OBSOLETE Patch-ID# 112240-13
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security encryption krb5 client authentication interfaces
Synopsis: Obsoleted by: 112240-14 SunOS 5.8_x86: Supplemental Encryption Kerberos V5: mech_krb5.so.1 patch
Date: Mar/24/2009
Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 8_x86
SunOS Release: 5.8_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 112390
Topic: SunOS 5.8_x86: Supplemental Encryption Kerberos V5: mech_krb5.so.1 patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6799884 6812087
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch: 109224-02 (or greater)
Obsoleted by:
Files included with this patch:
/kernel/misc/kgss/do_kmech_krb5
/usr/lib/gss/do/mech_krb5.so
/usr/lib/gss/do/mech_krb5.so.1
Problem Description:
6799884 pam_krb5 could allow authentication to an attacker's KDC
6812087 Solaris 8 fix for CR 6802931 requires a small portion of the 1.2.1 MIT resync code
(from 112240-12)
6473261 fail-over to master KDC when synchronization type errors are returned to the client
6496178 krb5 mech resends AS-REQ to the same KDC (master) after user enters a bad password
(from 112240-11)
5008950 fix for 4957406 is incomplete
4957406 NFS on kerberized file systems thinks I'm nobody
4860226 fix for 4786126 is incomplete
4786126 delegated credentials not provided to caller of gss_accept_sec_context
(from 112240-10)
6261685 security: buffer overflow, heap corruption in KDC
6284864 krb5_recvauth() may free memory twice under certain conditions
(from 112240-09)
4851952 krb5_os_localaddr() doesn't work correctly when multiple interfaces configured
(from 112240-08)
4807010 crash in the gssapi module
5055875 buffer overflow in (undocumented) auth_to_local rules
(from 112240-07)
4836676 bounds checks not in place for princs in krbv5
(from 112240-06)
4423818 krb5 mechanism validating the wrong encryption type field
4691352 multiple Kerberos vulnerabilities need to be fixed
(from 112240-05)
4526202 pam_krb5 auth can fail with multiple ftp sessions of same user
(from 112240-04)
4360141 kpasswd needs to be able to interface with MIT
(from 112240-03)
4677605 mech_krb5 patches need a dependency on the libgss patch
(from 112240-02)
4338622 buffer overrun vulnerabilities in Kerberos (SEAM)
(from 112240-01)
4496679 krb5 client authentication fails with 32 interfaces
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/123456-07

The following example removes a patch from a standalone system:

    example# patchrm 123456-07

For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Perform patch installation in single user mode. Reboot the system
        after patch installation.

NOTE 2: This is a patch for the domestic encryption kit-enhanced installation
        of Kerberos. If pkginfo -l SUNWpk does not show one of these two
        package versions, you will need the equivalent vanilla Kerberos
        patch, available as 112238 (or newer).

            PKGINST: SUNWk5pu with VERSION: 11.8.0,REV=1999.12.07.03.31
            PKGINST: SUNWk5pu.2 with VERSION: 11.8.0,REV=1999.12.07.03.31

NOTE 3: To correct several patch installation problems, please also install
        the following patch:

            108988-07 (or greater) patch for patchadd and patchrm

NOTE 4: To get the complete fix for Bug IDs 6799884 (pam_krb5 could allow
        authentication to an attacker's KDC) and 6812087 (Solaris 8 fix for
        CR 6802931 requires a small portion of the 1.2.1 MIT resync code),
        please also install the following patch:

            112238-15 (or greater) mech_krb5.so.1 and pam_krb5.so.1 patch
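
Added example (not part of Oracle's README): a shell check that the patch levels this README names are all present in `showrev -p` output, so a host is not left with only part of the fix for 6799884. The function names, the AWK variable and the sample output are assumptions made for illustration; on Solaris 8 set AWK=nawk.

```shell
#!/bin/sh
# Usage on a live host:  showrev -p | missing_patches
AWK=${AWK:-awk}        # assumption: any POSIX awk; use nawk on Solaris 8

# Minimum revisions, all taken from this README:
#   112240-13  this patch
#   109224-02  "Patches required with this patch"
#   108988-07  NOTE 3 (patchadd/patchrm)
#   112238-15  NOTE 4 (complete fix for 6799884 and 6812087)
REQUIRED="112240-13 109224-02 108988-07 112238-15"

# Reads `showrev -p` output on stdin, prints one line per unmet
# requirement, and returns 1 if anything is missing or too old.
missing_patches() {
    $AWK -v reqs="$REQUIRED" '
        BEGIN { n = split(reqs, req, " ") }
        $1 == "Patch:" {
            # $2 looks like 112240-13; remember the highest revision seen
            split($2, p, "-")
            if (!(p[1] in have) || p[2] + 0 > have[p[1]])
                have[p[1]] = p[2] + 0
        }
        END {
            for (i = 1; i <= n; i++) {
                split(req[i], r, "-")
                if (!(r[1] in have)) {
                    print req[i] ": not installed"; bad = 1
                } else if (have[r[1]] < r[2] + 0) {
                    printf "%s: only revision %02d installed\n", req[i], have[r[1]]
                    bad = 1
                }
            }
            exit bad + 0
        }'
}

# Constructed sample (not captured from a real host): 108988 is too old
# and 112238 is absent, so this host has only part of the fix.
sample_showrev() {
    cat <<'EOF'
Patch: 109224-02 Obsoletes:  Requires:  Incompatibles:  Packages: (pkg)
Patch: 108988-05 Obsoletes:  Requires:  Incompatibles:  Packages: (pkg)
Patch: 112240-13 Obsoletes:  Requires: 109224-02 Incompatibles:  Packages: SUNWk5pu
EOF
}
```

A later revision satisfies each check, so a host already on 112240-14 (which obsoletes this patch) passes the 112240-13 requirement.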
README -- Last modified date: Friday, November 9, 2012