch using backoutpatch,
then re-apply the entire patch. Look in the log file for the
reason pkgadd failed. Correct the problem and re-apply the
patch.
Message:
installpatch is unable to find the INST_RELEASE file. This file
must be present for installpatch to function correctly.
Explanation and recommended action: The file INST_RELEASE is
missing from the system. This file is created during either
initial installation or during an update. Contact customer
service.
Message:
A previous installation of patch was invoked
that saved files that were to be patched. Since files
were saved, you must run this instance of installpatch
without the -d option.
Explanation and recommended action: If a patch was previously
installed without using the '-d' option, then the re-installation
attempt must also be invoked without the '-d' option. Execute
installpatch without the '-d' option.
Message:
A previous installation of patch was invoked
with the -d option. (i.e. Do not save files that would
be patched) Therefore, this invocation of installpatch
must also be run with the -d option.
Explanation and recommended action: If a patch was previously
installed using the '-d' option, then the re-installation
attempt must also be invoked with the '-d' option. Execute
installpatch with the '-d' option.
Patch Installation Messages:
---------------------------
Note: the messages listed below are not necessarily considered errors
as indicated in the explanations given. These messages are, however,
recorded in the patch installation log for diagnostic reference.
Message:
Package not patched:
PKG=SUNxxxx
Original package not installed
Explanation: One of the components of the patch would have patched a
package that is not installed on your system. This is not
necessarily an error. A Patch may fix a related bug for several
packages.
Example: suppose a patch fixes a bug in both the
online-backup and fddi packages. If you had online-backup installed
but didn't have fddi installed, you would get the message
Package not patched:
PKG=SUNWbf
Original package not installed
This message only indicates an error if you thought the package
was installed on your system. If this is the case, take the
necessary action to install the package, backout the patch (if
it installed other packages) and re-install the patch.
Message:
Package not patched:
PKG=SUNxxx
ARCH=xxxxxxx
VERSION=xxxxxxx
Architecture mismatch
Explanation: One of the components of the patch would have patched a
package for an architecture different from your system. This is not
necessarily an error. Any patch to one of the architecture specific
packages may contain one element for each of the possible
architectures. For example, Assume you are running on a sun4m. If
you were to install a patch to package SUNWcar, you would see the
following (or similar) messages:
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4c
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4d
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4e
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
Package not patched:
PKG=SUNWcar
ARCH=sparc.sun4
VERSION=11.5.0,REV=2.0.18
Architecture mismatch
The only time these messages indicate an error condition
is if installpatch does not correctly recognize your architecture.
Message:
Package not patched:
PKG=SUNxxxx
ARCH=xxxx
VERSION=xxxxxxx
Version mismatch
Explanation: The version of software to which the patch is applied is
not installed on your system. For example, if you were running Solaris
5.3, and you tried to install a patch against Solaris 5.2, you would
see the following (or similar) message:
Package not patched:
PKG=SUNWcsu
ARCH=sparc
VERSION=10.0.2
Version mismatch
This message does not necessarily indicate an error. If
the version mismatch was for a package you needed patched, either
get the correct patch version or install the correct package version.
Then backout the patch (if necessary) and re-apply.
Message:
Re-installing Patch.
Explanation: The patch has already been applied, but there is
at least one package in the patch that could be added. For
example, if you applied a patch that had both Openwindows and
Answerbook components, but your system did not have Answerbook
installed, the Answerbook parts of the patch would not have
been applied. If, at a later time, you pkgadd Answerbook, you
could re-apply the patch, and the Answerbook components of the
patch would be applied to the system.
Message:
Installpatch Interrupted.
Installpatch is terminating.
Explanation: Installpatch was interrupted during execution
(usually through pressing ^C). Installpatch will clean up
its working files and exit.
Message:
Installpatch Interrupted.
Backing out Patch...
Explanation: Installpatch was interrupted during execution
(usually through pressing ^C). Installpatch will clean up
its working files, backout the patch, and exit.
Patch Backout Errors:
---------------------
Message:
prebackout patch exited with return code .
Backoutpatch exiting.
Explanation and corrective action: the prebackout script
supplied with the patch exited with a return code other
than 0. Generate a script trace of backoutpatch to determine
why the prebackout script failed. Correct the reason for
failure, and re-execute backoutpatch.
Message:
postbackout patch exited with return code .
Backoutpatch exiting.
Explanation and corrective action: the postbackout script
supplied with the patch exited with a return code other than
0. Look at the postbackout script to determine why it failed.
Correct the failure and, if necessary, RE-EXECUTE THE
POSTBACKOUT SCRIPT ONLY.
Message:
Only one service may be defined.
Explanation and corrective action: You have attempted to specify
more than one service from which to backout a patch. Different
services must have their patches backed out with different
invocations of backoutpatch.
Message:
The -S and -R arguments are mutually exclusive.
Explanation and recommended action: You have specified both a
non-native service to backout, and a package installation root.
These two arguments are mutually exclusive. If backing out a
patch from a non-native usr partition, the -S option should be
used. If backing out a patch from a client's root
partition (either native or non-native), the -R option
should be used.
Message:
The service cannot be found on this system.
Explanation and recommended action: You have specified a non-
native service from which to backout a patch, but the
specified service is not installed on your system. Correctly
specify the service when backing out the patch.
Message:
Only one rootdir may be defined.
Explanation and recommended action: You have specified more than
one package install root using the -R option. The -R option
may be used only once per invocation of backoutpatch.
Message:
The directory cannot be found on this system.
Explanation and recommended action: You have specified a
directory using the -R option which is either not mounted,
or does not exist on your system. Verify the directory name
and re-backout the patch.
Message:
Patch has not been successfully applied to this system.
Explanation and recommended action: You have attempted to backout
a patch that is not applied to this system. If you must
restore previous versions of patched files, you may have to
restore the original files from the initial installation CD.
Message:
Patch has not been successfully applied to this system.
Will remove directory
Explanation and recommended action: You have attempted to back
out a patch that is not applied to this system. While the
patch has not been applied, a residual
/var/sadm/patch/ (perhaps from an unsuccessful
installpatch) directory still exists. The patch cannot be
backed out. If you must restore old versions of the patched
files, you may have to restore them from the initial
installation CD.
Message:
This patch was obsoleted by patch .
Patches must be backed out in the order in
which they were installed. Patch backout aborted.
Explanation and recommended action: You are attempting to backout
Patches out of order. Patches should never be backed-out out
of sequence. This could undermine the integrity of the more
current patch.
Message:
Patch was installed without backing up the original
files. It cannot be backed out.
Explanation and recommended action: Either the -d option of
installpatch was set when the patch was applied, or the save
area of the patch was deleted to regain space. As a result, the
original files are not saved and backoutpatch cannot be used.
The original files can only be recovered from the original
installation CD.
Message:
pkgrm of package failed return code .
See /var/sadm/patch//log for reason for failure.
Explanation and recommended action: The removal of one of
patch packages failed. See the log file for the reason for
failure. Correct the problem and run the backout script again.
Message:
Restore of old files failed.
Explanation and recommended action: The backout script uses the
cpio command to restore the previous versions of the files
that were patched. The output of the cpio command should
have preceded this message. The user should take the
appropriate action to correct the cpio failure.
KNOWN PROBLEMS:
On client server machines the patch package is NOT applied
to existing clients or to the client root template space.
Therefore, when appropriate, ALL CLIENT MACHINES WILL NEED
THE PATCH APPLIED DIRECTLY USING THIS SAME INSTALLPATCH
METHOD ON THE CLIENT. See instructions above for
applying patches to a client.
A bug affecting a package utility (eg. pkgadd, pkgrm, pkgchk)
could affect the reliability of installpatch or backoutpatch
which uses package utilities to install and backout the patch
package. It is recommended that any patch that fixes package
utility problems be reviewed and, if necessary, applied before
other patches are applied. Such existing patches are:
100901 Solaris 2.1
101122 Solaris 2.2
101331 Solaris 2.3
SEE ALSO
pkgadd, pkgchk, pkgrm, pkginfo, showrev, cpio