OBSOLETE Patch-ID# 120469-07



Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security heap corruption kdc buffer overflow krb5_recvauth
Synopsis: Obsoleted by: 120473-09 SunOS 5.10: kerberos patch
Date: Apr/10/2007


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for X86 as patch 120470

Topic: SunOS 5.10: kerberos patch

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #   Bug #
6203833    15239369
6208638    15241138
6247126    15256946
6261685    15262375
6284864    15271398
6320871    15285928
6353492    15299046
6496178    15362548


Changes incorporated in this version: 6496178

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 120473-09

Files included with this patch:

/usr/lib/gss/mech_krb5.so.1
/usr/lib/krb5/krb5kdc
/usr/lib/sparcv9/gss/mech_krb5.so.1

Problem Description:

6496178 krb5 mech resends AS-REQ to the same KDC (master) after user enters a bad password
 
(from 120469-06)
 
6353492 Regression of 4786126: Kerberos Delegation Credentials not working on S10 and Nevada
 
(from 120469-05)
 
6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required
 
(from 120469-04)
 
6247126 krb5_verify_init_creds returns ERR if def keytab is missing, even though
        verify_ap_req_nofail=false
 
(from 120469-03)
 
6203833 GSSAPI needs method to acquire initial creds with a password
6208638 krb5_gss_release_cred() can leak
 
(from 120469-02)
 
6284864 krb5_recvauth() may free memory twice under certain conditions
 
(from 120469-01)
 
6261685 Security: buffer overflow, heap corruption in KDC


Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
 
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.


Special Install Instructions:
----------------------------
 
NOTE 1:  Install the patch at single user mode.  Reboot system after
	 patch installation is complete.
 
NOTE 2:  If you're planning to set up Zones on this system, please make
         sure to install the following patch which fixes bugid 6216195
         (zone installation confused by UPDATE=yes in pkginfo(4) file.)
 
         119254-06 (or greater)  Install and Patch Utilities Patch
 
NOTE 3:  To get the complete fix of bug 6203833 "GSSAPI needs method to
	 acquire initial creds with a password" please install the following
	 patch:
 
         121239-01 (or greater)  libgss patch


README -- Last modified date: Saturday, November 10, 2012