OBSOLETE Patch-ID# 120037-22
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security pam_passwd_auth libperl dynaloader softtoken kdc kpasswd kerberos
Synopsis: Obsoleted by: 120012-14 SunOS 5.10_x86: libc nss ldap PAM zfs patch
Date: Jul/17/2007
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 120473
Topic: SunOS 5.10_x86: libc nss ldap PAM zfs patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6562672
Patches accumulated and obsoleted by this patch: 117464-04 118871-01 118891-03 120053-05 120474-01 121007-02 121279-01 121295-01 122082-01 122411-01 122536-01 123331-01 123349-04 123351-01 123357-03 124205-05 124281-01 125429-02 125796-01
Patches which conflict with this patch:
Patches required with this patch: 118344-14 118855-36 122641-06 123840-01 (or greater)
Obsoleted by: 120012-14
Files included with this patch:
/etc/nsswitch.dns
/etc/nsswitch.files
/etc/nsswitch.ldap
/kernel/drv/amd64/zfs
/kernel/drv/zfs
/kernel/fs/amd64/zfs
/kernel/fs/zfs
/kernel/kmdb/amd64/zfs
/kernel/kmdb/zfs
/lib/amd64/libc.so.1
/lib/amd64/libdevinfo.so.1
/lib/amd64/libnsl.so.1
/lib/amd64/libsecdb.so.1
/lib/amd64/libzfs.so
/lib/amd64/libzfs.so.1
/lib/amd64/libzfs.so.2
/lib/amd64/llib-lc.ln
/lib/amd64/llib-lzfs.ln
/lib/amd64/nss_compat.so.1
/lib/amd64/nss_files.so.1
/lib/libc.so.1
/lib/libdevinfo.so.1
/lib/libnsl.so.1
/lib/libsecdb.so.1
/lib/libzfs.so
/lib/libzfs.so.1
/lib/libzfs.so.2
/lib/llib-ladm.ln
/lib/llib-laio.ln
/lib/llib-lbsm.ln
/lib/llib-lc
/lib/llib-lc.ln
/lib/llib-lcmd.ln
/lib/llib-lcontract.ln
/lib/llib-lcurses.ln
/lib/llib-lgen.ln
/lib/llib-lkstat.ln
/lib/llib-lnsl.ln
/lib/llib-lnvpair.ln
/lib/llib-lpam.ln
/lib/llib-lresolv.ln
/lib/llib-lsec.ln
/lib/llib-lsysevent.ln
/lib/llib-ltsnet.ln
/lib/llib-lzfs
/lib/llib-lzfs.ln
/lib/nss_compat.so.1
/lib/nss_files.so.1
/sbin/zfs
/sbin/zpool
/usr/bin/ldaplist
/usr/include/nss_dbdefs.h
/usr/include/stdio_ext.h
/usr/include/stdio_impl.h
/usr/lib/amd64/gss/mech_krb5.so.1
/usr/lib/amd64/libldap.so.5
/usr/lib/amd64/libproject.so.1
/usr/lib/amd64/libsldap.so.1
/usr/lib/amd64/libzfs.so
/usr/lib/amd64/libzfs.so.2
/usr/lib/amd64/libzfs_jni.so.1
/usr/lib/amd64/libzpool.so.1
/usr/lib/amd64/llib-lkvm.ln
/usr/lib/amd64/llib-lpasswdutil.ln
/usr/lib/amd64/llib-lsldap.ln
/usr/lib/amd64/nss_ldap.so.1
/usr/lib/amd64/passwdutil.so.1
/usr/lib/extendedFILE.so.1
/usr/lib/fm/fmd/plugins/zfs-retire.conf
/usr/lib/fm/fmd/plugins/zfs-retire.so
/usr/lib/fm/fmd/schemes/amd64/zfs.so
/usr/lib/fm/fmd/schemes/zfs.so
/usr/lib/fs/zfs/fstyp
/usr/lib/gss/mech_krb5.so.1
/usr/lib/krb5/amd64/libkadm5clnt.so.1
/usr/lib/krb5/kadmind
/usr/lib/krb5/krb5kdc
/usr/lib/krb5/libkadm5clnt.so.1
/usr/lib/krb5/libkadm5srv.so.1
/usr/lib/krb5/libkadmin.so.1
/usr/lib/krb5/libkdb.so.1
/usr/lib/ldap/idsconfig
/usr/lib/ldap/ldap_cachemgr
/usr/lib/libc/libc_hwcap1.so.1
/usr/lib/libc/libc_hwcap2.so.1
/usr/lib/libldap.so.5
/usr/lib/libproject.so.1
/usr/lib/libsldap.so.1
/usr/lib/libzfs.so
/usr/lib/libzfs.so.2
/usr/lib/libzfs_jni.so.1
/usr/lib/libzpool.so.1
/usr/lib/llib-l300.ln
/usr/lib/llib-l300s.ln
/usr/lib/llib-l450.ln
/usr/lib/llib-ladt_jni.ln
/usr/lib/llib-lc2stubs.ln
/usr/lib/llib-lcrypt.ln
/usr/lib/llib-ldiskmgt.ln
/usr/lib/llib-ldtrace.ln
/usr/lib/llib-lfsmgt.ln
/usr/lib/llib-lipp.ln
/usr/lib/llib-lkvm.ln
/usr/lib/llib-lldap.ln
/usr/lib/llib-lmail.ln
/usr/lib/llib-lmilter.ln
/usr/lib/llib-lmtmalloc.ln
/usr/lib/llib-lpasswdutil.ln
/usr/lib/llib-lplot.ln
/usr/lib/llib-lproject.ln
/usr/lib/llib-lrac.ln
/usr/lib/llib-lrcm.ln
/usr/lib/llib-lsldap.ln
/usr/lib/llib-lsmedia.ln
/usr/lib/llib-ltecla.ln
/usr/lib/llib-lvolmgt.ln
/usr/lib/llib-lvt0.ln
/usr/lib/mdb/kvm/amd64/zfs.so
/usr/lib/mdb/kvm/zfs.so
/usr/lib/mdb/proc/amd64/libzpool.so
/usr/lib/mdb/proc/libzpool.so
/usr/lib/nss_ldap.so.1
/usr/lib/passwdutil.so.1
/usr/lib/security/amd64/pam_authtok_check.so.1
/usr/lib/security/amd64/pam_authtok_get.so.1
/usr/lib/security/amd64/pam_authtok_store.so.1
/usr/lib/security/amd64/pam_dhkeys.so.1
/usr/lib/security/amd64/pam_dial_auth.so.1
/usr/lib/security/amd64/pam_krb5.so.1
/usr/lib/security/amd64/pam_krb5_migrate.so.1
/usr/lib/security/amd64/pam_ldap.so.1
/usr/lib/security/amd64/pam_passwd_auth.so.1
/usr/lib/security/amd64/pam_roles.so.1
/usr/lib/security/amd64/pam_unix_cred.so.1
/usr/lib/security/pam_authtok_check.so.1
/usr/lib/security/pam_authtok_get.so.1
/usr/lib/security/pam_authtok_store.so.1
/usr/lib/security/pam_dhkeys.so.1
/usr/lib/security/pam_dial_auth.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so.1
/usr/lib/security/pam_ldap.so.1
/usr/lib/security/pam_passwd_auth.so.1
/usr/lib/security/pam_roles.so.1
/usr/lib/security/pam_unix_cred.so.1
/usr/lib/zfs/availdevs
/usr/perl5/5.8.4/bin/perlbug
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE/libperl.so.1
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE/opcode.h
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE/patchlevel.h
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/CORE/perl.h
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/auto/DynaLoader/DynaLoader.a
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/auto/MIME/Base64/Base64.so
/usr/perl5/5.8.4/lib/i86pc-solaris-64int/auto/Storable/Storable.so
/usr/sbin/amd64/zdb
/usr/sbin/i86/zdb
/usr/sbin/ldapaddent
/usr/sfw/lib/amd64/llib-lcrypto.ln
/usr/sfw/lib/llib-lcrypto
/usr/sfw/lib/llib-lcrypto.ln
/usr/sfw/lib/llib-lssl.ln
/usr/ucblib/amd64/libucb.so.1
/usr/ucblib/libucb.so.1
/usr/ucblib/llib-lucb.ln
/usr/xpg4/lib/llib-lcurses.ln
Problem Description:
6562672 kadmind vulnerable to buffer overflow [ MITKRB5-SA-2007-005 ]
(from 120037-21)
6457110 pkill -HUP ldap_cachemgr alters NS_LDAP_CACHETTL in ldap_client_file
6500684 memory leak in libsldap:setup_next_search()
6505933 bsearch breaks if the table size is larger than 2GB
(from 120037-20)
6538001 KDC, kadmind stack overflow in krb5_klog_syslog (CVE-2007-0957)
6543658 krb5_set_default_tgs_enctypes: referenced symbol not found
(from 120037-19)
6253934 passwd and pwconv are crashing with wrong entry in /etc/shadow
6355084 Posix compliant open() of a character device is not MT-safe
6497698 krb5kdc(1) should also provide password expiration information
6514446 pam_dhkeys prompts for secure RPC password when neither LOCAL or DES credentials exist
6515653 __getpass function outputs to stderr rather than tty
6518780 deadlock due to fork and suspend thread
6544832 setproject(3PROJECT): recover gracefully if inserting an existing rctl value (lite fix for 6194864)
(from 120037-18)
6418491 Solaris 10 runtime prevents sigbus signal to correctly get passed to the handler
(from 120037-17)
6538049 libdevinfo doesn't convert prom alias to prom device
(from 120037-16)
6521689 closefrom() does not close all file descriptors
(from 120037-15)
1085341 32-bit stdio routines should support file descriptors >255
6369408 fflush(NULL); will corrupt data written on files in multithreaded apps
6376848 fileno unexpectedly needs a lock
6417483 LD_DEBUG fails after putback for 1085341
6512868 message from 1085341 fix does not need to be I18N
(from 120037-14)
(removed) 6418491 Solaris 10 runtime prevents sigbus signal to correctly get passed to the handler
Note: This bugfix was integrated in rev14 but was backed out in rev15
to fix a hang problem after patch installation.
(from 120037-13)
6278068 native ldap client: simple page mode broken in Solaris 9 and 10
(from 120037-12)
6447838 libc needs to reset __threaded in executables
6467539 nscd's keep persistent connections to even wedged LDAP servers
6494750 nscd reuses ports after long idle time causes lookup failures
(from 120037-11)
4667251 groups command returns number, not name for large group
5080012 ldap: roles returns NULL if size of roles exceeds 1022 characters
(from 120037-10)
4768758 ldap_cachemgr doesn't disable cancellation
(from 120037-09)
6289986 ldap backend could be more efficient for netgroup lookups
6362106 ldap netgroup backend does not handle null user information correctly
6455431 improper usage of locale-sensitive functions
6314502 ldapaddent cores when dumping netgroup database
6329240 libsldap: nscd leaks file descriptors, too many opens on ldap_cache_door
6425808 ldaplist does not return 1001 user when 1001 users setup
(from 120037-08)
This revision accumulates S10U3 feature point patch 123349-04.
(from 120037-07)
6384642 libldap/SSL negotiation uses synchronous I/O preventing timeouts on congested server
6453641 bringover usr/src/lib/libsldap is missing a header file
6404337 nscd crashes in libsldap:get_mapped_filter() when using invalid chars in search filter
(from 120037-06)
6380248 ldap clients select incorrect profile on refresh when "cn=" is same but "dn=" is different
(from 120037-05)
6237466 Solaris 10 LDAP Client using multiple authentication methods do not fail to second method listed
(from 120037-04)
4909247 Solaris 8 Client has broken .rhosts authentication with patch 108993-21
(from 120037-03)
6312173 libsldap function __ns_ldap_list() returns invalid DN string when using attributMap
(from 120037-02)
6226776 passwd command will fail if first ldap server in referral list is down
6276525 libldap5 cores when trying to resolve hostname
6274517 libsldap:search_state_machine() falls into recursive loop if ldap_search_ext() returns 91
(from 120037-01)
4626861 if a search times out, libsldap logs the wrong message
6232564 when interrupted (EINTR) while polling, libsldap should retry the poll
6232579 libldap not handling select() failures when issuing a connection
(from 118871-01)
6230927 using multiple netgroups in the nfs_share access list breaks the access list
(from 122411-01)
6294728 ldaplist: a very long filter causes ldaplist to dump core in set_filter
6365882 ldaplist should print error messages to stderr not stdout
(from 123349-04)
Uprev due to the intersection of the generic patch.
(from 123349-03)
Uprev due to the intersection of the generic patch.
(from 123349-02)
Uprev due to the intersection of the generic patch.
(from 123349-01)
6394554 integrate Solaris Trusted Extensions
6403267 address remaining issues raised during TX code reviews
6399963 get_zone_pool() isn't consistent with its return values
(from 120053-05)
6465639 useradd usermod passmgmt need support for Trusted Extensions keywords
1236941 would like usermod -c to not abort if the user is logged in
6357764 monitor manipulation in FEM panics server
6388050 message for successful password update is a PAM_ERROR_MSG
6415535 audit_event TX code review issues
6435911 root can't login via console CLI if label daemon is not running
6457407 fix for CR 6431503 broke printer banners for complex labels
6458668 TX route get changes can cause panic if passed an ioctl with NULL credentials
(from 120053-04)
This revision accumulates S10U3 feature point patch 123357-03.
(from 120053-03)
6193468 *passwd* some words fail dictionary check
(from 120053-02)
6346529 login should not fail when unknown privileges are requested
6395043 having extra privileges prevents logins in zones
(from 120053-01)
6281689 rstchown=0 has no effect on chown(1)
(from 123357-03)
6429769 after upgrading, nsswitch.conf is modified incorrectly with tnrhdb and tnrhtp entries
(from 123357-02)
Uprev due to the intersection with the generic patch.
(from 123357-01)
6394554 integrate Solaris Trusted Extensions
6241740 implement PSARC/2005/162 remote roles
6356419 establishing audit context for system processes may fail in edge conditions
6403267 address remaining issues raised during TX code reviews
6399963 get_zone_pool() isn't consistent with its return values
(from 120474-01)
5097644 compat syntax generates duplicate lookups and degrades performance
(from 117464-04)
4974005 Purify/dbx reports memory leaks in PAM [Solaris 8/9/10]
6434595 memory leak in passwdutil.so.1 using Payflex cards
(from 117464-03)
6295037 passwdutil.so.1 init function has race in MT application when used with dlopen
6386770 pam_authenticate can fail if open files are >= 255 and soft fd limit greater than 256
(from 117464-02)
4996426 passwd -x still misbehaves
(from 117464-01)
5007891 passwd(1) command may SEGV on NIS+ master servers
5096736 pwd change in NIS+ fails with "Permission denied" if new pwd is longer than 11 b
(from 123331-01)
6311010 pam_passwd_auth can't deal with old SunOS aging
(from 118891-03)
This revision accumulates S10U3 feature point patch 123351-01.
(from 118891-02)
This revision accumulates S10U2 feature point patch 121279-01.
(from 118891-01)
4954703 userland atomic.h port should include cas primitives
(from 121279-01)
5004247 Sun's JVM would benefit from access to per-LWP schedctl fields
(from 123351-01)
6394554 integrate Solaris Trusted Extensions
5049028 Makefiles that hacked around libpool errors now need cleanup
6403267 address remaining issues raised during TX code reviews
6399963 get_zone_pool() isn't consistent with its return values
(from 122082-01)
6368763 Perl format string integer wrap vulnerability
(from 122536-01)
This revision accumulates S10U2 feature point patch 121295-01.
(from 121295-01)
6285539 E_NAME_USED_NOT_DEF2 lint error for ENGINE_load_builtin_engines
6287497 openssl cpp flags need to be adjusted for export builds
(from 124205-05)
6471359 zfs_fillpage() when faulting aligns on range size within file, getting wrong large page
(from 124205-04)
6479556 124205-03 is missing FMA dependency
(from 124205-03)
6420204 root filesystem's delete queue is not running
6433208 should not be able to offline/online a spare
6436514 zfs share on /var/mail needs to be run explicitly after system boots
6443585 zpool create of poolname > 250 and < 256 characters panics in debug printout
6448999 panic: used == ds->ds_phys->ds_unique_bytes
6449033 PIT nightly fails due to the fix for 6436514
6458781 random spurious ENOSPC failures
(from 124205-02)
6473749 patch 124205-01 has dependency on sparc KU instead of i386 KU
(from 124205-01)
6405966 Hot Spare support in ZFS
6276916 support for "clone swap"
6288488 du reports misleading size on RAID-Z
6366301 CREATE with owner_group attribute is not set correctly with NFSv4/ZFS
6373978 want to take lots of snapshots quickly ('zfs snapshot -r')
6385436 zfs set <property> returns an error but still sets property value
6393490 libzfs should be a real library
6397148 fbufs debug code should be removed from buf_hash_insert()
6401400 zfs(1) usage output is excessively long
4034947 anon_swap_adjust(), anon_resvmem() should call kmem_reap() if availrmem is low
6409228 typo in aclutils.h
6409302 passing a non-root vdev via zpool_create() panics system
6415739 assertion failed: !(zio->io_flags & 0x00040)
6416482 filebench oltp workload hangs in zfs
6416759 ::dbufs does not find bonus buffers anymore
6416794 zfs panics in dnode_reallocate during incremental zfs restore
6417978 double parity RAID-Z a.k.a. RAID6
6424554 full block re-writes need not read data in
6425111 detaching an offline device can result in import confusion
6425740 assertion failed: new_state != old_state
6430121 3-way deadlock involving tc_lock within zfs
6433264 crash when adding spare: nvlist_lookup_string(cnv, "path", &path) == 0
6433406 zfs_open() can leak memory on failure
6433408 namespace_reload() can leak memory on allocation failure
6433679 zpool_refresh_stats() has poor error semantics
6433680 changelist_gather() ignores libuutil errors
6433717 offline devices should not be marked persistently unavailable
6435779 6433679 broke zpool import
6436524 importing a bogus pool config can panic system
6436800 ztest failure: spa_vdev_attach() returns EBUSY instead of ENOTSUP
6439102 assertion failed: dmu_buf_refcount(dd->dd_dbuf) == 2 in dsl_dir_destroy_check()
6439370 assertion failures possible in dsl_dataset_destroy_sync()
6440499 zil should avoid txg_wait_synced() and use dmu_sync() to issue parallel IOs when fsyncing
6447377 ZFS prefetch is inconsistent
6436526 delete_queue thread reporting drained when it may not be true
6446569 deferred list is hooked on flintstone vitamins
6447452 re-creating zfs files can lead to failure to unmount
6444346 zfs promote fails in zone
6448371 'zfs promote' of a volume clone fails with EBUSY
6450292 unmount original file system, 'zfs promote' causes system panic
6451124 assertion failed: rc->rc_count >= number
6451412 renaming snapshot with 'mv' makes unmounting snapshot impossible
6447381 dnode_free_range() does not handle non-power-of-two blocksizes correctly
6451860 'zfs rename' a filesystem|clone to its direct child will cause internal error
6452372 assertion failed: dnp->dn_nlevels == 1
6452420 zfs_get_data() of page data panics when blocksize is less than pagesize
6452923 really out of space panic even though ms_map.sm_space > 0
6453304 integration for CR 6405966 breaks build
(from 121007-02)
6471429 clients using SET_CHANGE do not log the change to kadmin.log
6474547 after setting SET_CHANGE kpasswd returns false positives
(from 121007-01)
6265737 decrypt integrity failure with kpasswd and AD
6227969 smf(5) introduces race condition between connection tear down and port bind on kadmin svc restart
6278018 setting kpasswd_protocol affects more than change password
6215066 kadm apps can not bind to kadmind if admin_server specifies port #
(from 124281-01)
6211662 kpropd can core if it receives an update created by kadmin's -keepold argument
(from 125429-02)
6496178 krb5 mech resends AS-REQ to the same KDC (master) after user enters a bad password
(from 125429-01)
6353492 regression of 4786126: Kerberos Delegation Credentials not working
(from 125796-01)
6395124 pam_krb5 tries to validate twice when given a bad password
6430941 pam_krb5 pam_sm_setcred can cause /tmp/krb5cc_<PAM_USER> to be owned by euid rather than PAM_USER
6478028 pam_krb5's password management should not be prompting for old or for new passwords
6499804 pam_krb5 account management should not return success if user is not defined in kerberos realm
6527403 pam_krb5 acct mgmt does not respect the account authority in certain configurations
Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:
example# patchadd /var/spool/patch/104945-02
The following example removes a patch from a standalone system:
example# patchrm 104945-02
For additional examples please see the appropriate man pages.
Special Install Instructions:
NOTE 1: If you're planning to set up Zones on this system, please make
sure to install the following patch which fixes bugid 6216195
(zone installation confused by UPDATE=yes in pkginfo(4) file):
119016-01 (or greater) Install and Patch Utilities Patch
(Note that 119255 has superseded 119016; installing the
current version is recommended, due to its
central role in the installation and removal of patches.)
NOTE 2: To get the complete fix for 4909247 (Solaris 8 Client has broken
.rhosts authentication with patch 108993-21), the LDAP server must
be Sun Java System Directory server 5.2 patch 4 or newer, and
pam_ldap(5) must be used for account management. Then, in cases
where there is no user authentication token (PAM_AUTHTOK) available,
the pam_sm_acct_mgmt(3PAM) function from pam_ldap(5) tries to
retrieve the user's account status without authenticating to the
LDAP server as the user logging in.
NOTE 3: To get the complete Solaris Trusted Extensions functionality
support, please also install the following patches:
120846-02 (or greater) auditd patch
122663-06 (or greater) libzonecfg patch
122659-06 (or greater) zonecfg patch
122661-03 (or greater) zoneadm patch
123913-01 (or greater) ppriv patch
NOTE 4: To get the complete fix for BugID 4954703 (userland atomic.h port
should include cas primitives), please also install the following
patch:
118885-01 (or greater) atomic.h patch
NOTE 5: Due to BugId 7151425 (can not start Apache2 by SMF due
to "enable_extended_FILE_stdio(3C): Bad file number"),
please ensure the following patch is also installed:
125101-04 (or greater) Kernel Update patch
README -- Last modified date: Saturday, November 10, 2012