Patch-ID# 114880-06
Keywords: sun ray update patch security
Synopsis: Sun Ray Server version 2.0 Patch Update
Date: Aug/30/2004

Install Requirements: Reboot after installation

Solaris Release: 8 9

SunOS Release: 5.8 5.9

Unbundled Product: Sun Ray Enterprise Server Software

Unbundled Release: 2.0

Xref:

Topic:

Relevant Architectures: sparc

BugId's fixed with this patch: 4369691 4433854 4759966 4775352 4781321 4792984 4810192 4810962 4813815 4817187 4825312 4825808 4828674 4833004 4834790 4836233 4838105 4838376 4838723 4839252 4839685 4840440 4841227 4841245 4841279 4841623 4841678 4842640 4842791 4842800 4844714 4847413 4847657 4849042 4850576 4855375 4857347 4858575 4863617 4874498 4877262 4878246 4881981 4889019 4890267 4894276 4898094 4902617 4905168 4907215 4913927 4917981 4931943 4934961 4937735 4942260 4944875 4945510 4954684 4958188 4958479 4959964 4959969 4959976 4960514 4963980 4965543 4965942 4965958 4967253 4976175 4977771 4979769 4980867 4985620 4992187 4992396 4994404 4995913 4997442 4997503 5003520 5006545 5009497 5010353 5010789 5012100 5013617 5013715 5014959 5016553 5024925 5028734 5028900 5039558 5041770 5043517 5043539 5046583 5047600 5048434 5049181 5049272 5053302 5054679 5057683 5057692 5057957 5061144 5061744 5063300 5063454 5064629 5066288 5066776 5068631 5069497 5073665 5076106 5079645

Changes incorporated in this version: 5063454 5066288 5068631 5053302 5064629 5069497 5073665 5076106 5079645 5049272 5066776 5039558 5028900 5061144 5063300

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/opt/SUNWut/gulogin.start
/etc/opt/SUNWut/loginGUI.start
/etc/opt/SUNWut/reaper.conf.template
/etc/opt/SUNWut/sessionTypes.props
/etc/opt/SUNWut/smartcard/ActivCardGoldJavaCard.cfg
/etc/opt/SUNWut/smartcard/JavaBadgeCAC.cfg
/etc/opt/SUNWut/smartcard/probe_order.conf
/etc/opt/SUNWut/tokenreader.start
/etc/opt/SUNWut/waitforprimary.start
/opt/SUNWut/bin/utaudio
/opt/SUNWut/cgi-bin/desktop
/opt/SUNWut/cgi-bin/log
/opt/SUNWut/kiosk/bin/utrootkiosk
/opt/SUNWut/lib/app-defaults/guloginGUI.res
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/guloginGUI
/opt/SUNWut/lib/libsrcom.so.2
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/libutjadmin.so
/opt/SUNWut/lib/libutscr.so.2
/opt/SUNWut/lib/libutsmon.so.1
/opt/SUNWut/lib/modules/Authxlation.jar
/opt/SUNWut/lib/modules/StartSession.jar
/opt/SUNWut/lib/modules/StartxlationSession.jar
/opt/SUNWut/lib/modules/TerminalId.jar
/opt/SUNWut/lib/nscloginGUI
/opt/SUNWut/lib/pixmaps/GUdefault.xpm
/opt/SUNWut/lib/pixmaps/GUsunray.xpm
/opt/SUNWut/lib/prototype/Xsetup.SUNWut.prototype
/opt/SUNWut/lib/prototype/Xstartup.SUNWut.prototype
/opt/SUNWut/lib/scloginGUI
/opt/SUNWut/lib/settings.jar
/opt/SUNWut/lib/sunray_get_user.so.1
/opt/SUNWut/lib/tokenreader.yuv
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevctl
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utdmsession
/opt/SUNWut/lib/utdtsession
/opt/SUNWut/lib/utgenpolicy
/opt/SUNWut/lib/utload
/opt/SUNWut/lib/utpamcfg
/opt/SUNWut/lib/utparalleld
/opt/SUNWut/lib/utprefs-helper
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/utsessiond
/opt/SUNWut/lib/utxexec
/opt/SUNWut/lib/utxinit
/opt/SUNWut/lib/utxset
/opt/SUNWut/lib/yuvfile
/opt/SUNWut/sbin/utdesktop
/opt/SUNWut/sbin/utfwadm
/opt/SUNWut/sbin/utresadm
/opt/SUNWut/sbin/utresdef
/opt/SUNWut/sbin/utuser
/usr/lib/secure/libc_ut.so
/usr/lib/secure/sparcv9/libc_ut.so
/usr/openwin/server/modules/ddxSUNWsunray.so.1

Problem Description:

5028900 NSCM login GUI should have maximum number of characters for username
5039558 Sunmc agent keeps dying on Sun Ray servers
5049272 logitech first mouse scroll wheel doesn't work
5053302 Mouse freezes in multihead operation
5061144 SRSS2.0; login failure with NSCM and native-LDAP
5063300 excessive .Xauthxxxxx files in /tmp cause NSCM login performance degradation
5063454 Default hardware revision string is "1", but should be "0".
5064629 Xsun crashes in cfb32SolidSpansCopy on Sunray 2.0
5066288 Debug print doing lines affects graphics performance.
5066776 Firmware should support SST flash
5068631 Dashed lines have performance and correctness problems
5069497 logitech MouseMan Plus does not work
5073665 x11perf -dline100 renders incorrectly when window is partially obscured
5076106 Wavelet quantization needs to be tuned to be as visually lossless as possible
5079645 more scroll wheel mouse regressions

(from 114880-05)

5041770 Add support for 1400x1050 resolution for Tadpole Comet
5043517 CAC/JavaBadge cards with usernames longer than 9 characters cannot login
5043539 utaudio cpu consumption is increased 20 fold from patch 2 to 3
5046583 DTU may reset when audiokeys are pressed
5047600 Compression strategy sometimes uses wavelets inappropriately
5048434 Multihead problem with windowpane on non primary monitor.
5049181 X server crashes in newtCachePolyText8
5054679 installation of SR2.0 patch 114880-04 causes 'utgstatus' segmentation fault
5057683 interrupt transfer descriptors are requeued with incorrect length
5057692 microsoft intellimouse 2.0 wireless tilt scroll wheel combo mouse does not work
5057957 Text rendering through font cache clips entire line at screen edge.
5061744 security: screenlock not available on detach after login on TSol

(from 114880-04)

4759966 utdevmgrd: getting double mapping error messages and incorrect $UTDEVROOT link
4775352 Second screen in MH config goes blank on its own
4838376 cannot issue CLEAR_FEATURE command on USB bulk endpoint
4841245 Random port selections aren't random enough
4842800 utaudio and utxset don't do bw management properly
4847413 Screen update does not occur when flipping screens
4847657 Rasterop lines are drawn twice
4849042 Group manager segment violation when too many interfaces are configured
4850576 Degenerate multihead breaks and remakes connection when switching screens
4857347 forceInsert property is not cleared until the next redirection
4917981 Add keyboard, mouse, monitor to card reader and you can bypass security policy
4937735 double ldap_value_free() call in ut_incGeneration()
4942260 Firmware upgrades fail over high latency, lbw connections
4944875 Need to explicitly request vendor parameters
4945510 utload can't load firmware to Copernicus hardware or to multihead secondaries
4954684 Firmware load icon can display incorrect FW server
4958479 ut_check_name needs to be public
4960514 Sun Ray 1G needs normal blanking interval 1600x1200 at 60 Hz timing
4963980 Need server-side support for 1600x1200@60 VESA timing
4965543 Sun Ray DTUs don't work behind NAT gateways
4965942 svclib/svcs needs to use unique ut_ naming for register callbacks.
4965958 usblib returns incorrect value for I/O calls when length exceeds MAX_DATA
4967253 DHCP lease renewal algorithm is flawed
4976175 X server crashes in newtPolyFillRect
4977771 Load Balancing doesn't work properly in LAN deployment of SRS2.0
4979769 rendering issues on SR1G
4980867 Icons don't show up at all on a P7 based SR100
4985620 USB mass storage service needs to know display ID
4992187 svclib device struct missing certain device descriptor fields
4992396 authd not responding to callback requests
4994404 server side OSD icons change to 26D after some time
4995913 sunray firmware closes tcp connection unnecessarily
4997442 device link name generation should be consistent
4997503 long delay between card insertion and PIN loginGUI.
5003520 Recursive mutex locking in processing callme causes false deadlock detection
5006545 Loss of network connection is not reported quickly enough
5009497 Scrolling of a textedit window continues after button release
5010353 Crossing screens in degenerate mode can cause the mouse to hang
5010789 Add support for Quatech DSU-100 devices
5012100 scbus library always passes UID=0 to DM
5013617 mouse freezes when dragging windows across multiheads
5013715 set boot protocol is missing for some mice devices
5014959 X server font cache disables itself on output disable/reenable
5016553 X server calls ALP rendering functions from a signal handler
5024925 SunRayServer 2.0 failover groups fail
5028734 firmware needs to support short reads for control transfers

(from 114880-03)

4889019 Card Recognition fails at times on P4 hardware
4902617 Provide firmware support for Sunray Plus (P7) models
4905168 Oberthur cards don't work with on SunRays
4913927 Unable to read ATR on P4 boards.
4931943 Firmware returns wrong data for some APDUs
4934961 The audio quality from Sunray is quite poor.
4958188 tmds pll programming on SR 1g incorrect
4959964 SRCOM library needs to support PC/SC
4959969 scbus library has terminal list race condition
4959976 Update smartcard config file to extract username from CAC

(from 114880-02)

4369691 Firmware info displayed in GUI/CLI for DTU is confusing to user.
4781321 SunRay Module causes SunMC agent VM to grow
4792984 pam.conf update ignores existing pam entries for dtlogin/dtsession
4834790 Firmware returns wrong data for return code 0x63XX during an APDU transaction.
4838105 utuser -p $CORONA_TOKEN sometimes fails when raw token is JavaBadge
4855375 Load balancing takes too long to even out unbalanced load.
4858575 /usr/lib/libc_ut.so library's stat routine seg. faults at NULL file argument
4863617 ut_isServerAlive SEGFAULTS if server times out
4877262 GNC vulnerability in non-default session types
4878246 off-by-one memory write in library key/value code
4881981 Admin library calls use multithread unsafe system calls.
4890267 New Quatech SSU-100 devices (PID 0xC020) not working with SunRays
4894276 Sun Ray firmware responds to arbitrary multicast ping
4898094 Freed memory is being referenced later in the code.
4907215 utinfo::issuePropertiesCallback() should block for connected

(from 114880-01)

4433854 Sometimes smartcard removal is not detected and session stays active
4810192 X server rendering cleanup
4810962 A forceInsert on redirect should carry forward the redirectProps values
4813815 username property does not get carried along for redirects to non-trusted hosts
4817187 Minor mathematical manipulation mitigates multihead mouse mispositioning
4825312 CAM/kiosk session does not restart after logout on fast hardware
4825808 Javabadge smartcards are sometimes recognized as OpenPlatform cards.
4828674 sunray_get_user.so does not work correctly if stacked multiple times
4833004 Determine the home server for a DTU
4836233 Lazy Authentication, authd should push authentication to as late as possible
4838723 Remove the acceptRedirectToken property from auth.props
4839252 SRSS2.0; outline of StarOffice window remains
4839685 X server drops to lbw limit when packets are lost
4840440 postpatch script needs to handle LAN case for utfwadm
4841227 Bad processing after lost packet causes bad command interpretation
4841279 utfwadm -N all with no LAN subnets gives bogus errors
4841623 Need a new PAM module to get username information
4841678 utfwadm -A -a -N all does not work
4842640 Need utility interfaces for lazy auth (sunray_get_user)
4842791 Redirection from server doing encryption to one that's not fails
4844714 Add DHCP XDM option to specify Sun Ray server list
4874498 Sun/Fujitsu mouse rev(05c/06c) may fail to work in SunRay due to bad packets

Patch Installation Instructions:
--------------------------------

For Solaris 2.8 & 9 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine:

        example# patchadd /var/spool/patch/114880-06

The following example removes a patch from a standalone system:

        example# patchrm 114880-06

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

NOTE 1: To get the complete fix for 4642695, Solaris 8 users should also install 108940-46 (or later): Motif runtime library patch

NOTE 2: (for Trusted Solaris) To get the complete fix for 5061744 (TSOL bug 5026455), Trusted Solaris 8 HW 12/02 users should also install 116336-05 (or later): dtsession dtlogin patch

        Trusted Solaris 8 HW 7/03 users should install 117581-02 (or later)

        Also Trusted Solaris 8 HW 12/02 and 7/03 users should follow the "Post-Login Enhancement for Trusted Solaris" instructions in this README file.

Warnings & Errors
-----------------

** WARNING: This patch should only be applied to systems which have Sun Ray Server Software 2.0 fully installed. Do not attempt to add this patch to the UFS image to be applied as part of the install process **

** WARNING: Unconfiguring the Sun Ray Server Software before removal of this patch may lead to error messages and/or removal failure **

WARNING: Login behavior for Non-SmartCard Mobility sessions is slightly different, see the following section on LAN Security Enhancement.

LAN Security Enhancement
------------------------

LAN Security for Non-SmartCard Mobility (NSCM) has been improved, and this results in a very slightly different user experience when logging in, which users may wish to be prepared for.

The property acceptRedirectTokens in /etc/opt/SUNWut/auth.props no longer exists. Instead, normal login for NSCM now may redirect a user after the username is entered and before the password-entry screen is presented. This results in final authentication occurring on the server where the user's session will be accessed or created.

This has two user-visible effects, when contrasted to the previous default case where acceptRedirectTokens=false:

1. Users will never need to enter their username and password twice.

2. After entering the username, the NSCM screen will disappear and some Sun Ray On Screen Display (OSD) icons will briefly appear while the Sun Ray is being redirected to the correct server, after which the NSCM screen for "Enter password" will appear. Note that type-ahead will no longer function during this interval. The user must now wait for the password-entry screen to be drawn before typing their password.

It is hoped that this should not present a significantly different login experience to users, while providing increased security.

Post-Login Enhancement for Trusted Solaris
------------------------------------------

On Trusted Solaris systems that require the fix for bug 5061744 (TSOL bug 5026455), besides installing the necessary patches in NOTE 4, the administrator should create a file /etc/opt/SUNWut/reaper.conf containing the following lines:

        REAPER_TIMEOUT=0
        REAPER_DEFER_DISARM=1

Please review the file /etc/opt/SUNWut/reaper.conf.template for additional details.

Sun Ray Firmware Upgrades
-------------------------

This patch includes firmware updates for Sun Ray appliances. The updated firmware will be loaded by your Sun Ray appliances through the usual Sun Ray firmware download mechanism. The firmware changes are independent of the Sun Ray Server Software changes but are delivered in this patch for your convenience.

If this patch is being applied to servers configured into a Sun Ray failover group it must be applied to all servers in the group at your earliest convenience. While some members of the group remain unpatched the restart time of your Sun Ray appliances may be noticeably longer than usual. The increased restart time can be avoided by taking the action described in step 1 below.

The following additional steps are required when adding this patch on a live system:

        (before applying patch to system)
        1. (optionally) Suppress firmware downloads from all servers in a Sun Ray failover group
        2. Stop Sun Ray services on the server being patched
        (after applying patch)
        3. Reboot the Sun Ray server

To remove this patch, carry out these steps in the following order:

        (before removing the patch)
        1. (optionally) Suppress firmware downloads from all servers in a Sun Ray failover group
        2. Stop Sun Ray services on the server being patched
        (after removing the patch)
        3. Reboot the Sun Ray server

Detailed Steps
--------------

1. Suppress firmware downloads

If the server being patched is not a member of a Sun Ray failover group you should skip this step. If the server being patched is a member of a Sun Ray failover group then this step is optional but is strongly recommended.

At Patch Installation
---------------------

Before adding this patch to servers configured into a Sun Ray failover group we advise that you disable Sun Ray firmware delivery from all unpatched hosts in the failover group.

On each host in the group:

For each of the dedicated network interconnects:

        $ /opt/SUNWut/sbin/utfwadm -a -D -n

For each of the shared subnetwork interconnects:

        $ /opt/SUNWut/sbin/utfwadm -a -D -N

Do this only one time, before adding this patch to any server in the group. The purpose of this step is to prevent unpatched servers from offering old firmware to Sun Ray appliances that have already accepted the new firmware delivered with this patch.

If this patch is being applied to a Sun Ray failover group then omitting this step may result in increased restart times for your Sun Ray appliances. (A mixture of patched and unpatched servers advertising conflicting firmware versions may cause the appliance to download new firmware each time it restarts. The appliance automatically restarts itself after downloading fresh firmware so its overall restart cycle is longer in that case. The appliance may restart itself several times before establishing or reconnecting to a session.)
The Sun Ray restart time will return to normal once the patch has been added to all servers in the failover group.

At Patch Removal
----------------

Before removing this patch from servers configured into a Sun Ray failover group we advise that you disable firmware delivery from any hosts in the failover group that have this patch installed.

On each already-patched host in the group:

For each of the dedicated network interconnects:

        $ /opt/SUNWut/sbin/utfwadm -a -D -n

For each of the shared subnetwork interconnects:

        $ /opt/SUNWut/sbin/utfwadm -a -D -N

Do this only one time, before removing this patch from any of the already-patched servers in the group. The purpose of this step is to prevent already-patched servers from offering new firmware to Sun Ray appliances.

If this patch is being removed from a Sun Ray failover group then omitting this step may result in increased restart times for your Sun Ray appliances. (A mixture of patched and unpatched servers advertising conflicting firmware versions may cause the appliance to download new firmware each time it restarts. The appliance automatically restarts itself after downloading fresh firmware so its overall restart cycle is longer in that case. The appliance may restart itself several times before establishing or reconnecting to a session.)

The Sun Ray restart time will return to normal once the patch has been removed from all servers in the failover group.

2. Stopping Sun Ray services and login sessions

Before applying this patch to a Sun Ray server or removing this patch from a Sun Ray server all users should be logged out of their Sun Ray sessions. Stop the Sun Ray services using the following command:

        $ /etc/init.d/utsvc stop

This command will terminate any Sun Ray sessions that were not already logged out.

Next, add or remove the patch using the instructions outlined above in the section "Patch Installation Instructions".
Adding the patch automatically prepares the server to advertise new firmware to your Sun Ray appliances. Removing the patch automatically prepares the server to revert to advertising pre-patch firmware to your Sun Ray appliances.

3. Rebooting the Sun Ray server

The Sun Ray server must be rebooted after the addition or removal of the patch.

README -- Last modified date: Monday, August 30, 2004
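
To confirm that the complete fix for 5061744 (NOTE 2 plus the "Post-Login Enhancement for Trusted Solaris" section) is in place, the following added example, which is not part of the original README, checks saved `showrev -p` output for the minimum patch revisions and checks reaper.conf for the two required settings. The function names, the sample data and the treatment of reaper.conf as KEY=value lines with `#` comments are assumptions of this example; it expects a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the README): verify the complete fix for 5061744.

# patch_at_least BASE MINREV: read `showrev -p` output on stdin; succeed if
# patch BASE is installed at revision MINREV or later.
patch_at_least() {
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base && id[2] + 0 >= min + 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# conf_value FILE KEY: print the value of the last uncommented KEY=value line
# (KEY=value syntax with '#' comments is an assumption of this example).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) val = substr(line, n + 1)
        }
        END { print val }' "$1" 2>/dev/null
}

# check_fix REVS CONF HW: REVS is a file of saved `showrev -p` output, CONF the
# reaper.conf path, HW the Trusted Solaris 8 release ("12/02" or "7/03").
check_fix() {
    revs=$1 conf=$2 rc=0
    case $3 in
        12/02) dt=116336 dtmin=05 ;;
        7/03)  dt=117581 dtmin=02 ;;
        *) echo "unknown HW release: $3" >&2; return 2 ;;
    esac
    patch_at_least 114880 06 < "$revs" || { echo "MISSING 114880-06 or later"; rc=1; }
    patch_at_least "$dt" "$dtmin" < "$revs" || { echo "MISSING $dt-$dtmin or later"; rc=1; }
    [ "$(conf_value "$conf" REAPER_TIMEOUT)" = 0 ] ||
        { echo "REAPER_TIMEOUT is not 0 in $conf"; rc=1; }
    [ "$(conf_value "$conf" REAPER_DEFER_DISARM)" = 1 ] ||
        { echo "REAPER_DEFER_DISARM is not 1 in $conf"; rc=1; }
    return $rc
}

# Constructed sample: Sun Ray patch current, dtsession patch one revision short.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'Patch: 114880-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample' \
        'Patch: 116336-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample' \
        > "$tmp/revs"
    printf '%s\n' '# constructed' 'REAPER_TIMEOUT=0' 'REAPER_DEFER_DISARM=1' > "$tmp/reaper.conf"
    check_fix "$tmp/revs" "$tmp/reaper.conf" 12/02; drc=$?
    rm -rf "$tmp"
    return $drc
}
demo || echo "complete fix for 5061744 is NOT in place"
```

On a live server, save the output of `showrev -p` to a file and pass that file, /etc/opt/SUNWut/reaper.conf and the hardware release to `check_fix`.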