OBSOLETE Patch-ID# 114435-16



Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security hardware key storage ike ipv6 ipsecconf socket
Synopsis: Obsoleted by: 114423-09 SunOS 5.9_x86: IKE patch
Date: Aug/09/2010


Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 113451

Topic: SunOS 5.9_x86: IKE patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #    Bug #
4666686     15103959
4667873     15104213
4671563     15105006
4673333     15105354
4673338     15105358
4687237     15108081
4704460     15112258
4731575     15119149
4739746     15121545
4742619     15122369
4745493     15123242
4745709     15123304
4745716     15123308
4752466     15125336
4762219     15128187
4804299     15141792
4823665     15148035
4832562     15150747
4840090     15153229
4842368     15154035
4890236     15167628
4919747     15176273
4919802     15176293
4927429     15178343
4930399     15179188
4941232     15182010
4963817     15188188
4974853     15191215
4976759     15191716
4977335     15191850
4982429     15193291
5016628     15202334
6209654     15241479
6214460     15243174
6259973     15261765
6265403     15263790
6268124     15264946
6316863     15284238
6317027     15284311
6326584     15288050
6331159     15289702
6333693     15290725
6340770     15293656
6347364     15296558
6348585     15297092
6367959     15304793
6435580     15334312
6469236     15349877
6750947     15509907
6834132     15558805


Changes incorporated in this version: 6209654

Patches accumulated and obsoleted by this patch: 115261-01 120026-01

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 114423-09

Files included with this patch:

/etc/security/exec_attr
/usr/lib/abi/abi_libike.so.1
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libike.so.1
/usr/sbin/ikeadm
/usr/sbin/ikecert
/usr/sbin/ipsecconf

Problem Description:

6209654 IKE cert payload has problem with certificate chains
 
(from 114435-15)
 
6834132 S9 IPsec/in.iked rport only selector fails with 113451-11
 
(from 114435-14)
 
6750947 libike needs more rigorous packet checks
 
(from 114435-13)
 
4745716 IKE door operations cause in.iked leaks
 
(from 114435-12)
 
6435580 isakmp_negotiation structure passed to ike_call_callbacks() should not contain NULL pointers
 
(from 114435-11)
 
6469236 libike's RSA signature checking slightly incorrect
 
(from 114435-10)
 
6347364 SafeNet plugs ASN.1 leaks
6348585 ISAKMP notification sent to peer contains garbage
6367959 large numbers of certlib entries corrupt active Phase I SA state
6333693 in.iked needs better handling of port-only selectors
6340770 multiple-personality disorder affects inverse_acquire, too
6331159 if the only pre-shared key is deleted, the IKE daemon can not add new keys from a file
6326584 comedy of mismerges puts a quarter-twist into quick mode identities
 
(from 114435-09)
 
6316863 in.iked stops responding after 8 hours because cookies have been updated
6265403 short-lived Phase I SAs get bitten by libike's retransmit-driven delayed cleanup
6259973 IKE phase2 exchange fails to occur when phase1 SA nears expiry
6268124 ikeadm won't remove expiring phase1 SA's by address
6317027 libike tries to dereference the wrong negotiation
 
(from 114435-08)
 
4963817 IKE p2 negotiation failures on x86 with per-socket policies
 
(from 114435-07)
 
5016628 ikecert certrldb -e "certspec" does not work
4976759 callers of ssh_x509_crl_decode() should check for SSH_X509_OK/FAILURE
4977335 ssh_x509_crl_decode() can fail but return SSH_X509_OK
4974853 certrldb will dump core if pem_to_ber() returns NULL
 
(from 114435-06)
 
4982429 patch 113451-06 adds certlocal entry to exec_attr redundantly
 
(from 114435-05)
 
4762219 ikeadm write preshared causes in.iked heartburn
4941232 deleting P1 SAs by address should delete ALL matching P1 SAs
 
(from 114435-04)
 
4804299 failed to change the default value of 28800 for Phase 2 SA's via p2_lifetime_sec
4919747 p2_lifetime default value is too high
4919802 Solaris IKE does not negotiate p2_lifetime_secs when creating an SA
4667873 in.iked door protocol handles some key lengths badly
4840090 why is add_new_sa() called before a phase1_t is linked to a Phase 1 pm_info?
4890236 in.iked botches PF_KEY identity extensions
4927429 some deleted Phase lingers slightly too long
 
(from 114435-03)
 
4930399 ASN.1 patches from SSH, Inc.
 
(from 114435-02)
 
        This revision accumulates S9U5 feature point patch 115261-01.
 
(from 114435-01)
 
4673333 IKE should support hardware assist for certs and Oakley groups
4666686 patch libike with 4/8/2002 SSH patches
4687237 ssh_fatal() calls abort()
4704460 ikeadm:  strcpy() should be replaced by strlcpy()
4739746 single-buffer memory leak in start_ike_servers()
4745493 more patches from SSH Inc.
4745709 SSH IKE code leaks hostent structures
 
(from 115261-01)
 
4671563 RFE: ikecert -lv should list algorithm signature
4673338 IKE should support HW storage of private keys and certificates
4731575 IKE should work with IPv6
4742619 HW-IKE should be more robust when choosing pkcs11 slots
4752466 race in in.iked causes coredump in add_new_sa()
4823665 in.iked becomes confused about sender and receiver
4832562 certdb malformed cert causes core dump
4842368 memory leak for rsa_encryption initiator
 
(from 120026-01)
 
6214460 ipsecconf backs out valid rules if it runs into a duplicate rule


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Perform patch installation in single user mode.
         Perform a reconfiguration boot, boot -r, after patch installation.
 
NOTE 2:  To get the complete Hardware Acceleration for IKE feature, please
         also install the following patch:
 
         114436-01 (or greater)  config.sample
 
NOTE 3:  To get the complete Hardware Key Storage for IKE and IKE for IPV6
         feature, please also install the following patches:
 
         114337-08 (or greater)  ip patch
         114978-01 (or greater)  ipsecah Patch


README -- Last modified date: Saturday, November 10, 2012