OBSOLETE Patch-ID# 127888-11
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security nat ipf leak ipfstat ipfilter
Synopsis: Obsoleted by: 137137-09 SunOS 5.10: ipf patch
Date: Nov/06/2008
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Solaris Release: 10
SunOS Release: 5.10
Unbundled Product:
Unbundled Release:
Xref: This patch available for x86 as patch 127889
Topic: SunOS 5.10: ipf patch
Relevant Architectures: sparc
Bugs fixed with this patch:
Changes incorporated in this version: 6726575 6730614
Patches accumulated and obsoleted by this patch: 127886-06 128408-01 128493-01
Patches which conflict with this patch:
Patches required with this patch: 118833-36 120011-14 125503-02 (or greater)
Obsoleted by: 137137-09
Files included with this patch:
/usr/include/netinet/ip_fil.h
/usr/include/netinet/ip_nat.h
/usr/include/netinet/ip_state.h
/usr/include/netinet/ipf_stack.h
/usr/kernel/drv/sparcv9/ipf
/usr/lib/ipf/sparcv9/ipftest
/usr/sbin/sparcv9/ipf
/usr/sbin/sparcv9/ipfs
/usr/sbin/sparcv9/ipfstat
/usr/sbin/sparcv9/ipmon
/usr/sbin/sparcv9/ipnat
/usr/sbin/sparcv9/ippool
/var/svc/manifest/network/ipfilter.xml
Problem Description:
6726575 IPfilter needs to be able to do randomised port mapping
6730614 random port numbers are in the wrong range of numbers
(from 127888-10)
6622346 ipftuneable_alloc doesn't set fr_defnatipage or ipf_loopback
(from 127888-09)
6505685 problems with applying "to" rule in IP Filter
6562635 TCP options are not processed correctly
6562648 IPF may drop connection which chooses to scale window
6562721 IPF should also check SACK when doing stateful inspection
6595876 state timer should be reset when retransmission is seen
6599779 two state entries might be created for single TCP connection
6651775 ipf does not handle half estab. connections well (connection hangs with connection match result 4/0)
(from 127888-08)
6528779 mdb findleaks reports memory leak in IPfilter
6544673 dynamic network interfaces don't work with IP Filter
6565376 NULL pointer panic in fr_authexpire
6606816 ipf_expiretokens is not called to free up tokens
6629154 IPF NAT checksum evergreen - TCP hdr checksum is broken on ce NICs
6641267 race condition nat_flushtable() and fr_check()
6651114 fragment table size ignored, hardwired limit is used instead
6658611 IPfilter/panic rw_enter: bad rwlock
6675192 fr_timeoutstate stumbles over freed timeout (causing system panic) if state has age information
6685076 ippool and other IPF utilities have possible race condition
6685092 IPfilter list processing function(s) have unsafe edge case(s)
(from 127888-07)
6500393 IPfilter should detect connection mix-ups as result of redirection
6505444 ipnat doesn't accept multiple rdr rules with same "ipmask dport -> ip" and different rdrports
(from 127888-06)
This patch revision accumulates generic patch 127886-06
into Solaris Update S10U5 release.
(from 127888-05)
This patch revision accumulates generic patch 127886-05
into Solaris Update S10U5 release.
(from 127888-04)
This patch revision accumulates generic patch 127886-04
into Solaris Update S10U5 release.
(from 127888-03)
This patch revision accumulates generic patch 127886-03
into Solaris Update S10U5 release.
(from 127888-02)
This patch revision accumulates generic patch 127886-02
into Solaris Update S10U5 release.
(from 127888-01)
This patch revision accumulates generic patch 127886-01
into Solaris Update S10U5 release.
(from 127886-06)
6653172 "ifconfig plumb" interferes with IP filter rules
(from 127886-05)
6603271 ipnat -l demonstrates inconsistent behavior and can cause system to hang or panic
(from 127886-04)
6531894 IPF blocks TCP SYN packets for connections in TIME_WAIT state -> some clients can't reconnect
6575084 IPfilter's disguise with self-NAT: the return packets are dropped
(from 127886-03)
6599516 locking in fr_natderef causes lock contention and performance drop
(from 127886-02)
6354418 ??? entries hang around for long time
6552365 setting IPfilter state timeout values is not possible
(from 127886-01)
6528018 for SIOCSTPUT, can grab ipf_nat lock even if specified not to
6528419 IPfilter with nat can leak memory
6528552 IPfilter SIOCSTPUT doesn't initialize filter rule state properly
6532393 IPfilter NAT rules with bad proxy labels will get loaded anyway
6564748 fragments can be mishandled by IPfilter when using a custom NAT proxy
(from 128408-01)
This patch revision accumulates generic patch 128493-01
into Solaris Update S10U5 release.
(from 128493-01)
6231883 IPfilter service lacks refresh method
6561278 'q' to quit ipfstat -t causes underlying bash, tcsh to terminate but not ksh
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd 127888-11
The following example removes a patch from a standalone system:
example# patchrm 127888-11
For additional examples please see the appropriate man pages. Any other
special or non-generic installation instructions should be described
below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Reboot the system after patch installation.
NOTE 2: Before installing this patch, please be sure to install
        the latest patch utilities patches for your OS. This list
        of patches is defined at http://sunsolve.sun.com
        Please use the pull-down list which appears after the text:
        "Latest Patch Update: To ensure the correct functioning of
        the patching utilities on your system, stay up to date on
        the following patches"
README -- Last modified date: Saturday, November 10, 2012