Patch-ID# 112960-20
Keywords: security libsldap ldap_cachemgr ldap sigbus buffer libldap
Synopsis: SunOS 5.9: patch libsldap ldap_cachemgr libldap
Date: Oct/22/2004

Install Requirements: Install in Single User Mode
                      Reboot immediately after patch is installed

Solaris Release: 9

SunOS Release: 5.9

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 114241

Topic: SunOS 5.9: patch libsldap ldap_cachemgr libldap

Relevant Architectures: sparc

BugId's fixed with this patch:
4192824 4248430 4357827 4390053 4523936 4614945 4624458 4630226
4643366 4645604 4648140 4648146 4658569 4658625 4660019 4670947
4677591 4682120 4683522 4700602 4709300 4720818 4723361 4743707
4746114 4747441 4751386 4751394 4754634 4756113 4757282 4765506
4768140 4774607 4776571 4779333 4780109 4787488 4793719 4802414
4805635 4830406 4830525 4873939 4874749 4877796 4887906 4890233
4890303 4913437 4920444 4966423 4977110 4980441 4981868 4988859
5003953 5005602 5006801 5012514 5014993 5044522 5067333

Changes incorporated in this version: 5005602 5044522

Patches accumulated and obsoleted by this patch: 113152-01 113166-01 113476-13

Patches which conflict with this patch:

Patches required with this patch: 112874-06 or greater

Obsoleted by:

Files included with this patch:

/usr/include/ldap.h
/usr/lib/abi/abi_libldap.so.5
/usr/lib/abi/abi_libsldap.so.1
/usr/lib/abi/sparcv9/abi_libsldap.so.1
/usr/lib/ldap/ldap_cachemgr
/usr/lib/libldap.so.4
/usr/lib/libldap.so.5
/usr/lib/libpam.so.1
/usr/lib/libsldap.so.1
/usr/lib/llib-lldap
/usr/lib/llib-lldap.ln
/usr/lib/llib-lpasswdutil
/usr/lib/llib-lpasswdutil.ln
/usr/lib/llib-lsldap
/usr/lib/llib-lsldap.ln
/usr/lib/nss_ldap.so.1
/usr/lib/passwdutil.so.1
/usr/lib/security/pam_authtok_check.so.1
/usr/lib/security/pam_authtok_get.so.1
/usr/lib/security/pam_authtok_store.so.1
/usr/lib/security/pam_dhkeys.so.1
/usr/lib/security/pam_ldap.so.1
/usr/lib/security/pam_passwd_auth.so.1
/usr/lib/security/pam_unix_account.so.1
/usr/lib/security/pam_unix_auth.so.1
/usr/lib/security/sparcv9/pam_authtok_check.so.1
/usr/lib/security/sparcv9/pam_authtok_get.so.1
/usr/lib/security/sparcv9/pam_authtok_store.so.1
/usr/lib/security/sparcv9/pam_dhkeys.so.1
/usr/lib/security/sparcv9/pam_ldap.so.1
/usr/lib/security/sparcv9/pam_passwd_auth.so.1
/usr/lib/security/sparcv9/pam_unix_account.so.1
/usr/lib/security/sparcv9/pam_unix_auth.so.1
/usr/lib/sparcv9/libldap.so.4
/usr/lib/sparcv9/libldap.so.5
/usr/lib/sparcv9/libpam.so.1
/usr/lib/sparcv9/libsldap.so.1
/usr/lib/sparcv9/llib-lldap.ln
/usr/lib/sparcv9/llib-lpasswdutil.ln
/usr/lib/sparcv9/llib-lsldap.ln
/usr/lib/sparcv9/nss_ldap.so.1
/usr/lib/sparcv9/passwdutil.so.1

Problem Description:

5005602 ldapaddent does not work with iDS 5.2
5044522 Root is able to change user passwd if no of attempts > max_attempts in nis+.

(from 112960-19)

4981868 "passwd " with NIS+ backend chooses wrong uid/credentials for update

(from 112960-18)

5014993 user logins may fail when nsswitch compat mode is used with NIS+ or LDAP
5067333 S9 needs fix for 5036036

(from 112960-17)

4966423 RBAC exec_attr search in LDAP: everything's wild
4988859 passwd -g, -e, -h cause segfault
5003953 Logins to Solaris 9 NIS+ clients always talk to master even when it is down

(from 112960-16)

4913437 Changing password in NIS+ fails on S9 clients with "Permission denied"
5012514 'passwd ' fails as root on NIS+ systems
4980441 PAM module pam_dhkeys fails to retrieve changed credentials

(from 112960-15)

5006801 getprojent(3project) dumps core with LDAP project(4) database

(from 112960-14)

4977110 passwd doesn't work with compat entries in /etc/nsswitch.conf

(from 112960-13)

4890303 pam_ldap should return PAM_AUTH_ERROR instead of PAM_PERM_DENIED

(from 112960-12)

4920444 libldap.so.4 ber encoding memory corruption

(from 112960-11)

4523936 mountd memory leak when using Native LDAP

(from 112960-10)

4787488 ldapaddent can only add ethers or bootparams for the same hosts, not both.

(from 112960-09)

4643366 Groups with no members broken
4779333 ldap get*ent requests may free already freed memory
4780109 __ns_ldap_firstEntry may return a cookie that is freed
4830525 Buffer overflow in nss_ldap.so.1

(from 112960-08)

4802414 Client does not follow referral without hostname.
4658569 Following referrals does not work in all cases

(from 112960-07)

4757282 ldapclient init fails with SIGBUS if SSD's are > 15 in profile

(from 112960-06)

4624458 if hostname is used in NS_LDAP_SERVERS, ldap goes into loop
4723361 log messages when resolving hostname for ldap_server
4776571 Applications running on SSL enabled native ldap clients may crash at termination

(from 112960-05)

4751386 ether_ntohost() fails with rc 1 when resolving data from LDAP

(from 112960-04)

4720818 LDAP naming services fails when domainname is greater than 23 characters

(from 112960-03)

4357827 pam_ldap should fully support password aging
4677591 implement PSARC/2002/241 - PAM binding control flag
4660019 nss_ldap.so may return non '-1' values for getspnam()
4682120 get/set_item conversation function tracing needs improvement.
4658625 pam_framework doesn't trace pam_chauthtok PAM_TRY_AGAIN return.
4683522 pam_get_data tracing could improve.

(from 112960-02)

4614945 Memleak in getgrent() when using against Native Ldap.

(from 112960-01)

4645604 A race condition in ldap_cachemgr cause ldapclient to fail
4630226 __s_api_requestServer fails when ldap_cachemgr is updating the profile
4648140 libsldap fails when NS_LDAP_CACHETTL = 0
4648146 __ns_ldap_getParam returned incorrect value for the NS_LDAP_EXP parameter

(from 113476-13)

4887906 pam_sm_chauthtok() returns 13 (PAM_USER_UNKNOWN) if lastchg=0 for local users

(from 113476-12)

4890233 using 'use_first_pass' for pam_ldap does not work

(from 113476-11)

4746114 libpam internationalized messages are off by 1 for locale != C
4793719 pam_authtok_check.so.1::circ() too space-conservative
4805635 root may change enduser password in NIS+ without entering its own password
4877796 passwd (passwdutil) inadvertently resets aging information

(from 113476-10)

4873939 pam and compat does not work after applying patch 108993-18

(from 113476-09)

4874749 passwd -x modifies the lastchg field also in /etc/shadow file

(from 113476-08)

4765506 NIS+ password problems with Solaris 9
4768140 passwd core dumps when changing shell

(from 113476-07)

4774607 pam_ldap gets confused when root tries to change user's password

(from 113476-06)

4830406 passwdutil is too dumb to handle NIS+ subdomains correctly

(from 113476-05)

4743707 non-default nsswitch backends confuse passwdutil.so.1
4747441 pam_authtok_store does not map all the PWU errors to PAM errors
4751394 non decisive modules should not return PAM_SUCCESS
4754634 passwd command seg faults when updating user can't be authenticated to LDAP

(from 113476-04)

4756113 libc version number is incorrect in s9u2

(from 113476-03)

4709300 passwd fails if the pam_authtok_store service was specified with server_policy

(from 113476-02)

4670947 logins failing when NIS is backend for authentication

(from 113476-01)

This patch revision was generated to accumulate and obsolete
the changes introduced in Solaris Update: s9u2
feature point patches:
113152-01
113166-01

(from 113152-01)

4357827 pam_ldap should fully support password aging
4677591 implement PSARC/2002/241 - PAM binding control flag
4660019 nss_ldap.so may return non '-1' values for getspnam()
4682120 get/set_item conversation function tracing needs improvement.
4658625 pam_framework doesn't trace pam_chauthtok PAM_TRY_AGAIN return.
4683522 pam_get_data tracing could improve.

(from 113166-01)

4390053 crypt(3c) needs to interoperate with *BSD and Linux
4248430 RFE: NIS+ should support alternate encryption algorithms for the user password
4192824 newkey/chkey should use a configurable crypt() to encrypt the users password
4700602 crypt_gensalt should be version SUNW_1.22 instead of SUNW_1.21

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-9 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

    example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

NOTE 1: To get the complete Flexible Crypt feature, please also install
        the following patches:

        113475-01 (or newer) libsecurity crypt
        113480-01 (or newer) pam_unix Patch
        113481-01 (or newer) nispasswdd
        113482-01 (or newer) sbin/sulogin
        113483-01 (or newer) rpc.ypasswdd

NOTE 2: To get the complete fix for the bug 4765506, please install the
        following patch in addition to this patch:

        113319-14 (or newer) rpc.nispasswdd

NOTE 3: Migrating Your Sun Java System Directory Server

        Schema changes were implemented between the release of Sun Java
        System (formerly Sun ONE) Directory Server 5.1 and the release of
        Directory Server 5.2. ldapaddent now adds "objectclass: device"
        to the entries of ethers/bootparams. Therefore, if you choose to
        use the LDAP commands to migrate directory data from Directory
        Server 5.1 to 5.2, you must use ldapaddent -d to export data and
        ldapaddent to import data. Otherwise, if you use the Sun Java
        System Directory Server tools db2ldif and ldif2db to migrate data,
        you must apply Directory Server 5.2 with all patches before
        migrating the data or the data import could fail.

README -- Last modified date: Friday, October 22, 2004