OBSOLETE Patch-ID# 138372-06
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security aes interoperability pam_krb5.so.1
Synopsis: Obsoleted by: 140130-06 SunOS 5.10_x86: mech_krb5.so.1 patch
Date: Mar/24/2009
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 138371
Topic: SunOS 5.10_x86: mech_krb5.so.1 patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6799884
Patches accumulated and obsoleted by this patch: 138292-01 139479-01
Patches which conflict with this patch:
Patches required with this patch: 118855-36 120012-14 127128-11 137138-09 (or greater)
Obsoleted by: 140130-06
Files included with this patch:
/kernel/misc/kgss/amd64/kmech_krb5
/kernel/misc/kgss/kmech_krb5
/lib/amd64/libpam.so.1
/lib/libpam.so.1
/lib/svc/method/svc-kdc
/lib/svc/method/svc-kdc.master (deleted)
/usr/include/kerberosv5/krb5.h
/usr/lib/amd64/gss/mech_krb5.so.1
/usr/lib/gss/mech_krb5.so.1
/usr/lib/krb5/amd64/libkadm5clnt.so.1
/usr/lib/krb5/db2.so.1
/usr/lib/krb5/kadmind
/usr/lib/krb5/kldap.so.1
/usr/lib/krb5/kpropd
/usr/lib/krb5/krb5kdc
/usr/lib/krb5/libdb2.so.1
/usr/lib/krb5/libkadm5clnt.so.1
/usr/lib/krb5/libkadm5srv.so.1
/usr/lib/krb5/libkdb.so.1
/usr/lib/krb5/libkdb_ldap.so.1
/usr/lib/security/amd64/pam_krb5.so.1
/usr/lib/security/amd64/pam_krb5_migrate.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so.1
/usr/sbin/kadmin
/usr/sbin/kadmin.local
/usr/sbin/kdb5_ldap_util
/usr/sbin/kdb5_util
/var/svc/manifest/network/security/kadmin.xml
Problem Description:
6799884 pam_krb5 could allow authentication to an attacker's KDC
(from 138372-05)
6746597 kpropd full resync window does not time out
(from 138372-04)
6756312 krb5int_pbkdf2_hmac_sha1() should not call C_DestroyObject() after C_GenerateKey() fails
6756928 kerberos incorrectly displays the error message "krb5 conf file not configured"
(from 138372-03)
6543610 possible memory leak in krb5_acct_mgmt
6607659 despite calling pam_end, pam_krb5 module data not being freed
6736781 memory leak in mech_krb5.so.1 when obtaining FQHN for comparison to host principal
6754169 memory leak in __pam_display_msg() where pam_response structure is not freed
(from 138372-02)
6245750 kadmin "Bad encryption type" error should state the enctype
6604635 kdb ldap integration removed rev/recurse kdb5_util dumps
6612490 kdb5_util should not coredump if krb5.conf is misconfigured
6621129 generic_gss_release_oid() should check for oid == NULL before dereferencing
6621239 adb_policy_init makes the wrong assertion
6641415 kadmind cores when using ldap backend and "sunw_dbprop_enable" is set to true
6647708 cannot create des keys with afs3 salt
6658621 configuration checks for kerberos daemons should be done by daemons themselves
6658624 missing error strings for new kerberos DB error types
6658627 kpropd should use its executable name, not the full path when logging error messages
6658631 error messages in kerberos daemons need cleanup
6664832 various memleaks in krb libs
(from 138372-01)
This revision accumulates generic Sustaining patch 138292-01
into Solaris S10U6 update.
(from 138292-01)
6548599 AES encrypt function in kmech_krb5 broken for 16-byte input, causes NFSsec interop problems
(from 139479-01)
6200894 pam_krb5 shouldn't use setreuid and friends -- that's not MT-safe
6455225 pam_krb5 should overwrite ccache with new credentials when handling pam_setcred (PAM_REFRESH_CRED)
6531864 ktkt_warnd not warning after login
6607813 pam_krb5 setcred coredumps on successful refresh if auth was not previously called
6691206 pam_krb5's store_cred should always store new credentials if previous auth pass successful
6724557 potential for a memory leak in krb5_setcred's krb5_renew_tgt routine
6724959 pam_modules/krb5/utils.h`set_active_user() declaration is adrift
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Before installing this patch, please be sure to install the latest
patch utilities patches for your OS. This list of patches is defined
at http://sunsolve.sun.com
Please use the pull down list which appears after the text:
"Latest Patch Update: To ensure the correct functioning of the
patching utilities on your system, stay up to date on the
following patches"
NOTE 2: Care must be taken when applying this patch to avoid generating an
interoperability issue with un-patched Solaris systems. Please see
SunAlert 239145 for specific information on how to determine if you
are likely to run into interoperability issues, and if so, how to
mitigate these issues.
README -- Last modified date: Saturday, November 10, 2012