OBSOLETE Patch-ID# 140119-11
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
For further information on patching best practices and resources, please
see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security international encryption sftp nonzero batch command race pkcs#11 multithreaded openssl audit ssh-keygen sshd
Synopsis: Obsoleted by: 141525-05 SunOS 5.10_x86: sshd patch
Date: Aug/14/2009
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 141742
Topic: SunOS 5.10_x86: sshd patch
EXPORT INFORMATION: This software contains encryption features
and requires export approval from the U.S. Department of State,
prior to exporting from the United States.
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6705402
Patches accumulated and obsoleted by this patch: 128254-01 128319-01 138123-01 138863-02 139501-02 139999-01 140412-01 140775-03
Patches which conflict with this patch:
Patches required with this patch: 118855-36 118919-21 120012-14 127128-11 137138-09 (or greater)
Obsoleted by: 141525-05
Files included with this patch:
/etc/ssh/sshd_config
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/include/security/pkcs11t.h
/usr/lib/amd64/libcryptoutil.so.1
/usr/lib/libcryptoutil.so.1
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/sshd
/usr/sfw/bin/openssl
/usr/sfw/include/openssl/asn1.h
/usr/sfw/include/openssl/opensslv.h
/usr/sfw/lib/amd64/libcrypto.so.0.9.7
/usr/sfw/lib/amd64/libcrypto_extra.so.0.9.7
/usr/sfw/lib/amd64/libssl.so.0.9.7
/usr/sfw/lib/amd64/libssl_extra.so.0.9.7
/usr/sfw/lib/libcrypto.so.0.9.7
/usr/sfw/lib/libcrypto_extra.so.0.9.7
/usr/sfw/lib/libssl.so.0.9.7
/usr/sfw/lib/libssl_extra.so.0.9.7
Problem Description:
6705402 ssh issue with scp, naming conventions within the command
(from 140119-10)
6740240 ssh: password prompt is garbled on ja_JP.PCK/ja_JP.eucJP locale
6781546 CR 6704823 is back when using LogLevel debug in sshd_config
6797221 do_exec_no_pty() function contains file descriptor leak
6812446 x11_create_display_inet does not cleanup resources correctly
(from 140119-09)
6718923 BN_bin2bn() should be more robust
(from 140119-08)
6757046 sftp/sftp-server don't allow setting of set[ug]id/sticky bits
(from 140119-07)
6282914 cannot use strong ciphers when linking to libcrypto
6617424 aes192/aes256 support is missing from ssh/sshd
6824175 OpenSSL needs a fix for CVE-2009-0590
(from 140119-06)
This revision accumulates generic Sustaining patch 140775-03
into Solaris S10U7 update.
(from 140119-05)
6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
6723504 more granular locking in PKCS#11 engine
6747327 PKCS#11 engine atfork handlers need to be aware of guys who take it seriously
6796098 SunSSH in s10u7_b2 and greater must enqueue non-kex packets during the key re-exchange
(from 140119-04)
This revision accumulates generic Sustaining patch 140775-01
into Solaris S10U7 update.
(from 140119-03)
This revision accumulates generic Sustaining patch 140412-01
into Solaris S10U7 update.
(from 140119-02)
6445288 ssh needs to be OpenSSL engine aware
6545665 make CKM_AES_CTR available to non-kernel users
6603350 CK_*_PARAMS definitions should be in <sys/crypto/common.h>
6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
6709513 PKCS#11 engine sets IV length even for ECB modes
6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric ciphers and digests
6728296 buffer length not initialized for C_(En|De)crypt_Final() in the PKCS#11 engine
6728871 PKCS#11 engine must reset global_session in pk11_finish()
6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers and digests
6751377 SunSSH with UseOpenSSLEngine=yes should not fatal() when the PKCS#11 engine is not found
6759291 sshd doesn't generate subject tokens for successful logins/logouts since integration of CR 6445288
(from 140119-01)
This revision accumulates generic Sustaining patch 138863-02
into Solaris S10U7 update.
(from 140775-03)
6730661 sshd should re-try pam_chauthtok() when it returns PAM_AUTHTOK_ERR
(from 140775-02)
6761890 ssh protocol security vulnerability may be used to reveal some plaintext
(from 140775-01)
6734620 sshd doesn't audit failed logins correctly.
6750189 sshd doesn't set pam_retval correctly for password-based authentication failures
6772392 sshd auditing could be more accurate for failed logins to invalid accounts
(from 128319-01)
This revision accumulates generic Sustaining patch 128254-01
into Solaris S10U5 update.
(from 128254-01)
6448031 ssh-keygen does not overwrite old key information when told yes
(from 140412-01)
6425816 sftp: should exit with non-zero status on batch command errors
6697679 sftp: 'ls -l' must print usernames/groupnames instead of uids/gids
(from 139999-01)
This revision accumulates generic Sustaining patch 139501-01
into Solaris S10U7 update.
(from 139501-02)
6786120 CVE-2008-5077 incorrect checks for malformed signature in OpenSSL
(from 139501-01)
6742474 openssl speed will crash if used with -multi and -evp
(from 138863-02)
6602801 PK11_SESSION cache has to employ reference counting scheme for asymmetric key operations
6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called atomically
6607307 pkcs#11 engine can't read RSA private keys
6652362 pk11_RSA_finish() is cutting corners
6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in suboptimal way
6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more resilient to destroy failures
6667273 OpenSSL engine should not use free() but OPENSSL_free()
6670363 PKCS#11 engine fails to reuse existing symmetric keys
6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size of big numbers leading to failures
6706562 pk11_DH_compute_key() returns 0 in case of failure instead of -1
6706622 pk11_load_{pub,priv}key create corrupted RSA key references
6707129 return values from BN_new() in pk11_DH_generate_key() are not checked
6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to structure reuse
6707782 OpenSSL PKCS#11 engine pretends to be aware of OPENSSL_NO_{RSA,DSA,DH} defines but fails miserably
6709966 make check_new_*() to return values to indicate cache hit/miss
6720197 linked list handling in crypto libraries needs to be more robust
(from 138863-01)
This revision accumulates generic Sustaining patch
138123-01 into Solaris S10U6 update.
(from 138123-01)
6375348 pkcs11 as SSLCryptoDevice with Apache/OpenSSL causes significant performance drop
6411001 sparcv9 OpenSSL pkcs11 engine fails C_Sign with RSA and DSA
6540060 race in pkcs#11 engine in multithreaded environment
6554248 OpenSSL pkcs#11 engine doesn't strip leading zeros from computed Diffie-Hellman shared secret
6558630 race in OpenSSL pkcs11 engine when using symmetric block ciphers
6573196 memory leaked when OpenSSL is used with PKCS#11 engine
6588103 OpenSSL bundled with Solaris 10 fails verifying signature for files >2GB
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
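Before running patchadd, a practitioner will want to confirm that every entry on the "Patches required with this patch" line above (118855-36 118919-21 120012-14 127128-11 137138-09, each "or greater") is already installed at a sufficient revision. The following POSIX sh script is an added example and is not part of this Oracle README; it parses the "Patch: NNNNNN-RR ..." lines that `showrev -p` prints, and the sample `showrev -p` output embedded in it is constructed for illustration (one entry, 137138-05, is deliberately too old). On a real host, replace the constructed text with the live output of `showrev -p` (or `patchadd -p`).

```shell
#!/bin/sh
# Added example, not from the Oracle patch README: verify that the patches
# listed under "Patches required with this patch" are installed at the
# required revision or greater, using the format of `showrev -p` output.

# Prerequisites as listed in the 140119-11 README ("or greater").
REQUIRED="118855-36 118919-21 120012-14 127128-11 137138-09"

# Constructed sample of `showrev -p` output (not from a real system).
# Note 118919 is newer than required (fine) and 137138-05 is too old.
SAMPLE_SHOWREV='Patch: 118855-36 Obsoletes: 118883-01 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 118919-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 120012-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 127128-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 137138-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# installed_rev BASE SHOWREV_TEXT
# Prints the highest installed revision of patch BASE (a number without
# leading zeros), or nothing if the patch is not installed at all.
installed_rev() {
    printf '%s\n' "$2" | awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max) print max }'
}

# check_prereqs "BASE-REV BASE-REV ..." SHOWREV_TEXT
# Prints one status line per prerequisite; returns 0 only if every one is
# installed at the listed revision or greater.
check_prereqs() {
    failed=0
    for req in $1; do
        base=${req%-*}
        want=${req#*-}
        want=${want#0}          # "09" -> "9" so the numeric test is unambiguous
        have=$(installed_rev "$base" "$2")
        if [ -z "$have" ]; then
            echo "MISSING  $req is not installed"
            failed=1
        elif [ "$have" -lt "$want" ]; then
            echo "TOO OLD  $req required, only $base-$have installed"
            failed=1
        else
            echo "OK       $base-$have satisfies $req"
        fi
    done
    return $failed
}

# Stand-alone run against the constructed sample; exits non-zero because
# 137138-05 does not satisfy 137138-09.
check_prereqs "$REQUIRED" "$SAMPLE_SHOWREV"
```

On a live system the check is `check_prereqs "$REQUIRED" "$(showrev -p)"`; only when it returns 0 should you proceed to `patchadd` in single-user mode as the Install Requirements above direct, and then complete the reconfigure reboot (`reboot -- -r`) before returning the host to service, since sshd and the OpenSSL libraries on disk will otherwise differ from what is running.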
Special Install Instructions:
-----------------------------
NOTE 1: Before installing this patch, please be sure to install the latest
patch utilities patches for your OS. This list of patches is defined
at http://sunsolve.sun.com. Please use the pull-down list which appears
after the text:
"Latest Patch Update: To ensure the correct functioning of the
patching utilities on your system, stay up to date on the
following patches"
NOTE 2: Note for users of Sun Cryptographic Accelerator 6000: if you
use SCA-6000 card you must install all patches in the Sun
Crypto Accelerator 6000 1.1 Update 1 or later before installing
this patch. You can download the latest SCA-6000 update from
http://www.sun.com/products/networking/downloads.html
NOTE 3: The fix for 6740240 requires the SUNWuiu8 package to be installed. For
some charsets the SUNWiconv-unicode and SUNWiconv-extra2 packages are also
needed. Without these packages installed, the following error message appears:
invalid UTF-8 sequence: Cannot convert UTF-8 strings to the local codeset
README -- Last modified date: Saturday, November 10, 2012