Patch-ID# 107132-01 Keywords: y2000 upgrade 3.0b SP8 build_3083 Synopsis: Solstice FireWall-1 3.0b (Service Pack 8): Upgrade Patch (Non-VPN) Date: Feb/02/99 Solaris Release: 2.5 2.5.1 2.6 SunOS Release: 5.5 5.5.1 5.6 Unbundled Product: FireWall-1 Unbundled Release: 3.0b Relevant Architectures: sparc BugId's fixed with this patch: Changes incorporated in this version: Patches accumulated and obsoleted by this patch: 105817-10 Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: bin/fw bin/fwconfig bin/fwui bin/router_load conf/fwopsec.conf conf/objects.patched conf/omi.conf conf/slapd.conf lib/base.def lib/code.def lib/control.map lib/formats.def lib/fwui_head.def lib/setup.C lib/snmp/mib.txt lib/snmp/mib4.txt lib/snmp/chkpnt.mib lib/snmp/acl.conf lib/snmp/context.conf lib/snmp/party.conf lib/snmp/view.conf lib/snmp/wellfleet.mib lib/snmp.def lib/table.def lib/traps.def modules/fwmod.5.x.o Problem Description: Security Servers ---------------- 1. Fixed a memory leak in SMTP when using MIME stripping. 2. Fixed a bug in the SMTP daemon where error mails were deleted from the spool directory if a server was unreachable, if the 'Notify sender on error' option was checked. 3. Fixed a bug which could cause the HTTP security server to crash when using URI resources with accounting and long URLs. 4. Fixed a bug in the handling of replacement URL which could cause delays in the appearance of the authentication prompt, depending on the length of the replacement URL. The default maximal length for replacement URL is 2048. This length can be configured by editing the value of the property :http_max_url_length in $FWDIR/conf/objects.C. 5. Fixed a bug that was introduced in Service Pack 3078, where the HTTP daemon would crash when using POST operations (e.g. sending out web forms). 6. Fixed bug in accounting for HTTP resources with 'accept outgoing packets' first. 7. In the HTTP security server made the match of the scheme (e.g. HTTP ) and the method (e.g. GET) case insensitive. 8. Fixed a bug on UNIX platforms, where the in.telnetd process was orphaned after the connection is closed in backward compatilibility mode when using user authentication with the FireWall as the destination. 9. Corrected handling of multiple simultaneous SecurID authentication sessions. Multiple users can now authenticate concurrently using SecurID. 10. To control the timeout when the security server gives up on connecting the destination server, you may now define (or modify) the au_connect_timout property in objects.C to specify the requested timeout (default is 10 seconds if no such property is specified). Encryption ---------- 1. Fixed bug in defragmentation which could cause connections to hang when using SKIP with large packets. 2. Enlarged the stack used on Solaris to prevent kernel crashes when using SKIP. 3. Fixed bug where connections were incorrectly rejected when using SKIP with ESP only or AH only and with User Authentication on the decrypt side, 4. Fixed a bug where SKIP 1.1 would not work on NT for some keys exported from Solaris. 5. Enabled multiple Gateway tunnels so that the Gateway can connect to two sites using Manual IPSEC. 6. Fixed the way decryption is handled in Manual IPSEC to prevent crashes. 7. Corrected logs to reflect if AH or ESP were used alone in Manual IPSEC, instead of always showing that they were used together. 8. Fixed bug in fwz encapsulation problem between SecuRemote 4.0 and FireWall 3.0. on all platforms except HP, where the problem still exists. 9. Fixed a bug which could cause the FireWall to crash when on a SecuRemote client the expiration timeout for the password was set to zero. 10. Dropped support for RC4 in Manual IPSEC, since connectivity is not guaranteed in this mode. GUI Client ---------- 1. Fixed a bug in the handling of nested user groups. When an item was deleted from an included group, the including group was not updated correctly. 2. Fixed Year 2000 bugs in select and find functions in the Log Viewer. With this fix, all known Year 2000 limitations on FireWall-1 3.0b are closed. 3. On Dual CPU machines, fixed a bug which prevented the GUI client and the Management from working when both were installed on the same machine. 4. Corrected GDI (specifically bitmaps) allocation which could cause the GUI client to get stuck on Win95 when working with very large rulebase. 5. When fetching interfaces for a network object, if a fetched interface existed previous to the fetch its definition will now be overriden by the result of the fetch. 6. It is no longer permitted to enter a drive prefix to the file name (e.g. 'a:filename') when using 'save as' for a policy. 7. Disabled the use of address range objects in the security policy rulebase. It is still available for defining NAT rules. OpenLook GUI ------------ 1. Fixed a bug where the values "Mail server" and "Error handling server" were not shown in the OpenLook GUI, although they were defined in objects.C. Router Management (RSC/SRE) --------------------------- To define "any" in the port field - enter ">0". Note that "<=", ">=" are currently illegal. source-port-from allows only "m", and source-port-to allows only "n", and the meaning is always the same as "m-n" in the port field. To put "any" in the source port, leave both source-port-from and source-port-to empty. 1. On Cisco, 3com and Steelhead routers, using the predefined RIP service produced incorrect access lists for that service. A RIP rule can now be correctly defined either from the access-list properties or from the rule-base editor. 2. Fixed a bug where using the format 'n" : Bigger than n, but not n "m-n" : between m and n, include m and n. "n" : only n To define "any" in the port field - enter ">0". "<=", ">=" are currently illegal. source-port-from allows only "m", and source-port-to allows only "n", and the meaning is always the same as "m-n" in the port field. To put "any" in the source port, leave both source-port-from and source-port-to empty. 3. Fixed a bug where on installation of a new policy the access list was uninstalled from a Bay router although the new policy had no rules to install on the router. Miscellaneous ------------- 1. Fix problem where 'fw lichosts' on HP was showing one month behind. 2. Removed from SNMP configuration files specific IP addresses which were being used as place holders. 3. Corrected the location of snmp_version and snmp_community_len in snmp.def. 4. Corrected the responses of the FireWall SNMP daemon. 5. Fixed file descriptor leak in Load Balancing, HTTP method. 6. When FireWall-1 is reconfigured using FwConfig on WinNT or fwconfig on UNIX platforms, if the change requires restarting the FireWall, only the daemons are now stopped instead of unloading the policy and disabling the FireWall module, as was done previously. 7. During the compilation of a policy, if conflicts are found between objects in the policy, the compilation will now fail where before only a warning message was given. 8. For FTP, match the PORT command in mixed case letters.. 9. Reduced the memory requirements for presenting kernel tables when using 'fw tab'. 10. For FireWall-1 Modules on Bay routers: updated the message describing the format for interfaces necessary for antispoofing to comply with Bay version 12.10 11. Fixed problem which prevented from synchronizing two FireWalls unidirectionally (i.e. FireWall A is updating B, but B is not updating A). Known Limitations: ------------------ 1. FWZ encapsulation problem exists between SecuRemote 4.0 and FireWall 3.0b for HPUX platforms. Note: To prevent the crashing of the Motif GUI due to unavailable colormap resources, this service pack includes a script - fwcolor_allocate - which starts a daemon that saves the colors for the GUI client (the daemon itself is part of the original Motif GUI installation). After installing the service pack, the fwcolor_allocate script can be found in $FWCLIDIR/bin. It should be executed prior to running the Motif GUI client. Usage: fwcolor_allocate [-display display_name] Patch Installation Instructions: -------------------------------- Refer to the Install.info file for instructios on using the each patch. Any other special or non-generic installation instructions should be described below as special instructions. Special Install Instructions: ----------------------------- 1. Important Note: If you have editted the control.map file in your FireWall-1 configuration, please note the following: This Service Pack includes a new control.map file which includes new configuration for OPSEC communications protocols.  Installing the Service Pack will Replace your existing control.map with the new one.  If you are not using OPSEC, you can replace the newly installed control.map with your old one. Otherwise you should manually merge the new control.map with your old one. 2. Issue 'fwstop' before installing the patch. 3. Use the generic 'installpatch' and 'backoutpatch' scripts provided with this patch. 4. If synchronization is wanted, change the following line: #define sync to: //#define sync ******************************************************************** IMPORTANT: This patch may not install properly unless the -u option is specified as follows: ./installpatch -u . ********************************************************************