OBSOLETE Patch-ID# 114435-16

Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.

For further information on patching best practices and resources, please see the following links:

Keywords: security hardware key storage ike ipv6 ipsecconf socket
Synopsis: Obsoleted by: 114423-09 SunOS 5.9_x86: IKE patch
Date: Aug/09/2010

Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 113451

Topic: SunOS 5.9_x86: IKE patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #	Bug #
4666686	15103959
4667873	15104213
4671563	15105006
4673333	15105354
4673338	15105358
4687237	15108081
4704460	15112258
4731575	15119149
4739746	15121545
4742619	15122369
4745493	15123242
4745709	15123304
4745716	15123308
4752466	15125336
4762219	15128187
4804299	15141792
4823665	15148035
4832562	15150747
4840090	15153229
4842368	15154035
4890236	15167628
4919747	15176273
4919802	15176293
4927429	15178343
4930399	15179188
4941232	15182010
4963817	15188188
4974853	15191215
4976759	15191716
4977335	15191850
4982429	15193291
5016628	15202334
6209654	15241479
6214460	15243174
6259973	15261765
6265403	15263790
6268124	15264946
6316863	15284238
6317027	15284311
6326584	15288050
6331159	15289702
6333693	15290725
6340770	15293656
6347364	15296558
6348585	15297092
6367959	15304793
6435580	15334312
6469236	15349877
6750947	15509907
6834132	15558805

Changes incorporated in this version: 6209654

Patches accumulated and obsoleted by this patch: 115261-01 120026-01

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 114423-09

Files included with this patch:

/etc/security/exec_attr
/usr/lib/abi/abi_libike.so.1
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libike.so.1
/usr/sbin/ikeadm
/usr/sbin/ikecert
/usr/sbin/ipsecconf

Problem Description:

6209654 IKE cert payload has problem with certificate chains
 
(from 114435-15)
 
6834132 S9 IPsec/in.iked rport only selector fails with 113451-11
 
(from 114435-14)
 
6750947 libike needs more rigorous packet checks
 
(from 114435-13)
 
4745716 IKE door operations cause in.iked leaks
 
(from 114435-12)
 
6435580 isakmp_negotiation structure passed to ike_call_callbacks() should not contain NULL pointers
 
(from 114435-11)
 
6469236 libike's RSA signature checking slightly incorrect
 
(from 114435-10)
 
6347364 SafeNet plugs ASN.1 leaks
6348585 ISAKMP notification sent to peer contains garbage
6367959 large numbers of certlib entries corrupt active Phase I SA state
6333693 in.iked needs better handling of port-only selectors
6340770 multiple-personality disorder affects inverse_acquire, too
6331159 if the only pre-shared key is deleted, the IKE daemon can not add new keys from a file
6326584 comedy of mismerges puts a quarter-twist into quick mode identities
 
(from 114435-09)
 
6316863 in.iked stops responding after 8 hours because cookies have been updated
6265403 short-lived Phase I SAs get bitten by libike's retransmit-driven delayed cleanup
6259973 IKE phase2 exchange fails to occur when phase1 SA nears expiry
6268124 ikeadm won't remove expiring phase1 SA's by address
6317027 libike tries to dereference the wrong negotiation
 
(from 114435-08)
 
4963817 IKE p2 negotiation failures on x86 with per-socket policies
 
(from 114435-07)
 
5016628 ikecert certrldb -e "certspec" does not work
4976759 callers of ssh_x509_crl_decode() should check for SSH_X509_OK/FAILURE
4977335 ssh_x509_crl_decode() can fail but return SSH_X509_OK
4974853 certrldb will dump core if pem_to_ber() returns NULL
 
(from 114435-06)
 
4982429 patch 113451-06 adds certlocal entry to exec_attr redundantly
 
(from 114435-05)
 
4762219 ikeadm write preshared causes in.iked heartburn
4941232 deleting P1 SAs by address should delete ALL matching P1 SAs
 
(from 114435-04)
 
4804299 failed to change the default value of 28800 for Phase 2 SA's via p2_lifetime_sec
4919747 p2_lifetime default value is too high
4919802 Solaris IKE does not negotiate p2_lifetime_secs when creating an SA
4667873 in.iked door protocol handles some key lengths badly
4840090 why is add_new_sa() called before a phase1_t is linked to a Phase 1 pm_info?
4890236 in.iked botches PF_KEY identity extensions
4927429 some deleted Phase lingers slightly too long
 
(from 114435-03)
 
4930399 ASN.1 patches from SSH, Inc.
 
(from 114435-02)
 
        This revision accumulates S9U5 feature point patch 115261-01.
 
(from 114435-01)
 
4673333 IKE should support hardware assist for certs and Oakley groups
4666686 patch libike with 4/8/2002 SSH patches
4687237 ssh_fatal() calls abort()
4704460 ikeadm:  strcpy() should be replaced by strlcpy()
4739746 single-buffer memory leak in start_ike_servers()
4745493 more patches from SSH Inc.
4745709 SSH IKE code leaks hostent structures
 
(from 115261-01)
 
4671563 RFE: ikecert -lv should list algorithm signature
4673338 IKE should support HW storage of private keys and certificates
4731575 IKE should work with IPv6
4742619 HW-IKE should be more robust when choosing pkcs11 slots
4752466 race in in.iked causes coredump in add_new_sa()
4823665 in.iked becomes confused about sender and receiver
4832562 certdb malformed cert causes core dump
4842368 memory leak for rsa_encryption initiator
 
(from 120026-01)
 
6214460 ipsecconf backs out valid rules if it runs into a duplicate rule

Patch Installation Instructions:

--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.

Special Install Instructions:

-----------------------------
 
NOTE 1:  Perform patch installation in single user mode.
         Perform a reconfiguration boot, boot -r, after patch installation.
 
NOTE 2:  To get the complete Hardware Acceleration for IKE feature, please
         also install the following patch:
 
         114436-01 (or greater)  config.sample
 
NOTE 3:  To get the complete Hardware Key Storage for IKE and IKE for IPV6
         feature, please also install the following patches:
 
         114337-08 (or greater)  ip patch
         114978-01 (or greater)  ipsecah Patch

README -- Last modified date: Saturday, November 10, 2012