Patch-ID# 109224-12

Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security gss api interfaces kpasswd mit kdcs rfc2744
Synopsis: SunOS 5.8_x86: kpasswd, and patch
Date: Sep/27/2013

Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 8_x86

SunOS Release: 5.8_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 109223

Topic: SunOS 5.8_x86: kpasswd, and patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR # Bug #

Changes incorporated in this version: 15724537 15725603

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:


Problem Description:

15724537 problem with Kerberos
15725603 problem with Kerberos
(from 109224-11)
6510866 libgss(3LIB) input checking needs to be improved
(from 109224-10)
6538001 KDC, kadmind stack overflow in krb5_klog_syslog (CVE-2007-0957)
(from 109224-09)
5014663 pam_krb5: auth prompts for password when principal does not exist
5025227 pam_krb5: auth returns PAM_AUTH_ERR in some cases instead of PAM_SYSTEM_ERR
6215066 kadm apps can not bind to kadmind if admin_server specifies port #
6246405 Solaris 9 (not Solaris 10) PAM stack will prompt for password twice with pam_unix & pam_krb5
6488352 non-Kerberos user attempting to change passwd with in pam.conf blanks passwd
(from 109224-08)
6410987 fix for 5008950 always causes last local user in gsscred table to be selected
6410919 patch 112908-24 will cause the kadmin -p kws/admin to exit with error message
(from 109224-07)
5008950 fix for 4957406 is incomplete
4957406 NFS on kerberized file systems thinks I'm nobody
4860226 fix for 4786126 is not complete
4786126 delegated credentials not provided to caller of gss_accept_sec_context
(from 109224-06)
4799173 GSSAPI_MECH_CONF environment variable should be removed
(from 109224-05)
4810632 kadmin -c <ccache> destroys the ccache when user quits the kadmin program
(from 109224-04)
4831653 pam_krb5 password aging causes a long delay if the admin_server is down
4838735 pam_krb5 not closing kadmin RPC sessions for pwd changes causing fd's to linger
(from 109224-03)
4829637 RFC2744 implementation in Kerberos Solaris 8 and 9/ Generic Security Service API
(from 109224-02)
4360141 kpasswd needs to be able to interface with MIT
(from 109224-01)
4308978 user level GSS-API Interfaces should be made public

Patch Installation Instructions:
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
       example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
       example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.

Special Install Instructions:
NOTE 1:  Install the patch in single user mode and do a reconfiguration
         boot (boot -r) immediately after patch installation.
NOTE 2:  To get the complete fix for these BugId's:
         5008950 fix for 4957406 is incomplete
         4957406 NFS on kerberized file systems thinks I'm nobody
         4860226 fix for 4786126 is not complete
         4786126 delegated credentials not provided to caller of
         please also install the following patch:
 	 112240-11 (or greater)  Supplemental Encryption Kerberos V5:

README -- Last modified date: Friday, September 27, 2013