OBSOLETE Patch-ID# 114435-16
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
|
For further information on patching best practices and resources, please
see the following links:
|
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
Keywords: security hardware key storage ike ipv6 ipsecconf socket
Synopsis: Obsoleted by: 114423-09 SunOS 5.9_x86: IKE patch
Date: Aug/09/2010
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 9_x86
SunOS Release: 5.9_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 113451
Topic: SunOS 5.9_x86: IKE patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6209654
Patches accumulated and obsoleted by this patch: 115261-01 120026-01
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by: 114423-09
Files included with this patch:
/etc/security/exec_attr
/usr/lib/abi/abi_libike.so.1
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libike.so.1
/usr/sbin/ikeadm
/usr/sbin/ikecert
/usr/sbin/ipsecconf
Problem Description:
6209654 IKE cert payload has problem with certificate chains
(from 114435-15)
6834132 S9 IPsec/in.iked rport only selector fails with 113451-11
(from 114435-14)
6750947 libike needs more rigorous packet checks
(from 114435-13)
4745716 IKE door operations cause in.iked leaks
(from 114435-12)
6435580 isakmp_negotiation structure passed to ike_call_callbacks() should not contain NULL pointers
(from 114435-11)
6469236 libike's RSA signature checking slightly incorrect
(from 114435-10)
6347364 SafeNet plugs ASN.1 leaks
6348585 ISAKMP notification sent to peer contains garbage
6367959 large numbers of certlib entries corrupt active Phase I SA state
6333693 in.iked needs better handling of port-only selectors
6340770 multiple-personality disorder affects inverse_acquire, too
6331159 if the only pre-shared key is deleted, the IKE daemon can not add new keys from a file
6326584 comedy of mismerges puts a quarter-twist into quick mode identities
(from 114435-09)
6316863 in.iked stops responding after 8 hours because cookies have been updated
6265403 short-lived Phase I SAs get bitten by libike's retransmit-driven delayed cleanup
6259973 IKE phase2 exchange fails to occur when phase1 SA nears expiry
6268124 ikeadm won't remove expiring phase1 SA's by address
6317027 libike tries to dereference the wrong negotiation
(from 114435-08)
4963817 IKE p2 negotiation failures on x86 with per-socket policies
(from 114435-07)
5016628 ikecert certrldb -e "certspec" does not work
4976759 callers of ssh_x509_crl_decode() should check for SSH_X509_OK/FAILURE
4977335 ssh_x509_crl_decode() can fail but return SSH_X509_OK
4974853 certrldb will dump core if pem_to_ber() returns NULL
(from 114435-06)
4982429 patch 113451-06 adds certlocal entry to exec_attr redundantly
(from 114435-05)
4762219 ikeadm write preshared causes in.iked heartburn
4941232 deleting P1 SAs by address should delete ALL matching P1 SAs
(from 114435-04)
4804299 failed to change the default value of 28800 for Phase 2 SA's via p2_lifetime_sec
4919747 p2_lifetime default value is too high
4919802 Solaris IKE does not negotiate p2_lifetime_secs when creating an SA
4667873 in.iked door protocol handles some key lengths badly
4840090 why is add_new_sa() called before a phase1_t is linked to a Phase 1 pm_info?
4890236 in.iked botches PF_KEY identity extensions
4927429 some deleted Phase lingers slightly too long
(from 114435-03)
4930399 ASN.1 patches from SSH, Inc.
(from 114435-02)
This revision accumulates S9U5 feature point patch 115261-01.
(from 114435-01)
4673333 IKE should support hardware assist for certs and Oakley groups
4666686 patch libike with 4/8/2002 SSH patches
4687237 ssh_fatal() calls abort()
4704460 ikeadm: strcpy() should be replaced by strlcpy()
4739746 single-buffer memory leak in start_ike_servers()
4745493 more patches from SSH Inc.
4745709 SSH IKE code leaks hostent structures
(from 115261-01)
4671563 RFE: ikecert -lv should list algorithm signature
4673338 IKE should support HW storage of private keys and certificates
4731575 IKE should work with IPv6
4742619 HW-IKE should be more robust when choosing pkcs11 slots
4752466 race in in.iked causes coredump in add_new_sa()
4823665 in.iked becomes confused about sender and receiver
4832562 certdb malformed cert causes core dump
4842368 memory leak for rsa_encryption initiator
(from 120026-01)
6214460 ipsecconf backs out valid rules if it runs into a duplicate rule
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Perform patch installation in single user mode.
Perform a reconfiguration boot, boot -r, after patch installation.
NOTE 2: To get the complete Hardware Acceleration for IKE feature, please
also install the following patch:
114436-01 (or greater) config.sample
NOTE 3: To get the complete Hardware Key Storage for IKE and IKE for IPV6
feature, please also install the following patches:
114337-08 (or greater) ip patch
114978-01 (or greater) ipsecah Patch
README -- Last modified date: Saturday, November 10, 2012