OBSOLETE Patch-ID# 138061-04


Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security ssh sshd kerberos libpam
Synopsis: Obsoleted by: 137138-09 SunOS 5.10_x86: libldap patch
Date: Sep/05/2008


Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 138060

Topic: SunOS 5.10_x86: libldap patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR # Bug #
495086515184445
509625015225817
509629915225836
620320615239122
621641015243952
622178315246175
622380815247075
623013115249725
623374115251204
631957815285387
638207615311228
643208315333058
646012815345613
647333315351739
649568315362308
650479815367145
650908915369477
651661215373983
652706415379925
652889915380991
653951615386877
655296615394203
656982415403863
658318915411289
661766315431278
664950015450026
665398615452694
666260315457621
667455315464539
668400315470145
670482315481793


Changes incorporated in this version: 6704823

Patches accumulated and obsoleted by this patch: 126134-04 127715-03 138067-01

Patches which conflict with this patch:

Patches required with this patch: 120012-14 127128-11 (or greater)

Obsoleted by: 137138-09

Files included with this patch:

/lib/amd64/libpam.so.1
/lib/libpam.so.1
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-keyscan
/usr/include/security/pam_appl.h
/usr/lib/amd64/libldap.so.5
/usr/lib/amd64/libsldap.so.1
/usr/lib/amd64/nss_ldap.so.1
/usr/lib/amd64/passwdutil.so.1
/usr/lib/ldap/ldap_cachemgr
/usr/lib/libldap.so.5
/usr/lib/libprint.so.2
/usr/lib/libsldap.so.1
/usr/lib/nss_ldap.so.1
/usr/lib/passwdutil.so.1
/usr/lib/security/amd64/pam_authtok_check.so.1
/usr/lib/security/amd64/pam_dhkeys.so.1
/usr/lib/security/amd64/pam_ldap.so.1
/usr/lib/security/amd64/pam_passwd_auth.so.1
/usr/lib/security/amd64/pam_roles.so.1
/usr/lib/security/amd64/pam_unix_account.so.1
/usr/lib/security/amd64/pam_unix_auth.so.1
/usr/lib/security/amd64/pam_unix_cred.so.1
/usr/lib/security/pam_authtok_check.so.1
/usr/lib/security/pam_dhkeys.so.1
/usr/lib/security/pam_ldap.so.1
/usr/lib/security/pam_passwd_auth.so.1
/usr/lib/security/pam_roles.so.1
/usr/lib/security/pam_unix_account.so.1
/usr/lib/security/pam_unix_auth.so.1
/usr/lib/security/pam_unix_cred.so.1
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-http-proxy-connect
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/ssh-socks5-proxy-connect
/usr/lib/ssh/sshd

Problem Description:

6704823 Bugfix 6684003 prevents ssh from X forwarding on IPv4-only system
 
(from 138061-03)
 
6216410 pam unix modules use inconsistent criteria to determine supported repositories
6223808 passwdutil (name_to_int) returns bogus result instead of REP_ERANGE for unknown repositories
6233741 passwdutil(nis) doesn't properly initialize account expiry attributes
 
(from 138061-02)
 
6674553 getpwuid slow with bugfix CR6540209 - native LDAP client config wth compat and use of netgroups
 
(from 138061-01)
 
6495683 LDAP client files & cred files are deleted when /var is full
6528899 misleading native LDAP client error message during reusing closed connection
6539516 applications compiled with -lldap on Solaris 8 core dump on Solaris 9 or later releases
6617663 for non-nscd processes, libsldap should not automatically keep connections open
6649500 fix for CR 6617663 incomplete
6653986 libsldap not able to detect nscd in Native LDAP peruser mode
6662603 libsldap can leak file descriptor 0
 
(from 126134-04)
 
4950865 pam_unix_cred audit code could be cleaner
5096250 pam_unix_account(5) should syslog locked accounts
5096299 application can mask libpam syslog output
6203206 sshd should set PAM_AUSER for host-based userauth for audited logins to roles
6221783 pam_start changes syslog logmask
6230131 pam_setcred needs to capture major/minor device ID for local terminals
6319578 pam_unix_cred.so.1 dumps core due to incorrect buffer length
6382076 gss comment in cmd/ssh/sshd/auth-pam.c is bogus
6473333 implement PSARC/2006/534 remote user audit attribution update
6516612 pam_roles module needs to know about PAM_AUSER
 
(from 126134-03)
 
6504798 ssh fails for users when ngroups_max=32
6684003 fix CVE-2008-1483 in SunSSH
 
(from 126134-02)
 
        This revision accumulates generic Sustaining patch 127715-03
        into Solaris S10U5 Update.
 
(from 126134-01)
 
        This revision accumulates generic Sustaining patch 127715-02
        into Solaris S10U5 Update.
 
(from 127715-03)
 
6527064 sshd uses LC_CTIME instead of LC_TIME
6552966 ssh should issue warning message for expired passwords again
 
(from 127715-02)
 
6460128 sshd changes locale from ISO8859-1 to UTF-8
 
(from 127715-01)
 
6432083 sshd dumps core if /usr/bin/locale missing or gives empty output
6509089 sshd not logging kerberos principals with syslog
 
(from 138067-01)
 
6569824 password reset loops for password changes when owner not allowed to change password aging policy
6583189 pam_get_user(3PAM) can leak memory


Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
 
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Before installing this patch, please be sure to install the
         latest patch utilities patches for your OS. This list of
         patches is defined at - http://sunsolve.sun.com
 
         Please use the pull down list which appears after the text:
         "Latest Patch Update: To ensure the correct functioning of
         the patching utilities on your system, stay up to date on
         the following patches"
 
NOTE 2:  If the patch is being applied to a live system, please stop
         and start SunSSH daemon by doing the following:
 
         # svcadm disable ssh
         # svcadm enable ssh
 
         This way the changes to the SunSSH daemon delivered by this
         patch will take effect immediately. Already established
         connections will not be affected during the restart.


README -- Last modified date: Saturday, November 10, 2012