OBSOLETE Patch-ID# 119435-29
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security ip ipsec_find_sel ipmp nic phyints arp_publish_count modulo udp tcp packet icmp
Synopsis: Obsoleted by: 122301-62 SunOS 5.9_x86: ip patch
Date: Mar/05/2010
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 9_x86
SunOS Release: 5.9_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 114344
Topic: SunOS 5.9_x86: ip patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6634488
Patches accumulated and obsoleted by this patch: 114859-04 114925-07 115013-01 115015-01 117470-09 119446-02
Patches which conflict with this patch:
Patches required with this patch: 115684-02 117172-17 (or greater)
Obsoleted by: 122301-62
Files included with this patch:
/kernel/drv/arp
/kernel/drv/icmp
/kernel/drv/ip
/kernel/drv/ipsecah
/kernel/drv/spdsock
/kernel/drv/tcp
/kernel/drv/udp
/kernel/strmod/arp
/kernel/strmod/icmp
/kernel/strmod/ip
/kernel/strmod/ipsecah
/kernel/strmod/tcp
/kernel/strmod/udp
/sbin/in.mpathd
/usr/include/inet/arp.h
/usr/include/inet/common.h
/usr/include/inet/ip.h
/usr/include/inet/ip_if.h
/usr/include/inet/tcp.h
/usr/include/ipmp.h
/usr/include/ipmp_mpathd.h
/usr/include/ipmp_query.h
/usr/include/net/if.h
/usr/include/netinet/in.h
/usr/lib/abi/abi_libipmp.so.1
/usr/lib/adb/tcp
/usr/lib/inet/in.mpathd
/usr/lib/libipmp.so
/usr/lib/libipmp.so.1
/usr/lib/llib-lipmp
/usr/lib/llib-lipmp.ln
/usr/sbin/if_mpadm
Problem Description:
6634488 bind() to a reserved port fails on Solaris 9 when euid is 0
(from 119435-28)
6741377 in.mpathd dumps core when running in a Solaris 8 branded zone
(from 119435-27)
6708106 IPMP standby interface responds to the multicast ping requests
(from 119435-26)
6673488 IPsec and IP need to disallow self-encapsulated packets without IPsec protection
(from 119435-25)
6507173 sockets should allocate minor numbers from higher order arena
(from 119435-24)
4956997 DL_{EN,DIS}ABMULTI_REQ handling in IP is out-of-order
(from 119435-23)
6402737 IP spends too much time identifying bad remote host when under SYN attack
(from 119435-22)
6621380 panic in ip_rput_local_options caused by IP-in-IP packet
(from 119435-21)
5079629 multicast joins may fail due to holes in ARP and IP
(from 119435-20)
4773220 provide API to set source address of UDP/IPv4 datagrams
6240205 IP fragments issue
6564842 assertion failed: ire->ire_type != 0x0020, file: ../../common/inet/ip/ip.c, line : 4253
(from 119435-19)
6532784 no-op SIOCSLIFFLAGS from in.mpathd impacts performance under stress tests
(from 119435-18)
6561086 patch 114344-25 affects Oracle/RAC performance dramatically
(from 119435-17)
6459412 ip_strict_dst_multihoming does not handle multiple i/f with same IP address
(from 119435-16)
4758660 panic in IP forwarding path after unplumb due to stale b_queue
(from 119435-15)
6176096 issues with IP fragment handling
6210681 null pointer in ill_frag_free_pkts
6259467 ill_frag_prune() can be invoked with negative number as second argument
(from 119435-14)
6493627 119435-13 needs to accumulate 119446-02
(from 119435-13)
4157198 ARP cache inconsistency between ARP and IP modules
4978063 SO_DONTROUTE option causes ARP traffic for every frame
6463069 fix for CR 4157198 causes neg_advice_on_R1_{conn_a,conn_p,est} test failure
(from 119435-12)
6301112 Mangled Neighbor Solicitation messages out of Solaris in IPMP configuration with IPv6
6310343 IPMP selects failed interfaces link local address
6395535 IPMP configured system will reply with MAC/Link local address mismatch for ICMP echo reply
(from 119435-11)
4825472 IPMPs in.mpathd causes unnecessary failovers if started without usable routers
5019039 in.mpathd induces icmp hurricanes in single-router environments
(from 119435-10)
4294701 2 same routing entries for loopback interfaces
6241739 reassembly of an ipv6 frag of frag causes fault
(from 119435-09)
This revision addresses patch construction issues.
(from 119435-08)
6257723 source address selection is wrong if IPMP is enabled
(from 119435-07)
4796820 IPMP starts outgoing traffic on failed interface with option FAILBACK=no
5084073 fix for 4796820 is not enough
6220619 IGMP messages are not sent out when interfaces fail over
6332525 when NIC goes down temporarily before accept(), tcp connection is made IDLE
(from 119435-06)
6227733 need improved scalability in ipsec policy engine
4867136 ipsec_find_sel may return holding the HASH_LOCK
(from 119435-05)
4690625 logging doesn't seem to happen anymore
(from 119435-04)
4658177 panic while doing ifconfig addif on a partially configured tunnel
(from 119435-03)
6212756 UDP checksum 0x0000 not substituted with 0xffff for UDP over IPv6 packets
(from 119435-02)
4963675 Multicast Routing does not work over IP-in-IP tunnels (e.g. ip.tunXXX)
(from 119435-01)
6235832 panic in IP module during e1000g bind processing
(from 114925-07)
6229034 in.mpathd will abort on deferred probes with 0ms round-trip times
(from 114925-06)
4691277 IPMP wraps probe sequence numbers incorrectly
(from 114925-05)
5013238 in.mpathd prints "Cannot meet requested failure detection time" frequently
5078640 in.mpathd uses probe_interval as global variable
(from 114925-04)
4837086 CMSG_FIRSTHDR should return NULL when controllen == 0
(from 114925-03)
4803389 in.mpathd's lightweight router target selection logic KO'd by 4673190
4834142 redundant call to phyint_repaired() in initifs() can "lose" a probe
(from 114925-02)
4777295 IP Multipathing Query Interface
4775897 events for IPMP anonymous group should be just like named groups
(from 114925-01)
4685978 IPMP does not detect NIC repair when only one of two targets is up
4808860 mpathd deletes target list of phyints in all groups when link fails in one group
(from 115013-01)
4777295 IP Multipathing Query Interface
4775897 events for the IPMP anonymous group should be just like named groups
(from 115015-01)
4777295 IP Multipathing Query Interface
4775897 events for IPMP anonymous group should be just like named groups
(from 119446-02)
4157198 ARP cache inconsistency between ARP and IP modules
4978063 SO_DONTROUTE option causes ARP traffic for every frame
(from 119446-01)
6214946 publishing an arp entry causes source Ether Addr issue
(from 114859-04)
6313308 Solaris 9 UDP anonymous port assigned used/unavailable ports
(from 114859-03)
4708720 TCP/UDP make unwarranted ICMP M_CTL assumptions
(from 114859-02)
6251862 invalid UDP length and checksum
(from 114859-01)
4727825 local bound port hashing does not work effectively on Intel systems
(from 117470-09)
6521112 data corruption may occur when packet with invalid timestamp value is sent
(from 117470-08)
6395540 system hangs sending one urgent byte beyond zero send window
(from 117470-07)
4708720 TCP/UDP make unwarranted ICMP M_CTL assumptions
5084452 ICMP can snipe away incipient TCP connections
6354773 some changes made by 5084452 do not work with x86
(from 117470-06)
4511681 TCP vulnerable to Denial Of Service via "ACK storm"
(from 117470-05)
6276464 reads on tcp endpoint with synchronous streams can return extents of input buffer unmodified
(from 117470-04)
6259389 race condition between cl_tcp_walk_list() and connection establishment
(from 117470-03)
5094229 driver hangs when accessing tt_open
(from 117470-02)
4846184 slow receiving process causes timer based ACKing
(from 117470-01)
5089150 binding to port which has already been bound may incorrectly succeed
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
Not all patches listed in this section as needed for the completion
of a fix or feature may be available at the same time as this patch.
This allows the remaining fixes/features to be made available sooner.
NOTE 1: To get the complete fix for 4837086 (CMSG_FIRSTHDR should return
NULL when controllen == 0), please also install the following patches:
114348-05 (or greater) in.routed patch
114442-02 (or greater) ifconfig patch
116018-02 (or greater) in.ndpd patch
116507-02 (or greater) traceroute patch
116775-01 (or greater) ping patch
116777-01 (or greater) mipagent patch
116779-01 (or greater) in.ripngd patch
NOTE 2: Installing this patch will permanently move /sbin/in.mpathd to the
new location /usr/lib/inet/in.mpathd. /sbin/in.mpathd will then be
replaced by a symlink to this new location.
Backing this patch out will restore the original in.mpathd binary,
but the positional change described above will not be undone.
NOTE 3: To get the complete fix for 4796820 (IPMP starts outgoing traffic
on failed interface with option FAILBACK=no), please also install
the following patch:
122674-01 (or greater) sockio.h header patch
NOTE 4: To get the complete fix for 6176096 (issues with IP fragment
handling), please also install the following patch:
122301-04 (or greater) kernel patch
NOTE 5: To get the complete fix for 6402737 (IP spends too much time
identifying bad remote host when under SYN attack), please also
install the following patch:
122301-25 (or greater) Kernel Patch
README -- Last modified date: Saturday, November 10, 2012