OBSOLETE Patch-ID# 118371-10


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security elfsign libike keystore memory libpkcs11
Synopsis: Obsoleted by: 120011-14 SunOS 5.10: elfsign patch
Date: Apr/16/2007


Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 118372

Topic: SunOS 5.10: elfsign patch

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #   Bug #
4797442    15139273
4987141    15194677
5019131    15202954
5057756    15214100
5099921    15226818
6196062    15236830
6214106    15243054
6214824    15243284
6216464    15243983
6218014    15244669
6218030    15244675
6220136    15245574
6221396    15246016
6222046    15246287
6222935    15246731
6238177    15253036
6238962    15253372
6239551    15253590
6258804    15261419
6258976    15261445
6259973    15261765
6265403    15263790
6268124    15264946
6269601    15265520
6282641    15270519
6283570    15270881
6301500    15278071
6317027    15284311
6326584    15288050
6331159    15289702
6333693    15290725
6340770    15293656
6347364    15296558
6348585    15297092
6367959    15304793
6442165    15337261
6443338    15337775
6452474    15341847
6455443    15343335
6456365    15343937
6463482    15347280
6469236    15349877
6475734    15352779
6494630    15361708


Changes incorporated in this version: 4797442 6269601 6442165 6443338 6452474 6455443 6456365 6463482

Patches accumulated and obsoleted by this patch: 119265-02

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 120011-14

Files included with this patch:

/usr/bin/elfsign
/usr/lib/crypto/kcfd
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libelfsign.so.1
/usr/lib/libike.so.1

Problem Description:

4797442 enable AES encryption for the IKE exchange
6269601 gcc and in.iked don't get along
6442165 pluck_out_low_high() leaks memory in in.iked(1M)
6443338 in.iked needs to fork() again after setsid()
6452474 in.iked(1M) fails to offer all keylength sizes in Phase1 transform list with certain config files
6455443 IKE phase1 debug messages should include key lengths
6456365 in.iked does not supply IPSEC_CLASSES_KEY_LENGTH attr for IKE phase2 for blowfish
6463482 in.iked should check keylengths in phase2 proposals for variable-sized ciphers more thoroughly
 
(from 118371-09)
 
6475734 CRLs with reason code 9 are rejected as invalid
6494630 qs21 may be validating cert chains incorrectly
 
(from 118371-08)
 
6469236 libike's RSA signature checking slightly incorrect
 
(from 118371-07)
 
6367959 large numbers of certlib entries corrupt active Phase I SA state
6282641 policy with AH can cause in.iked to exit when NAT-T triggered
6333693 in.iked needs better handling of port-only selectors
6258804 IKE p1 delete notifications not being sent immediately on flush
5099921 in.iked pfkey.c: should pull memset into extract_exts()
6340770 multiple-personality disorder affects inverse_acquire, too
6326584 comedy of mismerges puts a quarter-twist into quick mode identities
6347364 SafeNet plugs ASN.1 leaks
6348585 ISAKMP notification sent to peer contains garbage
6331159 if the only pre-shared key is deleted, IKE daemon can not add new keys from a file
 
(from 118371-06)
 
6265403 short-lived Phase I SAs get bitten by libike's retransmit-driven delayed cleanup
6259973 IKE phase2 exchange fails to occur when phase1 SA nears expiry
6268124 ikeadm won't remove expiring phase1 SA's by address
6317027 libike tries to dereference the wrong negotiation
 
(from 118371-05)
 
6301500 multiple elfsign failures in SPARC & X86 SUNWgcc package
 
(from 118371-04)
 
6258976 kcfd dies under a barrage of verification requests
6283570 misaligned ELF64 section heads
 
(from 118371-03)
 
6238177 ikecert certlocal -a dumps core
6238962 ikecert cache has artificially small maximum value
6239551 in.iked doesn't parse config.sample as expected
 
(from 118371-02)
 
        This revision accumulates S10U1 feature point patch 119265-02.
 
(from 118371-01)
 
5057756 elfsign should put OU in subject name in its own AttributeTypeAndValue
6214106 elfsign damages some executables
 
(from 119265-02)
 
        Uprev due to the intersection between Feature and Generic gates.
 
(from 119265-01)
 
4987141 misleading comments in do_p1getdel() function
5019131 IKE should use uCF's libpkcs11 by default for performance improvement
6196062 drop SafeNet QuickSec 2.1 into libike
6214824 update NAT-T Support to full RFC 3947 compliance
6216464 memory leak if ssh_ike_connect_ipsec() fails immediately
6218014 qs21 putback broke tools/version of elfsign
6218030 fix for 6218014 needs a more elegant solution
6220136 elfsign request fails
6221396 libike PKCS#11 D-H native glue needs to guard against trimmed leading-zeroes
6222046 usr/src/lib/libike needed in its entirety to build usr/src/tools
6222935 keystore generation is broken post-qs21


Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
 
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.


Special Install Instructions:
-----------------------------
 
Not all patches listed in this section as needed for the completion
of a fix or feature may be available at the same time as this patch.
This allows the remaining fixes/features to be made available sooner.
 
NOTE 1:  If you're planning to set up Zones on this system, please make
         sure to install the following patch which fixes bugid 6216195
         (zone installation confused by UPDATE=yes in pkginfo(4) file):
 
         119015-01 (or greater)  Install and Patch Utilities Patch
 
         (Note that 119254 has superseded 119015; installation of the
          current version is recommended, due to its central role in
          the installation and removal of patches.)
 
NOTE 2:  If the patch is being applied to the live system, please do the following:
 
         svcadm disable -t cryptosvc
 
         Apply the patch to elfsign, libelfsign and kcfd
 
         svcadm enable -t cryptosvc
 
NOTE 3:  To get the complete fix for bugid 6265403 (short-lived Phase I SAs get
         bitten by libike's retransmit-driven delayed cleanup), please also
         install the following patch:
 
         121406-01 (or greater)  ikeadm patch


README -- Last modified date: Saturday, November 10, 2012