OBSOLETE Patch-ID# 112390-14


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security encryption krb5 client authentication interfaces
Synopsis: Obsoleted by: 112390-15 SunOS 5.8: Supplemental Encryption Kerberos V5: mech_krb5.so.1 patch
Date: Mar/24/2009


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 8

SunOS Release: 5.8

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 112240

Topic: SunOS 5.8: Supplemental Encryption Kerberos V5: mech_krb5.so.1 patch

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #    Bug #
4338622     15025875
4360141     15034512
4423818     15055802
4496679     15077090
4526202     15086950
4677605     15106219
4691352     15109288
4786126     15135657
4807010     15142683
4836676     15152065
4851952     15156634
4860226     15159139
4957406     15186325
5008950     15199917
5055875     15213583
6261685     15262375
6284864     15271398
6473261     15351700
6496178     15362548
6799884     15538855
6812087     15545834


Changes incorporated in this version: 6799884 6812087

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 109223-02 (or greater)

Obsoleted by: 112390-15

Files included with this patch:

/kernel/misc/kgss/do_kmech_krb5
/kernel/misc/kgss/sparcv9/do_kmech_krb5
/usr/lib/gss/do/mech_krb5.so
/usr/lib/gss/do/mech_krb5.so.1
/usr/lib/gss/do/sparcv9/mech_krb5.so
/usr/lib/gss/do/sparcv9/mech_krb5.so.1
/usr/lib/sparcv9/gss/do/mech_krb5.so

Problem Description:

6799884 pam_krb5 could allow authentication to an attacker's KDC
6812087 Solaris 8 fix for CR 6802931 requires a small portion of the 1.2.1 MIT resync code
 
(from 112390-13)
 
6473261 fail-over to master KDC when synchronization type errors are returned to the client
6496178 krb5 mech resends AS-REQ to the same KDC (master) after user enters a bad password
 
(from 112390-12)
 
5008950 fix for 4957406 is incomplete
4957406 NFS on kerberized file systems thinks I'm nobody
4860226 fix for 4786126 is incomplete
4786126 delegated credentials not provided to caller of gss_accept_sec_context
 
(from 112390-11)
 
6261685 security: buffer overflow, heap corruption in KDC
6284864 krb5_recvauth() may free memory twice under certain conditions
 
(from 112390-10)
 
4851952 krb5_os_localaddr() doesn't work correctly when multiple interfaces configured
 
(from 112390-09)
 
4807010 crash in the gssapi module
5055875 buffer overflow in (undocumented) auth_to_local rules
 
(from 112390-08)
 
4836676 bounds checks not in place for princs in krbv5
 
(from 112390-07)
 
4423818 krb5 mechanism validating the wrong encryption type field
4691352 multiple Kerberos vulnerabilities need to be fixed
 
(from 112390-06)
 
4526202 pam_krb5 auth can fail with multiple ftp sessions of same user
 
(from 112390-05)
 
4360141 kpasswd needs to be able to interface with MIT
 
(from 112390-04)
 
4677605 mech_krb5 patches need a dependency on the libgss patch
 
(from 112390-03)
 
4338622 buffer overrun vulnerabilities in Kerberos (SEAM)
 
(from 112390-02)
 
        This revision corrects the VERSION string in its pkginfo for S8U7B6.
 
(from 112390-01)
 
4496679 krb5 client authentication fails with 32 interfaces


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Perform patch installation in single user mode.  Reboot the system
         after patch installation.
 
NOTE 2:  This is a patch for the domestic encryption kit-enhanced installation
         of Kerberos.  If pkginfo -l SUNWk5pu does not show one of the two
         package versions listed below, this patch does not apply; install
         the equivalent vanilla Kerberos patch instead, available as 112237
         (or newer).
 
         PKGINST:  SUNWk5pu    with  VERSION:  11.8.0,REV=1999.12.07.04.22
         PKGINST:  SUNWk5pu.2  with  VERSION:  11.8.0,REV=1999.12.07.04.22
 
NOTE 3:  To correct several patch installation problems, please also install
         the following patch:
 
         108987-07 (or greater)  patch for patchadd and patchrm
 
NOTE 4:  To get the complete fix for BugId's 6799884 (pam_krb5 could allow
         authentication to an attacker's KDC) and 6812087 (Solaris 8 fix for
         CR 6802931 requires a small portion of the 1.2.1 MIT resync code),
         please also install the following patch:
 
         112237-16 (or greater)  mech_krb5.so.1 and pam_krb5.so.1 patch
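The pre-installation checks that the generic instructions and NOTES 1 to 4 above
imply can be scripted before running patchadd. The following is an added
example and is not part of Sun's README or patch: it reads the run level
(who -r), the SUNWk5pu VERSION (pkginfo -l SUNWk5pu) and the installed patch
list (showrev -p) and applies the "(or greater)" revision comparison for each
prerequisite. Every command output embedded below is constructed so the script
runs offline; on a Solaris 8 host substitute the real command named beside each
sample. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of Sun's README: pre-flight check for 112390-14
# covering NOTE 1 (run level), NOTE 2 (domestic-kit package version) and
# the "(or greater)" prerequisites 109223-02, 108987-07 and 112237-16.
# All command output below is constructed so the script runs offline; on a
# Solaris 8 host replace each sample with the real command named beside it.

# Constructed sample of:  who -r
SAMPLE_WHO_R='   .       run-level S  Mar 24 09:00     S      0  3'

# Constructed sample of:  pkginfo -l SUNWk5pu
SAMPLE_PKGINFO='   PKGINST:  SUNWk5pu
      NAME:  Kerberos V5 programs and libraries (domestic)
  CATEGORY:  system
   VERSION:  11.8.0,REV=1999.12.07.04.22'

# Constructed sample of:  showrev -p   (one "Patch:" line per installed rev)
SAMPLE_SHOWREV='Patch: 108987-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWswmt
Patch: 109223-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWgss
Patch: 109223-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWgss
Patch: 112237-15 Obsoletes:  Requires: 109223-02 Incompatibles:  Packages: SUNWkrbu'

# VERSION string NOTE 2 requires for SUNWk5pu / SUNWk5pu.2
KIT_VERSION='11.8.0,REV=1999.12.07.04.22'

# run_level: prints the current run level taken from who -r output
run_level() {
    printf '%s\n' "$SAMPLE_WHO_R" | awk '{ print $3 }'
}

# kit_version_ok: 0 if SUNWk5pu reports the domestic-kit VERSION, else 1
kit_version_ok() {
    v=$(printf '%s\n' "$SAMPLE_PKGINFO" | sed -n 's/^ *VERSION: *//p')
    [ "$v" = "$KIT_VERSION" ]
}

# highest_rev BASE: prints the highest installed revision of patch BASE as a
# plain integer (leading zero stripped), or nothing if BASE is not installed
highest_rev() {
    printf '%s\n' "$SAMPLE_SHOWREV" |
        sed -n "s/^Patch: $1-\([0-9][0-9]*\) .*/\1/p" |
        sort -n | tail -1 | sed 's/^0*\([0-9]\)/\1/'
}

# patch_satisfied BASE MINREV: 0 if BASE-MINREV or a greater rev is installed
patch_satisfied() {
    rev=$(highest_rev "$1")
    min=$(printf '%s\n' "$2" | sed 's/^0*\([0-9]\)/\1/')
    [ -n "$rev" ] && [ "$rev" -ge "$min" ]
}

# preflight: runs every check, prints one line per failure, returns 0 only
# when all of them pass
preflight() {
    ok=0
    [ "$(run_level)" = "S" ] || { echo "NOTE 1: not in single-user mode (run level S)"; ok=1; }
    kit_version_ok || { echo "NOTE 2: SUNWk5pu is not the domestic kit; use 112237 instead"; ok=1; }
    patch_satisfied 109223 02 || { echo "required patch 109223-02 (or greater) is missing"; ok=1; }
    patch_satisfied 108987 07 || { echo "NOTE 3: install 108987-07 (or greater) first"; ok=1; }
    patch_satisfied 112237 16 || { echo "NOTE 4: install 112237-16 (or greater) for the complete 6799884/6812087 fix"; ok=1; }
    return $ok
}

if preflight; then
    echo "ready: patchadd /var/spool/patch/112390-14, then reboot"
else
    echo "fix the items above before running patchadd"
fi
```

With the constructed samples the script reports only the NOTE 4 item, because
112237-15 is installed but 112237-16 is required; the other checks pass. The
revision comparison deliberately takes the highest installed rev of a base
patch, since showrev -p lists every revision ever applied and the lower ones
remain in the output after a newer rev is installed.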


README -- Last modified date: Friday, November 9, 2012