Patch-ID# 112908-16
Keywords: security encryption international gl_kmech_krb5 kerberos krb5
Synopsis: SunOS 5.9: krb5 shared object Patch
Date: Sep/27/2004

******************************************************
The items made available through this website are subject to United States
export laws and may be subject to export and import laws of other countries.
You agree to strictly comply with all such laws and obtain licenses to export,
re-export, or import as may be required. Unless expressly authorized by the
United States Government to do so you will not, directly or indirectly, export
or re-export the items made available through this website, nor direct the
items therefrom, to any embargoed or restricted country identified in the
United States export laws, including but not limited to the Export
Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

Install Requirements: Install in Single User Mode
                      Reboot immediately after patch is installed

Solaris Release: 9

SunOS Release: 5.9

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 113990

Topic: SunOS 5.9: krb5 shared object Patch

***********************************************************
NOTE: This patch may contain one or more OEM-specific platform ports.
See the appropriate OEM_NOTES file within the patch for information
specific to these platforms. DO NOT INSTALL this patch on an OEM system
if a corresponding OEM_NOTES file is not present (or is present, but
instructs not to install the patch), unless the OEM vendor directs otherwise.
***********************************************************

Relevant Architectures: sparc sparc.sun4u

BugId's fixed with this patch: 4197937 4220042 4430138 4516537 4521000
                               4526202 4630574 4642879 4657596 4666887
                               4671577 4690212 4691352 4711993 4727224
                               4743181 4744280 4794436 4807010 4830044
                               4836676 4837278 4841013 4846024 4847827
                               4865664 4881066 4882946 4995543 5004688
                               5055875 5063407

Changes incorporated in this version: 4807010 4837278 4865664 5055875 5063407

Patches accumulated and obsoleted by this patch: 112726-03

Patches which conflict with this patch:

Patches required with this patch: 112907-03 or greater

Obsoleted by:

Files included with this patch:

/kernel/misc/kgss/do_kmech_krb5
/kernel/misc/kgss/gl_kmech_krb5
/kernel/misc/kgss/sparcv9/do_kmech_krb5
/kernel/misc/kgss/sparcv9/gl_kmech_krb5
/platform/sun4u/kernel/misc/kgss/gl_kmech_krb5
/platform/sun4u/kernel/misc/kgss/sparcv9/gl_kmech_krb5
/usr/lib/gss/gl/abi/abi_mech_krb5.so.1
/usr/lib/gss/gl/abi/sparcv9/abi_mech_krb5.so.1
/usr/lib/gss/gl/mech_krb5.so.1
/usr/lib/gss/gl/sparcv9/mech_krb5.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so
/usr/lib/security/pam_krb5_migrate.so.1
/usr/lib/security/sparcv9/pam_krb5.so.1
/usr/lib/security/sparcv9/pam_krb5_migrate.so.1

Problem Description:

Respun to correct a pkg version string mismatch.

(from 112908-15)

4807010 Crash in the gssapi module
4837278 Kerberos utilities should include automigrate capability
5055875 buffer overflow in (undocumented) auth_to_local rules
4865664 gssapi/krb5 may hang with corrupted data
5063407 memory corruption between decode_krb5_ap_req() and krb5_gss_accept_sec_context()

(from 112908-14)

This patch was respun to require patch 112907-03

(from 112908-13)

4995543 pam_krb5.so.1 from 112908-12 causes SEGV when using *su* or dtsession lock
5004688 Kerberos patch 112908-12 causes user passwords to be logged in clear text

(from 112908-12)

4794436 strict TGT verification in pam_krb5 should be configurable
4430138 pam_krb5 has wrong return codes for some service module function
4516537 pam_krb5 does not conform to the PAM standards set forth in pam(3PAM)
4711993 mech_krb5: memory caching MUST be enabled in kerberos mech
4841013 krb5 memory cache code should use mktemp instead of mkstemp
4846024 krb5 err msg: login: /tmp/krb5cc_35224 owned by 35224 instead of 0
4881066 pam_krb5 setcred function causes BUS error due to incorrectly freed memory

(from 112908-11)

4882946 GSS_C_NO_BUFFER: gss_init_sec_context gives an Error code

(from 112908-10)

4836676 Bounds checks not in place for princs in krbv5

(from 112908-09)

4847827 Kerberos patch 112908-07 Error verifying TGT with host, Bad encryption type

(from 112908-08)

4830044 pam_krb5 needs to be repository aware

(from 112908-07)

4630574 pam_krb5 should not reimplement utility functions and use libpam utilities
4743181 gss/kerberos frees a buffer returned to caller

(from 112908-06)

4727224 user application hangs at rpc_gss_seccreate()
4744280 gss_display_status() always returning error

(from 112908-05)

4526202 pam_krb5 auth can fail with multiple ftp sessions of same user

(from 112908-04)

4521000 krb5_gss_wrap_size_limit() does not work
4671577 mech_krb5.so should expose krb5_c_verify_checksum function
4691352 Multiple Kerberos vulnerabilities need to be fixed

(from 112908-03)

4666887 decrypt_as_reply can cause SEGV when request is NULL.

(from 112908-02)

4657596 passwd aging fix does not work for passwords greater than 8 characters.
4690212 krb5/gss nfs users all getting mapped to user nobody

(from 112908-01)

This patch revision was generated to accumulate and obsolete the changes
introduced in Solaris Update: s9u1 feature point patch: 112726-03

(from 112726-03)

This patch revision was generated to fix the Stab table problem in the
previous revision.

(from 112726-02)

This patch revision was generated to synchronize the package version string
between s9 and s9u1

(from 112726-01)

4642879 Kerberos Mechanism Re-sync with MIT 1.2.1
4197937 gss_init_sec_context() doesn't set GSS_C_TRANS_FLAG
4220042 "kadmin: add_principal -expire "9/1/1999 7:00am" xhu" doesn't work

Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7-9 releases, refer to the man pages for instructions on
using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
NOTE 1: To get the complete Kerberos feature, please also install the
        following patches:

        112921-01 (or newer) adm5
        112922-01 (or newer) krb5 lib
        112923-01 (or newer) usr lib krb
        112924-01 (or newer) usr sbin krb
        112925-01 (or newer) util admin

NOTE 2: To get the complete fix of bug 4836676 "Bounds checks not in place
        for princs in krbv5" please also install the following patches:

        112925-03 (or newer) kdb5_util
        112923-03 (or newer) krb5kdc
        112921-02 (or newer) libkadm5srv.so.1

NOTE 3: To get the complete fix of bug 4807010, please also install the
        following patch:

        117177-01 (or newer) GSS-API patch

NOTE 4: To get the complete fix of bug 4837278, please also install the
        following patches. Note that not all patches listed in this section
        as needed for the completion of a fix or feature may be available at
        the same time as this patch. This method of staggered patch releases
        allows other fixes/features to be made available sooner.

        112925-04 (or newer) kerberos utilities patch
        112921-05 (or newer) libkadm5 patch

README -- Last modified date: Monday, September 27, 2004
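The hard prerequisite ("112907-03 or greater") and the companion patches of NOTE 1 through NOTE 4 can be verified against a host's patch database before this patch is applied. The POSIX shell script below is an added example, not part of Sun's README: it parses output in the format of `showrev -p` (a constructed sample is embedded here, labelled as such; the format itself is an assumption about Solaris 9 output), and for each patch id it requires the highest revision any note asks for, reporting what is missing or too old.

```shell
#!/bin/sh
# Constructed sample in the format printed by `showrev -p` on Solaris 9 (not
# real system output); on a live host use "$(showrev -p)" instead.
SAMPLE_SHOWREV='Patch: 112907-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 112921-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 112922-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 112922-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 112925-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 112908-16 Obsoletes: 112726-03 Requires: 112907-03 Incompatibles:  Packages: SUNWkrbu'

# Prerequisites taken from this README: the hard requirement 112907-03 plus
# the NOTE 1-4 companions, each at the highest revision any note asks for.
REQUIRED_PATCHES="112907-03 112921-05 112922-01 112923-03 112924-01 112925-04 117177-01"

# installed_rev <showrev output> <patch base id>: prints the highest installed
# revision of that patch as a plain integer, nothing if none is installed.
installed_rev() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max) print max }'
}

# patch_ok <showrev output> <id-rev>: succeeds when the patch is installed at
# that revision "or greater". Leading zeros are stripped for decimal compare.
patch_ok() {
    base=${2%-*}
    need=${2#*-}; need=${need#0}
    have=$(installed_rev "$1" "$base")
    if [ -n "$have" ] && [ "$have" -ge "$need" ]; then
        return 0
    fi
    return 1
}

# check_prereqs <showrev output>: prints the required patches that are absent
# or too old, space separated; empty output means all are satisfied.
check_prereqs() {
    missing=""
    for req in $REQUIRED_PATCHES; do
        patch_ok "$1" "$req" || missing="$missing $req"
    done
    printf '%s\n' "${missing# }"
}

echo "Install or update before 112908-16: $(check_prereqs "$SAMPLE_SHOWREV")"
```

With the sample above the script reports 112921-05, 112923-03, 112924-01, 112925-04 and 117177-01 as outstanding, while 112907-03 and 112922 (installed at revision 02) pass.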