Patch-ID# 116405-01 Keywords: unlabeled hardened network tcp Synopsis: Trusted_Solaris_8_HW_12/02: tcp patch Date: Oct/31/2003 Install Requirements: Additional instructions may be listed below Reboot after installation Solaris Release: Trusted_Solaris_8_HW_12/02 SunOS Release: Trusted_Solaris_8_HW_12/02 Unbundled Product: Unbundled Release: Xref: This patch available for x86 as patch 116406 Topic: Trusted_Solaris_8_HW_12/02: tcp patch Relevant Architectures: sparc BugId's fixed with this patch: 4894365 Changes incorporated in this version: 4894365 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: 116146-02 or greater Obsoleted by: Files included with this patch: /kernel/drv/sparcv9/tcp /kernel/drv/tcp Problem Description: 4894365 Request telnet not send - SYN/ACK/Rst downlabel during improper telnet Patch Installation Instructions: -------------------------------- Refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Trusted Solaris. Any other special or non-generic installation instructions should be described below as special instructions. For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- NOTE 1: Reboot the system after all the patches are installed. NOTE 2: To get the complete hardening feature for bug 4894365, one needs to install the following patches: 116142-02 (or newer) ip patch 116144-02 (or newer) inetinit patch 116146-02 (or newer) genunix_policy patch 116405-01 (or newer) tcp patch NOTE 3: To activate the complete hardening feature for bug 4894365: After installing 116144-02 (or newer), update /etc/init.d/inetinit by removing the pound sign (#) from the ndd entry: #/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1 This file may be updated after all 4 patches have been installed: 116142-02 (or newer) ip patch 116144-02 (or newer) inetinit patch 116146-02 (or newer) genunix_policy patch 116405-01 (or newer) tcp patch NOTE 4: It is recommended to save a copy of the /etc/init.d/inetinit file before removing 116144-01 (or newer). The installation of this patch will not preserve any user modifications made to the /etc/init.d/inetinit file after the patch is installed. A copy of the /etc/init.d/inetinit file is preserved before the patch installation is complete. The user should be aware after the patch is removed, the pre-patch version of /etc/init.d/inetinit file will not be restored to the system. The steps below assume the patch has been put into an ADMIN_LOW directory in /var/tmp and the patch file label is configured to ADMIN_LOW. Create a role which contains the Software Installation profile (typically admin role is assigned this profile) and whose label range includes the ADMIN_LOW label. All the steps in the patch installation should be executed at ADMIN_LOW. The patch should be owned by this role. 1) Login as a user authorized to assume a role that contains the Software Installation profile; typically the admin role. Assume that role. To verify the profile is assigned to the role, type: "profiles -l | grep patchadd". The result should be: /usr/sbin/patchadd uid=0, privs=all, label=admin_low 2) cd into /var/tmp and install the patch file. # cd /var/tmp # patchadd /var/tmp/ where is the patch number. Special Backout Instructions: ----------------------------- NOTE 1: Reboot the system after all the patches are removed. 1) Login as a user authorized to assume a role that contains the Software Installation profile; typically the admin role. Assume that role. To verify the profile is assigned to the role, type: "profiles -l | grep patchrm". The result should be: /usr/sbin/patchrm uid=0, privs=all, label=admin_low 2) Backout patch by typing: # patchrm where is the patch number. README -- Last modified date: Friday, October 31, 2003