Patch-ID# 139548-07
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: sun ray update patch security
Synopsis: Sun Ray Core Services version 4.1 Patch Update
Date: Sep/16/2010
Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
Unbundled Product: Sun Ray Core Services
Unbundled Release: 4.1
Xref: This patch available for 5.10_x86 as 139549-07 and for Linux as 139550-07
Topic:
Relevant Architectures: sparc
Bugs fixed with this patch:
Changes incorporated in this version: 6913406 6971894 6973466 6976865
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch:
/etc/opt/SUNWut/hdlogin.start
/etc/opt/SUNWut/loginGUI.start
/etc/opt/SUNWut/noentry.start
/etc/opt/SUNWut/smartcard/GD-STARCOS.cfg
/etc/opt/SUNWut/smartcard/OpenPlatform.cfg
/opt/SUNWut/bin/utselect
/opt/SUNWut/lib/Xnewt
/opt/SUNWut/lib/admin.jar
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP10
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/firmware/CoronaP8
/opt/SUNWut/lib/firmware/CoronaP9
/opt/SUNWut/lib/firmware_gui/CoronaP1
/opt/SUNWut/lib/firmware_gui/CoronaP10
/opt/SUNWut/lib/firmware_gui/CoronaP2
/opt/SUNWut/lib/firmware_gui/CoronaP3
/opt/SUNWut/lib/firmware_gui/CoronaP4
/opt/SUNWut/lib/firmware_gui/CoronaP5
/opt/SUNWut/lib/firmware_gui/CoronaP6
/opt/SUNWut/lib/firmware_gui/CoronaP7
/opt/SUNWut/lib/firmware_gui/CoronaP8
/opt/SUNWut/lib/firmware_gui/CoronaP9
/opt/SUNWut/lib/ifdh_scbus.so.1
/opt/SUNWut/lib/libsimpleRun.so
/opt/SUNWut/lib/libusbut.so.1
/opt/SUNWut/lib/libutadmin.so.1
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/libutjadmin.so
/opt/SUNWut/lib/loginGUI
/opt/SUNWut/lib/modules/Authxlation.jar
/opt/SUNWut/lib/pam_sunray.so.1
/opt/SUNWut/lib/pam_sunray_amgh.so.1
/opt/SUNWut/lib/protocol.jar
/opt/SUNWut/lib/prototype/Xreset.SUNWut.prototype
/opt/SUNWut/lib/sdk.jar
/opt/SUNWut/lib/settings.jar
/opt/SUNWut/lib/usb/ttykeyspan.so.1
/opt/SUNWut/lib/utaddfontpath
/opt/SUNWut/lib/utati
/opt/SUNWut/lib/utatilu
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utgenpam
/opt/SUNWut/lib/utkeyvet
/opt/SUNWut/lib/utpamcfg
/opt/SUNWut/lib/utparalleld
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/utstoraged
/opt/SUNWut/lib/xmgr/gdm/remove-dpy
/opt/SUNWut/sbin/utatiscrub
/opt/SUNWut/sbin/utuser
/opt/SUNWut/share/man/man1m/utatiscrub.1m
/opt/SUNWut/share/man/man1m/utfwadm.1m
/opt/SUNWut/share/man/man1m/utuser.1m
/opt/SUNWut/share/man/man3/ut_amgh_script_interface.3
/opt/SUNWut/share/man/man3/ut_ati_script_interface.3
/opt/SUNWutref/ati/utatiref_script
/usr/kernel/misc/sparcv9/utio
/usr/kernel/misc/utio
/usr/openwin/server/modules/ddxSUNWsunray.so.1
Problem Description:
6913406 Recorded audio is distorted on Sun Ray 3 Plus units
6971894 Regression in 4.2 patch -03 firmware prevents Code M2 Modems and Scanners from working correctly
6973466 Sun Ray 3 Plus DTU reboots unexpectedly while recording and playing audio clips
6976865 Integrate SR3i support
(from 139548-06)
6742304 utio causes kernel panic when destroying mutex
6777864 application can be blocked without good reason in read() call against Sun Ray serial device
6896659 User GUI application randomly displays some characters in Bold
6897156 Inbound audio from Sun Ray 2 (P8) units is distorted
6900212 RFE: option could be added in PUI for enabling/disabling the OSD flow(1->21->22->26->44)
6901836 SRSS 4.2 FCS, SR2 devices reboot during VPN authentication
6904684 Sun Ray VPN fails on the 2nd IKE rekey, and reboots
6904989 When a VPN gateway closes a connection, the Sun Ray sends the previously entered password repeatedly
6908144 VPN connection expiration can leave Sun Ray in state that requires power off
6910599 Sound setup of DTU changes to speaker and headphone on when playing music
6911654 Hangul and Hanja keys on Korean PC 105 keyboard are not recognized by Xnewt
6926114 MS Wireless Mouse no longer working with SRSS firmware 4.2_77_2009.10.19.17.01
6940958 Some late IPv6 changes were missed in 4.2
6945668 Login screen is off-center on pan&scan after smartcard eject
6945679 port memory corruption fix in libfb to Xnewt [CVE-2010-1166]
6948665 Adding IPv6 DNS servers to CONFIG_DNS_SERVERS configuration record is backward/forward incompatible.
6948678 keepAliveExpiry is being sent unexpectedly
6952119 DO NOT POWER OFF warning does not appear with DHCP6/DNS6
6952216 Add support for Macronix MX29LV640E flash for SR3+
6953216 Opnext 100-FX SFP TRF5326ANLB400 sometimes hangs during SR3+ boot
6955640 Fix Get response for G&D smartcafe cards in SR3
6958479 SRCS patches must deliver firmware images for Sun Ray 3 Plus (P9) and Sun Ray 3 (P10) units
(from 139548-05)
6951337 SRCS patches must deliver firmware images for Sun Ray 3 Plus units
(from 139548-04)
6780548 xrandr fails to switch resolution without explanation.
6811761 on SRSS 4.1 with Japanese language login, characters in lock window are garbled
6889535 loginGUI displays incorrect msg "Unable to authenticate - Internal PAM Error" when user is locked
6902328 memory problems in the Sun Ray Session Server
(from 139548-03)
6497875 Device nodes are not getting created for Edgeport/1
6688127 Printers connected directly to DTU's USB port stop working after a while
6744049 DM needs to be able to force use of "callme" protocol even when DTU is not behind a NAT gateway
6765081 pam_ldap error in xscreensaver account management when NSCM/RHA is in use
6794261 Multiple NSCM logins with different capitalisation
6803522 AMGH (to target FOGs running older SRSS) and Token Reader functionality in FOGs broken by bestip fix
6805880 Pen data transfer doesn't happen for the second time in same session
6808340 AMGH doesn't redirect DTUs away from servers in some circumstances
6809619 Add 1280x800 screen resolution support
6814576 Need server-side support for 1280x800@60d timing
6817401 Some fonts are not displaying correctly with Xnewt server
6818226 Xnewt's DTrace provider request-start needs to be updated
6824230 shift+props doesn't invoke utsettings GUI
6828831 poor initial loadbalancing when using kiosk mode
6830214 need to disable the source button on the Sun Ray 270
6838464 utauthd remote denial of service attack
6847290 Add GUI option to set videoindisable switch for Sun Ray 270
6849054 DHCP vendor option with invalid content length should be ignored
6852457 Client DSA private keys are not unique
6853222 logout immediately logs back in under certain circumstances on Solaris 10
6854647 Sun Ray keyboard becomes unresponsive while mouse events are OK
6856022 Sun Rays can come up at 10 Mbps if switch port is not up when Sun Ray boots
6856191 Retrieving data using Pc/ScLite 1.1 from Siemens CardOS4.01a smartcard fails with FW 4.1_139548
6860821 utfwadm man page needs to be updated with new videoindisable key
6874418 In a slow network a new socket connection fails frequently when polling for tcp connection
6887939 Update admin.version version number property on smartcard config files to track code changes
(from 139548-02)
6578775 Safesign app + PCSC Lite + JCOP-XX smart card + correct PIN = keypair/keyset not found error
6638939 "Choose host from list" option doesn't work for XDMCP sessions with Xnewt
6706607 utsession -k can cause 26 D icons
6715426 [lowbandwidth] Video appears as green when the bandwidth is lowered for chicken.mpg clip
6727792 utseriald denies access to device after server switch
6739397 Add callme device allocation back into Sun Ray smart card IFD handler.
6744675 chicken.mpg does not play after disconnecting/relaunching windows session with low MTU value
6745120 Sun Ray 2FS hangs at 26D (Xsun) or is black (Xnewt) when the resolution is set to 640x480
6773304 PIX gateways no longer work for VPN with Sun Ray because of ID type change
6775532 Xnewt dumping core due to a divide by zero error.
6778272 Enhance PCSC Support for French Health Smart Cards with Internal reader
6781604 AMGH fails on Sun Rays when server's Primary IP address is unreachable (sim. to CR#6747622)
6783751 Timings forced by 'utresadm' should be overridable by subsequent 'utresadm' invocations
6785797 Sun Ray firmware needs expanded network definition options
6786835 Need support for Siemens CardOS API 2.5 middleware added to PC/SC-Lite
6788938 4.1 utauthd has a crash and redirect issue.
6792954 XVideo XvPutImage parameters not working and some boundary conditions not working
6800187 utauthd in SRSS 4.0 on S10/TX appears to leave a number of defunct processes and open ports
6801398 Xsun fails to work with 8bit PseudoColor Visual enabled as default
6801496 OpenPlatform.cfg and JavaBadgeCAC smartcard config files need to support G&D JavaCard card
6805507 Xorg server uses bad locking algorithm which affects SRSS
6807885 Xnewt + XKB can erroneously autorepeat when key reports are dropped or delayed
6808910 Netscreen VPN connections don't come up if the gateway's version ID is not recognized.
6812067 Sun Ray VPN doesn't support AES 192 and 256 bit key sizes.
6813315 Slow repeat key after "utxconfig -k off" when using Xnewt
(from 139548-01)
6699511 Xsun hangs with OSD 26 on Sun Ray DTU with large time on poll() if under VMware and high speed net
6706040 Xnewt can send autorepeated keystrokes into a detached session
6709953 Sessions gets killed with ctrl+alt+backspace when XKB is enabled.
6730822 utauthd does not notice that sessions have been disconnected in certain circumstances
6747622 LAN-connected Sun Rays can't redirect to a server when its primary IP address is not reachable
6749640 Desire a way to use token data external to SRSS to control FOG session access
6754108 Xnewt utilizes 40% CPU for an existing server on switching to another server on Linux
6754138 utuser deprecated "-k" (and -xdisplay and -tokenid) options should be eliminated
6756504 Sun Ray doesn't know how to handle a request for 2 consecutive tokens from an ASA with RSA back end.
6758164 Left-handed mouse orientation functionality is not working as expected with Xnewt
6760323 Entering any prompting dialog causes locks to be reset
Detailed Installation Steps
---------------------------
1. Suppress firmware downloads
If the server being patched is not a member of a Sun Ray
failover group you should skip this step.
If the server being patched is a member of a Sun Ray failover
group then this step is optional but is strongly recommended.
At Patch Installation
---------------------
Before adding this patch to servers configured into a Sun
Ray failover group we advise that you disable Sun Ray
firmware delivery from all unpatched hosts in the failover
group. On each host in the group:
For config parameters (.parms) file:
$ /opt/SUNWut/sbin/utfwadm -D -a -V
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -n all
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -N all
Do this only one time, before adding this patch to any
server in the group.
The purpose of this step is to prevent unpatched servers
from offering old firmware to Sun Ray appliances.
At Patch Removal
----------------
Before removing this patch from servers configured into a
Sun Ray failover group we advise that you disable firmware
delivery from any hosts in the failover group that have
this patch installed. On each already-patched host in the
group:
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -n all
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -N all
For config parameters (.parms) file:
$ /opt/SUNWut/sbin/utfwadm -D -a -V
Do this only one time, before removing this patch from any
of the already-patched servers in the group.
The purpose of this step is to prevent already-patched
servers from offering new firmware to Sun Ray appliances.
If this patch is being removed from a Sun Ray failover group
then omitting this step may result in increased restart
times for your Sun Ray appliances. (A mixture of patched
and unpatched servers advertising conflicting firmware
versions may cause the appliance to download new firmware
each time it restarts. The appliance automatically
restarts itself after downloading fresh firmware so its
overall restart cycle is longer in that case. The
appliance may restart itself several times before
establishing or reconnecting to a session.) The Sun Ray
restart time will return to normal once the patch has been
removed from all servers in the failover group.
2. Stopping Sun Ray services and login sessions
Before the addition or removal of this patch to a Sun Ray server
all users should be logged out of their Sun Ray sessions.
Stop the Sun Ray services using the following commands:
$ /etc/init.d/utstorage stop
$ /etc/init.d/utsvc stop
These commands will terminate any Sun Ray sessions that were not
already logged out.
Next, use the instructions outlined below in the section
"Patch Installation Instructions" for the addition or removal
of this patch.
3. Rebooting the Sun Ray server
The Sun Ray server must be rebooted after the addition or removal
of the patch.
4. Enable firmware downloads
After the addition or removal of this patch on all Sun Ray
servers in a failover group, enable firmware downloads
using one of the following methods:
1) If all Sun Ray servers in the failover group provide default
(non GUI) firmware downloads run this command on one of the servers:
$ /opt/SUNWut/sbin/utfwsync
The Sun Ray DTUs will then reboot themselves and load
the new firmware.
2) If only some of the Sun Ray servers in the failover group provide
firmware downloads to the DTUs, run the following command
on the servers that do provide firmware:
For default (non GUI) firmware:
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -n all
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -N all
For GUI firmware:
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -n all -f \
/opt/SUNWut/lib/firmware_gui
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -N all -f \
/opt/SUNWut/lib/firmware_gui
3) Upgrading firmware via the config parameter (.parms) file
For default (non GUI) firmware:
$ /opt/SUNWut/sbin/utfwadm -A -a -V
For GUI firmware:
$ /opt/SUNWut/sbin/utfwadm -A -a -V -f \
/opt/SUNWut/lib/firmware_gui
Then restart services on all servers in the failover group by
executing the following command on a server in the group:
$ /opt/SUNWut/sbin/utfwsync -d
Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using 'patchadd' and 'patchrm'
scripts provided with Solaris. Any other special or non-generic installation
instructions should be described below as special instructions. The following
example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/<patchid-rev>
The following example removes a patch from a standalone system:
example# patchrm <patchid-rev>
patchadd may give some messages while installing on a system
with zones. To suppress these messages, the "-G" option can be used.
example# patchadd -G /var/spool/patch/<patchid-rev>
For additional examples please see the appropriate man pages.
Special Install Instructions:
-----------------------------
NOTE 1: This patch is for the Sun Ray Core Services 4.1 component
that is part of Sun Ray Server Software 4.1.
NOTE 2: This SRSS patch does not support Live Upgrade. Please do not
install this patch via live upgrade.
NOTE 3: The DTU firmware delivered in this patch has an increased
downgrade "barrier" of '422' to prevent accidental downgrades to
firmware from earlier releases. If you wish to revert a unit back to an
earlier release of firmware after upgrading to this version of firmware,
please see the Sun Ray Information Center for information on overriding the
barrier/barrierLevel mechanism.
NOTE 4: The DTU firmware delivered in this patch has the following version
identification strings:
4.2_140993-05_2010.08.25.23.16
GUI4.2_140993-05_2010.08.25.23.16
Required Patches
----------------
Warnings & Errors
-----------------
** WARNING: This patch should only be applied to systems which have
Sun Ray Server Software 4.1 fully installed.
Do not attempt to add this patch to the UFS image to be
applied as part of the install process.
** WARNING: Installing this patch updates the Sun Ray PAM entries
in the pam.conf file. This means that your existing Sun Ray
configuration in the pam.conf file will be overwritten. However,
a backup of the existing pam.conf file is copied to
/etc/pam.conf.SUNWut.bak during patch installation, and the
backup is removed after patch removal. You may want to manually
merge your changes back into the pam.conf file.
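One way to find what needs merging back, as an added example that is not part of the patch or of Oracle's tooling: compare the backup with the patched pam.conf and list entries that exist only in the backup. It assumes a POSIX shell and utilities (on Solaris 10, /usr/xpg4/bin/sh or bash rather than the legacy /bin/sh); the function names and the sample file contents are constructed for illustration.

```shell
# Added example (not part of the patch): report pam.conf entries that were
# in the pre-patch backup but are missing from the patched pam.conf.

# Strip comments and blank lines, collapse whitespace, sort for comm(1).
pam_normalise() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" |
        grep -v '^$' | LC_ALL=C sort -u
}

# $1 = backup file, $2 = current file; prints entries found only in $1.
pam_lost_entries() {
    _bak=$(mktemp) && _cur=$(mktemp) || return 1
    pam_normalise "$1" > "$_bak"
    pam_normalise "$2" > "$_cur"
    LC_ALL=C comm -23 "$_bak" "$_cur"
    rm -f "$_bak" "$_cur"
}

# Constructed sample files; the pam_ldap line stands in for a site change.
pam_demo() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/pam.conf.SUNWut.bak" <<'EOF'
# pre-patch pam.conf (constructed sample)
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_ldap.so.1    # site addition
other   account required pam_unix_account.so.1
EOF
    cat > "$_d/pam.conf" <<'EOF'
# post-patch pam.conf (constructed sample)
login auth requisite pam_authtok_get.so.1
login auth sufficient /opt/SUNWut/lib/pam_sunray.so.1
login auth required pam_unix_auth.so.1
other account required pam_unix_account.so.1
EOF
    pam_lost_entries "$_d/pam.conf.SUNWut.bak" "$_d/pam.conf"
    rm -rf "$_d"
}

# On a patched server:
#   pam_lost_entries /etc/pam.conf.SUNWut.bak /etc/pam.conf
pam_demo
```

Run the comparison before any later patch removal, since the backup file is deleted at that point.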
Post-Patch Installation Notes:
------------------------------
Automated Token Importation (ATI)
A feature has been added in this patch which allows
controlling session access based on information stored in
customer data sources. In addition to man pages delivered
with this patch, a description has been added to the
Sun Ray Server Software 4.1 Release Notes available at:
Solaris: http://docs.sun.com/app/docs/doc/820-3774
Linux: http://docs.sun.com/app/docs/doc/820-3775
Regression fix for Cisco PIX gateways
The addition of support for the Netscreen family of VPN
gateways in the SRSS 4.1 release caused the Cisco PIX family of
VPN gateways to stop working, though ASA and 3000 series
continue to function correctly. Unfortunately, the fix for this
requires that the VPN configuration now include an item to
specify what type of VPN gateway the Sun Ray will be connecting
to. This configuration can be done using the local GUI tool
available on the Sun Ray, or through the download of a
configuration file, using the "Download Configuration" option
of the GUI tool. A couple of other useful options have been
added to the VPN configuration, including the PFS group to use,
the IPsec phase 2 lifetime, and a switch to enable Dead Peer
Detection. (Dead Peer Detection was also introduced in SRSS 4.1,
and was on by default. Unfortunately, having it enabled also
causes the PIX gateways to fail, so it must be disabled for PIX.)
The new values in the configuration file use these keywords and
value types:
vpn.peertype   integer/string  (0 or "cisco" = Cisco, 1 or "netscreen" = Netscreen)
vpn.pfsgroup   integer         Diffie-Hellman group for Perfect Forward Secrecy
vpn.ipsectime  integer         IPsec SA lifetime for phase 2 proposals in seconds
vpn.dpdswitch  integer         non-zero -> enable DPD
Other than the peertype, these values may also be set using the
"Advanced" submenu of the VPN configuration menu.
Keyboard Autorepeat Limitations
In SRSS 4.1, the Xnewt server could accidentally start autorepeating
a key under certain circumstances. This patch contains a fix for that,
but part of that fix includes code that forces the autorepeat "delay"
parameter to be at least 600ms. Any request to set it lower is ignored.
README -- Last modified date: Saturday, November 10, 2012