OBSOLETE Patch-ID# 141500-08


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security gssd core searchmechlist aes interoperability pam_krb5.so.1
Synopsis: Obsoleted by: 143561-05 SunOS 5.10: kinit patch
Date: Jun/21/2010


Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 141501

Topic: SunOS 5.10: kinit patch
	*********************************************************************
	NOTE: This patch may contain one or more OEM-specific platform ports.
	      See the appropriate OEM_NOTES file within the patch for
	      information specific to these platforms.
	      DO NOT INSTALL this patch on an OEM system if a corresponding
	      OEM_NOTES file is not present (or is present, but instructs not
	      to install the patch), unless the OEM vendor directs otherwise.
	*********************************************************************


Relevant Architectures: sparc sparc.sun4u

Bugs fixed with this patch:

Sun CR #   Bug #
6200894    15238410
6245750    15256331
6253622    15259566
6301844    15278192
6455225    15343252
6516568    15373944
6531864    15382508
6543610    15389069
6548599    15391929
6604635    15423260
6607659    15425130
6607813    15425240
6612490    15428047
6621129    15433446
6621239    15433523
6641415    15445589
6647708    15448964
6658621    15455479
6658624    15455480
6658627    15455481
6658631    15455483
6664832    15458820
6691206    15474353
6724557    15493571
6724959    15493834
6736781    15501167
6746597    15507222
6749302    15508942
6754169    15511866
6756312    15513277
6756928    15513647
6758625    15514661
6787354    15531364
6799884    15538855
6802931    15540508
6807853    15543379
6822062    15551698
6822066    15551699
6835384    15559528
6857627    15573910
6886219    15592720
6886235    15592736
6908114    15608619
6940688    15634159
6945196    15637520


Changes incorporated in this version: 6807853 6835384 6886219 6886235 6940688

Patches accumulated and obsoleted by this patch: 125167-01 138291-01 138371-06 139478-01 140074-09

Patches which conflict with this patch:

Patches required with this patch: 119042-09 120011-14 121901-01 127127-11 137137-09 (or greater)

Obsoleted by: 143561-05

Files included with this patch:

/kernel/misc/kgss/sparcv9/kmech_krb5
/lib/libpam.so.1
/lib/sparcv9/libpam.so.1
/lib/svc/method/svc-kdc
/lib/svc/method/svc-kdc.master (deleted)
/platform/sun4u/kernel/misc/kgss/sparcv9/kmech_krb5
/usr/bin/kdestroy
/usr/bin/kinit
/usr/include/kerberosv5/krb5.h
/usr/lib/gss/gssd
/usr/lib/gss/mech_krb5.so.1
/usr/lib/gss/mech_spnego.so.1
/usr/lib/krb5/db2.so.1
/usr/lib/krb5/kadmind
/usr/lib/krb5/kldap.so.1
/usr/lib/krb5/kprop
/usr/lib/krb5/kpropd
/usr/lib/krb5/krb5kdc
/usr/lib/krb5/libdb2.so.1
/usr/lib/krb5/libkadm5clnt.so.1
/usr/lib/krb5/libkadm5srv.so.1
/usr/lib/krb5/libkdb.so.1
/usr/lib/krb5/libkdb_ldap.so.1
/usr/lib/krb5/sparcv9/libkadm5clnt.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so.1
/usr/lib/security/sparcv9/pam_krb5.so.1
/usr/lib/security/sparcv9/pam_krb5_migrate.so.1
/usr/lib/sparcv9/gss/mech_krb5.so.1
/usr/lib/sparcv9/gss/mech_spnego.so.1
/usr/sbin/gsscred
/usr/sbin/kadmin
/usr/sbin/kadmin.local
/usr/sbin/kdb5_ldap_util
/usr/sbin/kdb5_util
/var/svc/manifest/network/rpc/gss.xml
/var/svc/manifest/network/security/kadmin.xml

Problem Description:

6807853 cannot unset min/max pw life from a password policy once they are set in a KDC database
6835384 KDC doesn't rebind after rebooted LDAP server
6886219 kadmind code should be utilizing sigaction() rather than signal()
6886235 kadmind will not rebind with LDAP server if LDAP server is restarted
6940688 need to remove date in past check from kadmin_parse_princ_args()
 
(from 141500-07)
 
6945196 CVE-2010-1321 GSS-API library null pointer dereference
 
(from 141500-06)
 
6516568 warning messages still being displayed on krb ccache ownership
6908114 Kerberos integer underflow bugs in AES and RC4 decryption [MITKRB5-SA-2009-004]
 
(from 141500-05)
 
6787354 kpropd cored when converting incremental update to kdb entry for a particular principal
 
(from 141500-04)
 
6857627 slave KDC dumping cores, error path snprintf using db_lf_file instead of db_lf_name
 
(from 141500-03)
 
	This revision accumulates generic Sustaining patch 140074-09
	into Solaris S10U8 update.
 
(from 141500-02)
 
	This revision accumulates generic Sustaining patch 140074-08
	into Solaris S10U8 update.
 
(from 141500-01)
 
	This revision accumulates generic Sustaining patch 140074-07
	into Solaris S10U8 update.
 
(from 140074-09)
 
6301844 mech_krb5 has problem working on 64 bit systems
 
(from 140074-08)
 
6822062 multiple vulnerabilities in SPNEGO, ASN.1 decoder (CVE-2009-0847, CVE-2009-0845, CVE-2009-0844)
6822066 ASN.1 decoder frees uninitialized pointer (CVE-2009-0846)
 
(from 140074-07)
 
6749302 pam_krb5 auth fails with key table entry not found
 
(from 140074-06)
 
6758625 pam_krb5 is unable to communicate with ktkt_warnd; 50-second delays to login/screen unlock
 
(from 140074-05)
 
6802931 krb5 NFS issues
 
(from 140074-04)
 
        This revision accumulates generic Sustaining patch 138371-05
        into Solaris S10U7 update.
 
(from 140074-03)
 
        This revision accumulates generic Sustaining patch 138371-04
        into Solaris S10U7 update.
 
(from 140074-02)
 
        This revision accumulates generic Sustaining patch 138371-03
        into Solaris S10U7 update.
 
(from 140074-01)
 
        This revision accumulates generic Sustaining patch 139478-01
        into Solaris S10U7 update.
 
(from 138371-06)
 
6799884 pam_krb5 could allow authentication to an attacker's KDC
 
(from 138371-05)
 
6746597 kpropd full resync window does not time out
 
(from 138371-04)
 
6756312 krb5int_pbkdf2_hmac_sha1() should not call C_DestroyObject() after C_GenerateKey() fails
6756928 kerberos incorrectly displays the error message "krb5 conf file not configured"
 
(from 138371-03)
 
6543610 possible memory leak in krb5_acct_mgmt
6607659 despite calling pam_end, pam_krb5 module data not being freed
6736781 memory leak in mech_krb5.so.1 when obtaining FQHN for comparison to host principal
6754169 memory leak in __pam_display_msg() where pam_response structure is not freed
 
(from 138371-02)
 
6245750 kadmin "Bad encryption type" error should state the enctype
6604635 kdb ldap integration removed rev/recurse kdb5_util dumps
6612490 kdb5_util should not coredump if krb5.conf is misconfigured
6621129 generic_gss_release_oid() should check for oid == NULL before dereferencing
6621239 adb_policy_init makes the wrong assertion
6641415 kadmind cores when using ldap backend and "sunw_dbprop_enable" is set to true
6647708 cannot create des keys with afs3 salt
6658621 configuration checks for kerberos daemons should be done by daemons themselves
6658624 missing error strings for new kerberos DB error types
6658627 kpropd should use its executable name, not the full path when logging error messages
6658631 error messages in kerberos daemons need cleanup
6664832 various memleaks in krb libs
 
(from 138371-01)
 
        This revision accumulates generic Sustaining patch 138291-01
        into Solaris S10U6 update.
 
(from 138291-01)
 
6548599 AES encrypt function in kmech_krb5 broken for 16-byte input, causes NFSsec interop problems
 
(from 139478-01)
 
6200894 pam_krb5 shouldn't use setreuid and friends -- that's not MT-safe
6455225 pam_krb5 should overwrite ccache with new credentials when handling pam_setcred (PAM_REFRESH_CRED)
6531864 ktkt_warnd not warning after login
6607813 pam_krb5 setcred coredumps on successful refresh if auth was not previously called
6691206 pam_krb5's store_cred should always store new credentials if previous auth pass successful
6724557 potential for a memory leak in krb5_setcred's krb5_renew_tgt routine
6724959 pam_modules/krb5/utils.h`set_active_user() declaration is adrift
 
(from 125167-01)
 
6253622 gssd core dumping in searchMechList


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
--------------------------------
 
NOTE 1:  Care must be taken when applying this patch to avoid generating an
	 interoperability issue with un-patched Solaris systems.  Please see
	 SunAlert 239145 for specific information on how to determine if you
	 are likely to run into interoperability issues, and if so, how to
	 mitigate these issues.


README -- Last modified date: Saturday, November 10, 2012