OBSOLETE Patch-ID# 141525-10
Download this patch from My Oracle Support
|
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
|
|
For further information on patching best practices and resources, please
see the following links:
|
|
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
Keywords: security pkcs-11 engine speed sftp nonzero batch command race pkcs#11 multithreaded openssl audit ssh-keygen sshd arcfour rsa pkcs11_softtoken certificate signing t1/t2
Synopsis: Obsoleted by: 142910-17 SunOS 5.10_x86: ssh and openssl patch
Date: Jun/18/2010
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 141524 143140
Topic: SunOS 5.10_x86: ssh and openssl patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6898546
Patches accumulated and obsoleted by this patch: 128254-01 128319-01 138123-01 138863-02 139501-02 139999-01 140119-11 140412-01 140591-01 140775-03 141919-02 142048-06 142243-02
Patches which conflict with this patch:
Patches required with this patch: 118855-36 118919-21 120012-14 127128-11 137138-09 139556-08 (or greater)
Obsoleted by: 142910-17
Files included with this patch:
/etc/ssh/sshd_config
/kernel/crypto/aes
/kernel/crypto/aes256
/kernel/crypto/amd64/aes
/kernel/crypto/amd64/aes256
/kernel/crypto/amd64/arcfour
/kernel/crypto/amd64/arcfour2048
/kernel/crypto/amd64/rsa
/kernel/crypto/arcfour
/kernel/crypto/arcfour2048
/kernel/crypto/rsa
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/include/security/pkcs11t.h
/usr/lib/amd64/libcryptoutil.so.1
/usr/lib/amd64/libpkcs11.so.1
/usr/lib/libcryptoutil.so.1
/usr/lib/libelfsign.so.1
/usr/lib/libpkcs11.so.1
/usr/lib/security/amd64/pkcs11_kernel.so.1
/usr/lib/security/amd64/pkcs11_softtoken.so.1
/usr/lib/security/amd64/pkcs11_softtoken_extra.so.1
/usr/lib/security/pkcs11_kernel.so.1
/usr/lib/security/pkcs11_softtoken.so.1
/usr/lib/security/pkcs11_softtoken_extra.so.1
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/sshd
/usr/sfw/bin/openssl
/usr/sfw/include/openssl/asn1.h
/usr/sfw/include/openssl/opensslv.h
/usr/sfw/include/openssl/ssl.h
/usr/sfw/include/openssl/ssl3.h
/usr/sfw/include/openssl/tls1.h
/usr/sfw/lib/amd64/libcrypto.so.0.9.7
/usr/sfw/lib/amd64/libcrypto_extra.so.0.9.7
/usr/sfw/lib/amd64/libssl.so.0.9.7
/usr/sfw/lib/amd64/libssl_extra.so.0.9.7
/usr/sfw/lib/amd64/llib-lssl.ln
/usr/sfw/lib/libcrypto.so.0.9.7
/usr/sfw/lib/libcrypto_extra.so.0.9.7
/usr/sfw/lib/libssl.so.0.9.7
/usr/sfw/lib/libssl_extra.so.0.9.7
/usr/sfw/lib/llib-lssl.ln
Problem Description:
6898546 fix TLS renegotiation problem in OpenSSL (CVE-2009-3555)
(from 141525-09)
6177650 wrong error code returned when key does not allow requested operation
6437677 C_GenerateKey with missing CKA_VALUE_LEN attr should fail with CKR_TEMPLATE_INCOMPLETE
6439989 CKM_CMS_SIG & WTLS missing from pkcs11_mech2str mapping
6606384 SCF consumers crash after mechanisms are disabled using cryptoadm when using libumem
6636169 softtoken is confused by .nfs files
6636960 C_GetOperationState should fail if there is no active digest operation
6681527 meta_SetOperationState() doesn't return a slot session to the idle pool
6739381 memory leak in pkcs11_kernel when n2cp is used for digests
6815120 C_Logout with metaslot can leave metaslot object info in memory
6905996 arcfour should return failure on invalid key (instead of dumping core)
(from 141525-08)
6599821 CVE-2007-3108 needs to be fixed
(from 141525-07)
6850734 enabled aes192/aes256 support in ssh/sshd does not work on S10U3 or older releases
6882255 sftp connection fails when .bashrc generates output on stderr
6886656 unlimited window size causes problems with limited buffer sizes
6894519 USE_PIPES is not used on Solaris and should be removed
(from 141525-06)
6868716 dangling sshd authentication thread after timeout exit of monitor
(from 141525-05)
This revision accumulates generic Sustaining patch 140119-11
into Solaris S10U8 update.
(from 141525-04)
This revision accumulates generic Sustaining patch 140119-10
into Solaris S10U8 update.
(from 141525-03)
This revision accumulates generic Sustaining patch 140119-09
into Solaris S10U8 update.
(from 141525-02)
This revision accumulates generic Sustaining patch 140119-08
into Solaris S10U8 update.
(from 141525-01)
This revision accumulates generic Sustaining patch 140119-07
into Solaris S10U8 update.
(from 140119-11)
6705402 ssh issue with scp, naming conventions within the command
(from 140119-10)
6740240 ssh: password prompt is garbled on ja_JP.PCK/ja_JP.eucJP locale
6781546 CR 6704823 is back when using LogLevel debug in sshd_config
6797221 do_exec_no_pty() function contains file descriptor leak
6812446 x11_create_display_inet does not cleanup resources correctly
(from 140119-09)
6718923 BN_bin2bn() should be more robust
(from 140119-08)
6757046 sftp/sftp-server don't allow setting of set[ug]id/sticky bits
(from 140119-07)
6282914 cannot use strong ciphers when linking to libcrypto
6617424 aes192/aes256 support is missing from ssh/sshd
6824175 OpenSSL needs a fix for CVE-2009-0590
(from 140119-06)
This revision accumulates generic Sustaining patch 140775-03
into Solaris S10U7 update.
(from 140119-05)
6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
6723504 more granular locking in PKCS#11 engine
6747327 PKCS#11 engine atfork handlers need to be aware of guys who take it seriously
6796098 SunSSH in s10u7_b2 and greater must enqueue non-kex packets during the key re-exchange
(from 140119-04)
This revision accumulates generic Sustaining patch 140775-01
into Solaris S10U7 update.
(from 140119-03)
This revision accumulates generic Sustaining patch 140412-01
into Solaris S10U7 update.
(from 140119-02)
6445288 ssh needs to be OpenSSL engine aware
6545665 make CKM_AES_CTR available to non-kernel users
6603350 CK_*_PARAMS definitions should be in <sys/crypto/common.h>
6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
6709513 PKCS#11 engine sets IV length even for ECB modes
6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric ciphers and digests
6728296 buffer length not initialized for C_(En|De)crypt_Final() in the PKCS#11 engine
6728871 PKCS#11 engine must reset global_session in pk11_finish()
6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers and digests
6751377 SunSSH with UseOpenSSLEngine=yes should not fatal() when the PKCS#11 engine is not found
6759291 sshd doesn't generate subject tokens for successful logins/logouts since integration of CR 6445288
(from 140119-01)
This revision accumulates generic Sustaining patch 138863-02
into Solaris S10U7 update.
(from 140775-03)
6730661 sshd should re-try pam_chauthtok() when it returns PAM_AUTHTOK_ERR
(from 140775-02)
6761890 ssh protocol security vulnerability may be used to reveal some plaintext
(from 140775-01)
6734620 sshd doesn't audit failed logins correctly.
6750189 sshd doesn't set pam_retval correctly for password-based authentication failures
6772392 sshd auditing could be more accurate for failed logins to invalid accounts
(from 128319-01)
This revision accumulates generic Sustaining patch 128254-01
into Solaris S10U5 update.
(from 128254-01)
6448031 ssh-keygen does not overwrite old key information when told yes
(from 140412-01)
6425816 sftp: should exit with non-zero status on batch command errors
6697679 sftp: 'ls -l' must print usernames/groupnames instead of uids/gids
(from 139999-01)
This revision accumulates generic Sustaining patch 139501-01
into Solaris S10U7 update.
(from 139501-02)
6786120 CVE-2008-5077 incorrect checks for malformed signature in OpenSSL
(from 139501-01)
6742474 openssl speed will crash if used with -multi and -evp
(from 138863-02)
6602801 PK11_SESSION cache has to employ reference counting scheme for asymmetric key operations
6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called atomically
6607307 pkcs#11 engine can't read RSA private keys
6652362 pk11_RSA_finish() is cutting corners
6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in suboptimal way
6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more resilient to destroy failures
6667273 OpenSSL engine should not use free() but OPENSSL_free()
6670363 PKCS#11 engine fails to reuse existing symmetric keys
6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size of big numbers leading to failures
6706562 pk11_DH_compute_key() returns 0 in case of failure instead of -1
6706622 pk11_load_{pub,priv}key create corrupted RSA key references
6707129 return values from BN_new() in pk11_DH_generate_key() are not checked
6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to structure reuse
6707782 OpenSSL PKCS#11 engine pretends to be aware of OPENSSL_NO_{RSA,DSA,DH} defines but fails miserably
6709966 make check_new_*() to return values to indicate cache hit/miss
6720197 linked list handling in crypto libraries needs to be more robust
(from 138863-01)
This revision accumulates generic Sustaining patch
138123-01 into Solaris S10U6 update.
(from 138123-01)
6375348 pkcs11 as SSLCryptoDevice with Apache/OpenSSL causes significant performance drop
6411001 sparcv9 OpenSSL pkcs11 engine fails C_Sign with RSA and DSA
6540060 race in pkcs#11 engine in multithreaded environment
6554248 OpenSSL pkcs#11 engine doesn't strip leading zeros from computed Diffie-Hellman shared secret
6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
6573196 memory leaked when OpenSSL is used with PKCS#11 engine
6588103 OpenSSL bundled with Solaris 10 fails verifying signature for files >2GB
(from 142048-06)
6666204 meta slot opens and closes /dev/urandom needlessly for every read
(from 142048-05)
6755655 len is not set in soft_digest_common()
6842872 race condition in fork() and C_Initialize() causes deadlock in pkcs11
6859220 pkcs11_softoken.so crashes in RC4 when doing a Java benchmark
6862202 token_session mutexes are not covered by at_fork handler
6862207 PKCS11 softtoken:C_Initialize() sets softtoken_initialized to TRUE also when it fails
6862268 C_Initialize() does not correctly clean resources when it fails
6900477 libpkcs11 needs to be friendlier
(from 142048-04)
This revision accumulates generic Sustaining patch 140591-01
into Solaris S10U8 update.
(from 142048-03)
6850360 some testcases of the ef testsuite hang when run in 64-bit mode
(from 142048-02)
6767618 need an optimized AES leveraging Intel's AES instructions
(from 142048-01)
5016936 bignumimpl:big_mul: potential memory leak
6799218 RSA using Solaris Kernel Crypto framework lagging behind OpenSSL
6810280 panic from bignum module: vmem_xalloc(): size == 0
6811474 RSA is slower with Solaris KCF than OpenSSL on amd64
6812615 64-bit RC4 has poor performance on Intel Nehalem
6823193 performance of big_mont_mul() may be improved for better RSA decrypt
(from 140591-01)
6814722 C_Digest() does not unlock session mutex which causes deadlock
6823591 pkcs11_kernel and pkcs11_softtoken object session reference counter must to be handled after fork
6828366 pkcs11_kernel/softtoken atfork handler should acquire session objects mutex too
6847226 session reference counter is not thread safe in pkcs11_kernel
(from 142243-02)
This revision accumulates generic Sustaining patch 141919-02
into Solaris S10U8 update.
(from 142243-01)
This revision accumulates generic Sustaining patch 141919-01
into Solaris S10U8 update.
(from 141919-02)
6560563 libpkcs11.so should handle premature library calls better
(from 141919-01)
6782907 certificate signing request (CSR) using certutil fails on T1/T2 based systems
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
None.
README -- Last modified date: Saturday, November 10, 2012