OBSOLETE Patch-ID# 127753-02
Download this patch from My Oracle Support
|
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
|
|
For further information on patching best practices and resources, please
see the following links:
|
|
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
Keywords: n2cp ipsec panic security
Synopsis: Obsoleted by: 127111-05 SunOS 5.10: n2cp & SUNWcry patch
Date: Oct/25/2007
******************************************************************
The items made available through this website are subject to
United States export laws and may be subject to export and
import laws of other countries. You agree to strictly comply
with all such laws and obtain licenses to export, re-export,
or import as may be required.
Unless expressly authorized by the United States Government
to do so you will not, directly or indirectly, export or
re-export the items made available through this website, nor
direct the items therefrom, to any embargoed or restricted
country identified in the United States export laws, including
but not limited to the Export Administration Regulations
(15 C.F.R. Parts 730-774).
IMPORT INFORMATION: This software contains encryption features
with symmetric key lengths greater than 128-bit, that may be
restricted for import into some countries.
******************************************************************
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
Unbundled Product:
Unbundled Release:
Xref:
Topic: SunOS 5.10: n2cp & SUNWcry patch
*********************************************************************
NOTE: This patch may contain one or more OEM-specific platform ports.
See the appropriate OEM_NOTES file within the patch for
information specific to these platforms.
DO NOT INSTALL this patch on an OEM system if a corresponding
OEM_NOTES file is not present (or is present, but instructs not
to install the patch), unless the OEM vendor directs otherwise.
*********************************************************************
Relevant Architectures: sparc sparc.sun4u sparc.sun4v
Bugs fixed with this patch:
Changes incorporated in this version: 6452822 6473274 6494834 6534615 6542759 6578997 6564800 6564804 6564806
Patches accumulated and obsoleted by this patch: 118562-14 121290-03 123564-01 125196-05 127745-01
Patches which conflict with this patch:
Patches required with this patch: 118833-36 118918-24 120011-14 (or greater)
Obsoleted by: 127111-05
Files included with this patch:
/kernel/crypto/sparcv9/aes256
/kernel/crypto/sparcv9/arcfour
/kernel/crypto/sparcv9/arcfour2048
/kernel/crypto/sparcv9/blowfish448
/kernel/crypto/sparcv9/sha2
/kernel/drv/sparcv9/crypto
/kernel/drv/sparcv9/kssl
/kernel/kmdb/sparcv9/crypto
/kernel/misc/sparcv9/kcf
/kernel/misc/sparcv9/sha2
/platform/SUNW,A70/kernel/crypto/sparcv9/aes256
/platform/SUNW,SPARC-Enterprise/kernel/crypto/sparcv9/aes256
/platform/SUNW,Sun-Fire-V215/kernel/crypto/sparcv9/aes256
/platform/SUNW,Sun-Fire-V445/kernel/crypto/sparcv9/aes256
/platform/sun4u-us3/kernel/crypto/sparcv9/aes256
/platform/sun4u/kernel/crypto/sparcv9/arcfour
/platform/sun4u/kernel/crypto/sparcv9/arcfour2048
/platform/sun4v/kernel/crypto/sparcv9/arcfour
/platform/sun4v/kernel/crypto/sparcv9/arcfour2048
/platform/sun4v/kernel/drv/sparcv9/n2cp
/usr/lib/libelfsign.so.1
/usr/lib/mdb/kvm/sparcv9/crypto.so
/usr/lib/security/pkcs11_kernel.so.1
/usr/lib/security/pkcs11_softtoken.so.1
/usr/lib/security/pkcs11_softtoken_extra.so.1
/usr/lib/security/sparcv9/pkcs11_kernel.so.1
/usr/lib/security/sparcv9/pkcs11_softtoken.so.1
/usr/lib/security/sparcv9/pkcs11_softtoken_extra.so.1
/usr/sfw/lib/libcrypto_extra.so.0.9.7
/usr/sfw/lib/libssl_extra.so.0.9.7
/usr/sfw/lib/sparcv9/libcrypto_extra.so.0.9.7
/usr/sfw/lib/sparcv9/libssl_extra.so.0.9.7
Problem Description:
6452822 C_GenerateKeyPair failed to support CKM_RSA_PKCS_KEY_PAIR_GEN mechanism in dprov mode
6473274 pkcs11_kernel should support multipart ops even for hardware that has only single part
6494834 support check for threshold when using hardware providers even for multi-part requests
6534615 for extra credit, dprov could make HMAC mechanisms work for PKCS #11 clients
6542759 HMAC mechanisms broken in sha2 kernel module
6578997 KSSL should use hardware acceleration for ssl3 macs when available
6564800 n2cp needs to force in-order wakeup
6564804 n2cp should take advantage of hardware's inplace capabilities
6564806 n2cp should load balance across cwq's when under heavy load
(from 127753-01)
6590132 system panics (n2cp alignment error) in IPsec test
(from 125196-05)
6458639 kernel aes always advertises CRYPTO_UNLIMITED
(from 125196-04)
6466370 security vulnerabilities in OpenSSL may lead to DoS or code execution
(CVE-2006-3738,CVE-2006-4343)
6467218 fix RSA signature forgery (CVE-2006-4339)
6476279 multiple vulnerabilities in OpenSSL (CVE-2006-2937, CVE-2006-2940)
6476772 update OpenSSL version string with information about security patches included
6483054 OpenSSL lacks Thread Support
(from 125196-03)
6188861 provide libmd - message digest library
(from 125196-02)
6286167 SSLException thrown when using Solaris PKCS provider
(from 125196-01)
6242993 crypto operations on zero byte input data should set output len correctly
6292874 memory leak in asn1_to_*_pri()
6464106 contexts and key schedules might not be cleared all the time
(from 121290-03)
6372133 Seattle/Boston platform NUMA/MPO support non-functional
6373525 Boston platmod does not return correct cpu unum in plat_get_cpu_unum
6358078 Boston/Seattle property usage incorrect for power/pmugpio/mi2cv
6372587 pkcs11_softtoken should use getpwuid_r(3C) to avoid overwriting thread-specific data
6372169 blowfish can read past mblk and panic in cbc mode
6368332 libpkcs11 should report that it is v2.20 not v2.11
(from 121290-02)
4721729 Support AES Counter mode for encryption
(from 121290-01)
6331488 OID with NO parameter for RSA sigs using SHA-1 missing from softtoken
(from 123564-01)
6449294 OPL aes256 should be delivered in separate FPP
(from 118562-14)
6458639 kernel aes always advertises CRYPTO_UNLIMITED
(from 118562-13)
6466370 Security vulnerabilities in OpenSSL may lead to DoS or code execution
(CVE-2006-3738,CVE-2006-4343)
6467218 fix RSA signature forgery (CVE-2006-4339)
6476279 multiple vulnerabilities in OpenSSL (CVE-2006-2937, CVE-2006-2940)
6476772 update OpenSSL version string with information about security patches included
6483054 OpenSSL lacks Thread Support
(from 118562-12)
6286167 SSLException thrown when using Solaris PKCS provider
(from 118562-11)
6271754 pkcs11_softtoken too aggresive in looking for token data files
(from 118562-10)
This revision accumulates/obsoletes Solaris Update S10U3
feature point patch 123564-01
6379529 Solaris for OPL Project
6427002 Connect(cfgadm) fails after hotplug into empty slots 2,3 and 4.
6427559 Oberon hotplug requires updates from Oberon Spec v1.01
6449294 OPL aes256 should be delivered in separate FPP
(from 118562-09)
This patch revision accumulates/obsoletes Solaris Update S10U2
feature point patch 121290-03.
6331488 OID with NO parameter for RSA sigs using SHA-1 missing from softtoken
6372133 Seattle/Boston platform NUMA/MPO support non-functional
6373525 Boston platmod does not return correct cpu unum in plat_get_cpu_unum
6358078 Boston/Seattle property usage incorrect for power/pmugpio/mi2cv
6372587 pkcs11_softtoken should use getpwuid_r(3C) to avoid overwriting thread-specific data
6372169 blowfish can read past mblk and panic in cbc mode
6368332 libpkcs11 should report that it is v2.20 not v2.11
(from 118562-08)
6276483 libpkcs11 pthread_atfork() code can cause child process to hang
6345493 fork(2) handling fixes from 6276483 needs further work in pkcs11_softtoken
(from 118562-07)
5039273 failure in crypto_verify() when using a bignum with value 0 for CKM_RSA_X_509
5062050 kernel bignum (thus rsa) should use the sparc optimized version
6264344 remove gratuitous bzero() calls from SHA1Final() and MD5Final()
6278572 %asi registers based MD5 implementation for Niagara in Solaris
6278578 reduce store stalls by in-register coalescing for a faster RC4 on Niagara
6286372 kernel SHA1Update uses global variable making it non-reentrant
4925453 further optimization can be done for RC4 on SPARC
(from 118562-06)
6249979 sha1 slow on Niagara
(from 118562-05)
6256312 ON support for Chicago platform
6226862 Ontario and Chicago systems panic (mpt) during sunvts bringup
6245378 mpt needs to create property for SATA disks to enable sd in creating pm-components
6230146 sd should export pm-components property for sata drives
6253744 mpt: assertion failed: Tgt(cmd) != target
5067964 bge assertion failed: srp->tx_flow == 0
6262344 Metaslot crashes in call to C_UnwrapKey during generation
6252894 BER routines in LDAP library don't work for 64 bit
(from 118562-04)
6222467 system calls from C_Initialize() get interrupted
6195428 "Slot Info is NULL for vca0" error when running SUNvts vcatest on E15K
6211857 driver panics when kcf_free_context() is called
(from 118562-03)
This patch revision fixes the hard dependency requirement from
118918-03 to 118918-05.
(from 118562-02)
4926742 CKM_DH_PKCS_DERIVE fails if derived secret is shorter than prime
6215816 C_FindObjectsInit fails when token isn't present
6220814 C_DigestKey failure causes C_DestroyObject being hung
(from 118562-01)
4691624 libpkcs11: uCF meta slot management
6199119 pk11object test program core dump with metaslot+pkcs11_kernel+Deimos configured
6215509 fix for 4691624 introduced a lock violation
(from 127745-01)
6568352 IPsec performance does not scale using hardware crypto providers
6594889 Hardware provider flow control broken by CR 6568352
Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:
example# patchadd /var/spool/patch/104945-02
The following example removes a patch from a standalone system:
example# patchrm 104945-02
For additional examples please see the appropriate man pages.
Special Install Instructions:
-----------------------------
NOTE 1: Before installing this patch, please be sure to install the
latest patch utilities patches for your OS. This list of patches
is defined at - http://sunsolve.sun.com
Please use the pull down list which appears after the text:
"Latest Patch Update: To ensure the correct functioning of the
patching utilities on your system, stay up to date on the
following patches"
NOTE 2: Reboot system after patch installation is complete.
NOTE 3: This patch only applies to systems with the Solaris Data
Encryption Kit (SUNWcry/SUNWcryr) packages installed.
NOTE 4: To get the complete fix for bugid 4926742 (CKM_DH_PKCS_DERIVE fails
if derived secret is shorter than prime), please also install the
following patch:
118918-06 (or greater) Solaris Crypto Framework patch
NOTE 5: To get the complete fix for bugids:
6256312 ON support for Chicago platform
6226862 Ontario and Chicago systems panic (mpt) during sunvts bringup
6245378 mpt needs to create property for SATA disks to enable sd in
creating pm-components
6230146 sd should export pm-components property for sata drives
6253744 mpt: assertion failed: Tgt(cmd) != target
5067964 bge assertion failed: srp->tx_flow == 0
please also install the following patches:
118822-15 (or greater) kernel patch
119374-04 (or greater) sd and ssd patch
119850-04 (or greater) mpt patch
120197-02 (or greater) uata patch
120304-02 (or greater) bge patch
119981-01 (or greater) libc_psr patch
NOTE 6: To obtain the complete support for algorithm optimization
for crypto and kernel modules for restricted and non-restricted key
lengths version please install the following patches:
118918-11 (or greater) Solaris Crypto Framework patch
NOTE 7: To get the complete fix for bugids 6276483 (libpkcs11 pthread_atfork()
code can cause child process to hang) and 6345493 (fork(2) handling
fixes from 6276483 needs further work in pkcs11_softtoken), please
also install the following patch:
118918-12 (or greater) Solaris Crypto Framework patch
NOTE 8: To get the complete Crypto Accelerator 6000 (ie, MARS) RFE, please
also install the following patch:
118833-04 (or greater) kernel patch
NOTE 9: To get the complete support for SPARC(R) Enterprise Mx000 servers,
(ie, OPL) please also install the following patches:
118833-25 (or greater) Kernel Patch
123839-01 (or greater) FMA Patch
123914-01 (or greater) Header Files Patch
NOTE 10: To get the complete fix for BugID 6286167 (SSLException thrown when
using Solaris PKCS provider) on sun4v platform, please also install
the following patch:
125432-01 (or greater) ncp Patch
README -- Last modified date: Saturday, November 10, 2012