OBSOLETE Patch-ID# 141525-10

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
For further information on patching best practices and resources, please
see the Big Admin Patching Center:
http://www.oracle.com/technetwork/systems/patches
***********************************************************************

Keywords: security pkcs-11 engine speed sftp nonzero batch command race pkcs#11 multithreaded openssl audit ssh-keygen sshd arcfour rsa pkcs11_softtoken certificate signing t1/t2

Synopsis: Obsoleted by: 142910-17 SunOS 5.10_x86: ssh and openssl patch

Date: Jun/18/2010

Install Requirements:

After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reconfigure reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reconfigure reboot is performed.

Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 141524 143140

Topic: SunOS 5.10_x86: ssh and openssl patch

Relevant Architectures: i386

BugId's fixed with this patch: 5016936 6177650 6282914 6375348 6411001 6425816 6437677 6439989 6445288 6448031 6540060 6545665 6554248 6558630 6560563 6573196 6588103 6599821 6602801 6603350 6605538 6606384 6607307 6617424 6636169 6636960 6652362 6662112 6666204 6666625 6667128 6667273 6670363 6678135 6678503 6681527 6685012 6697679 6705402 6706562 6706622 6707129 6707274 6707782 6709513 6709966 6718923 6720197 6723504 6725903 6728296 6728871 6730661 6731839 6734620 6739381 6740240 6742474 6747327 6750189 6751377 6755655 6757046 6759291 6761890 6767618 6772392 6781546 6782907 6786120 6796098 6797221 6799218 6810280 6811474 6812446 6812615 6814722 6815120 6823193 6823591 6824175 6828366 6842872 6847226 6850360 6850734 6859220 6862202 6862207 6862268 6868716 6882255 6886656 6894519 6898546 6900477 6905996

Changes incorporated in this version: 6898546

Patches accumulated and obsoleted by this patch: 128254-01 128319-01 138123-01 138863-02 139501-02 139999-01 140119-11 140412-01 140591-01 140775-03 141919-02 142048-06 142243-02

Patches which conflict with this patch:

Patches required with this patch: 118855-36 118919-21 120012-14 127128-11 137138-09 139556-08 (or greater)

Obsoleted by:

Files included with this patch:

/etc/ssh/sshd_config
/kernel/crypto/aes
/kernel/crypto/aes256
/kernel/crypto/amd64/aes
/kernel/crypto/amd64/aes256
/kernel/crypto/amd64/arcfour
/kernel/crypto/amd64/arcfour2048
/kernel/crypto/amd64/rsa
/kernel/crypto/arcfour
/kernel/crypto/arcfour2048
/kernel/crypto/rsa
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/include/security/pkcs11t.h
/usr/lib/amd64/libcryptoutil.so.1
/usr/lib/amd64/libpkcs11.so.1
/usr/lib/libcryptoutil.so.1
/usr/lib/libelfsign.so.1
/usr/lib/libpkcs11.so.1
/usr/lib/security/amd64/pkcs11_kernel.so.1
/usr/lib/security/amd64/pkcs11_softtoken.so.1
/usr/lib/security/amd64/pkcs11_softtoken_extra.so.1
/usr/lib/security/pkcs11_kernel.so.1
/usr/lib/security/pkcs11_softtoken.so.1
/usr/lib/security/pkcs11_softtoken_extra.so.1
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/sshd
/usr/sfw/bin/openssl
/usr/sfw/include/openssl/asn1.h
/usr/sfw/include/openssl/opensslv.h
/usr/sfw/include/openssl/ssl.h
/usr/sfw/include/openssl/ssl3.h
/usr/sfw/include/openssl/tls1.h
/usr/sfw/lib/amd64/libcrypto.so.0.9.7
/usr/sfw/lib/amd64/libcrypto_extra.so.0.9.7
/usr/sfw/lib/amd64/libssl.so.0.9.7
/usr/sfw/lib/amd64/libssl_extra.so.0.9.7
/usr/sfw/lib/amd64/llib-lssl.ln
/usr/sfw/lib/libcrypto.so.0.9.7
/usr/sfw/lib/libcrypto_extra.so.0.9.7
/usr/sfw/lib/libssl.so.0.9.7
/usr/sfw/lib/libssl_extra.so.0.9.7
/usr/sfw/lib/llib-lssl.ln

Problem Description:

6898546 fix TLS renegotiation problem in OpenSSL (CVE-2009-3555)

(from 141525-09)

6177650 wrong error code returned when key does not allow requested operation
6437677 C_GenerateKey with missing CKA_VALUE_LEN attr should fail with CKR_TEMPLATE_INCOMPLETE
6439989 CKM_CMS_SIG & WTLS missing from pkcs11_mech2str mapping
6606384 SCF consumers crash after mechanisms are disabled using cryptoadm when using libumem
6636169 softtoken is confused by .nfs files
6636960 C_GetOperationState should fail if there is no active digest operation
6681527 meta_SetOperationState() doesn't return a slot session to the idle pool
6739381 memory leak in pkcs11_kernel when n2cp is used for digests
6815120 C_Logout with metaslot can leave metaslot object info in memory
6905996 arcfour should return failure on invalid key (instead of dumping core)

(from 141525-08)

6599821 CVE-2007-3108 needs to be fixed

(from 141525-07)

6850734 enabled aes192/aes256 support in ssh/sshd does not work on S10U3 or older releases
6882255 sftp connection fails when .bashrc generates output on stderr
6886656 unlimited window size causes problems with limited buffer sizes
6894519 USE_PIPES is not used on Solaris and should be removed

(from 141525-06)

6868716 dangling sshd authentication thread after timeout exit of monitor

(from 141525-05)

This revision accumulates generic Sustaining patch 140119-11 into Solaris S10U8 update.

(from 141525-04)

This revision accumulates generic Sustaining patch 140119-10 into Solaris S10U8 update.

(from 141525-03)

This revision accumulates generic Sustaining patch 140119-09 into Solaris S10U8 update.

(from 141525-02)

This revision accumulates generic Sustaining patch 140119-08 into Solaris S10U8 update.

(from 141525-01)

This revision accumulates generic Sustaining patch 140119-07 into Solaris S10U8 update.

(from 140119-11)

6705402 ssh issue with scp, naming conventions within the command

(from 140119-10)

6740240 ssh: password prompt is garbled on ja_JP.PCK/ja_JP.eucJP locale
6781546 CR 6704823 is back when using LogLevel debug in sshd_config
6797221 do_exec_no_pty() function contains file descriptor leak
6812446 x11_create_display_inet does not cleanup resources correctly

(from 140119-09)

6718923 BN_bin2bn() should be more robust

(from 140119-08)

6757046 sftp/sftp-server don't allow setting of set[ug]id/sticky bits

(from 140119-07)

6282914 cannot use strong ciphers when linking to libcrypto
6617424 aes192/aes256 support is missing from ssh/sshd
6824175 OpenSSL needs a fix for CVE-2009-0590

(from 140119-06)

This revision accumulates generic Sustaining patch 140775-03 into Solaris S10U7 update.

(from 140119-05)

6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
6723504 more granular locking in PKCS#11 engine
6747327 PKCS#11 engine atfork handlers need to be aware of guys who take it seriously
6796098 SunSSH in s10u7_b2 and greater must enqueue non-kex packets during the key re-exchange

(from 140119-04)

This revision accumulates generic Sustaining patch 140775-01 into Solaris S10U7 update.

(from 140119-03)

This revision accumulates generic Sustaining patch 140412-01 into Solaris S10U7 update.

(from 140119-02)

6445288 ssh needs to be OpenSSL engine aware
6545665 make CKM_AES_CTR available to non-kernel users
6603350 CK_*_PARAMS definitions should be in
6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
6709513 PKCS#11 engine sets IV length even for ECB modes
6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric ciphers and digests
6728296 buffer length not initialized for C_(En|De)crypt_Final() in the PKCS#11 engine
6728871 PKCS#11 engine must reset global_session in pk11_finish()
6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers and digests
6751377 SunSSH with UseOpenSSLEngine=yes should not fatal() when the PKCS#11 engine is not found
6759291 sshd doesn't generate subject tokens for successful logins/logouts since integration of CR 6445288

(from 140119-01)

This revision accumulates generic Sustaining patch 138863-02 into Solaris S10U7 update.

(from 140775-03)

6730661 sshd should re-try pam_chauthtok() when it returns PAM_AUTHTOK_ERR

(from 140775-02)

6761890 ssh protocol security vulnerability may be used to reveal some plaintext

(from 140775-01)

6734620 sshd doesn't audit failed logins correctly.
6750189 sshd doesn't set pam_retval correctly for password-based authentication failures
6772392 sshd auditing could be more accurate for failed logins to invalid accounts

(from 128319-01)

This revision accumulates generic Sustaining patch 128254-01 into Solaris S10U5 update.

(from 128254-01)

6448031 ssh-keygen does not overwrite old key information when told yes

(from 140412-01)

6425816 sftp: should exit with non-zero status on batch command errors
6697679 sftp: 'ls -l' must print usernames/groupnames instead of uids/gids

(from 139999-01)

This revision accumulates generic Sustaining patch 139501-01 into Solaris S10U7 update.

(from 139501-02)

6786120 CVE-2008-5077 incorrect checks for malformed signature in OpenSSL

(from 139501-01)

6742474 openssl speed will crash if used with -multi and -evp

(from 138863-02)

6602801 PK11_SESSION cache has to employ reference counting scheme for asymmetric key operations
6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called atomically
6607307 pkcs#11 engine can't read RSA private keys
6652362 pk11_RSA_finish() is cutting corners
6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in suboptimal way
6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more resilient to destroy failures
6667273 OpenSSL engine should not use free() but OPENSSL_free()
6670363 PKCS#11 engine fails to reuse existing symmetric keys
6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size of big numbers leading to failures
6706562 pk11_DH_compute_key() returns 0 in case of failure instead of -1
6706622 pk11_load_{pub,priv}key create corrupted RSA key references
6707129 return values from BN_new() in pk11_DH_generate_key() are not checked
6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to structure reuse
6707782 OpenSSL PKCS#11 engine pretends to be aware of OPENSSL_NO_{RSA,DSA,DH} defines but fails miserably
6709966 make check_new_*() to return values to indicate cache hit/miss
6720197 linked list handling in crypto libraries needs to be more robust

(from 138863-01)

This revision accumulates generic Sustaining patch 138123-01 into Solaris S10U6 update.

(from 138123-01)

6375348 pkcs11 as SSLCryptoDevice with Apache/OpenSSL causes significant performance drop
6411001 sparcv9 OpenSSL pkcs11 engine fails C_Sign with RSA and DSA
6540060 race in pkcs#11 engine in multithreaded environment
6554248 OpenSSL pkcs#11 engine doesn't strip leading zeros from computed Diffie-Hellman shared secret
6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
6573196 memory leaked when OpenSSL is used with PKCS#11 engine
6588103 OpenSSL bundled with Solaris 10 fails verifying signature for files >2GB

(from 142048-06)

6666204 meta slot opens and closes /dev/urandom needlessly for every read

(from 142048-05)

6755655 len is not set in soft_digest_common()
6842872 race condition in fork() and C_Initialize() causes deadlock in pkcs11
6859220 pkcs11_softoken.so crashes in RC4 when doing a Java benchmark
6862202 token_session mutexes are not covered by at_fork handler
6862207 PKCS11 softtoken:C_Initialize() sets softtoken_initialized to TRUE also when it fails
6862268 C_Initialize() does not correctly clean resources when it fails
6900477 libpkcs11 needs to be friendlier

(from 142048-04)

This revision accumulates generic Sustaining patch 140591-01 into Solaris S10U8 update.

(from 142048-03)

6850360 some testcases of the ef testsuite hang when run in 64-bit mode

(from 142048-02)

6767618 need an optimized AES leveraging Intel's AES instructions

(from 142048-01)

5016936 bignumimpl:big_mul: potential memory leak
6799218 RSA using Solaris Kernel Crypto framework lagging behind OpenSSL
6810280 panic from bignum module: vmem_xalloc(): size == 0
6811474 RSA is slower with Solaris KCF than OpenSSL on amd64
6812615 64-bit RC4 has poor performance on Intel Nehalem
6823193 performance of big_mont_mul() may be improved for better RSA decrypt

(from 140591-01)

6814722 C_Digest() does not unlock session mutex which causes deadlock
6823591 pkcs11_kernel and pkcs11_softtoken object session reference counter must to be handled after fork
6828366 pkcs11_kernel/softtoken atfork handler should acquire session objects mutex too
6847226 session reference counter is not thread safe in pkcs11_kernel

(from 142243-02)

This revision accumulates generic Sustaining patch 141919-02 into Solaris S10U8 update.

(from 142243-01)

This revision accumulates generic Sustaining patch 141919-01 into Solaris S10U8 update.

(from 141919-02)

6560563 libpkcs11.so should handle premature library calls better

(from 141919-01)

6782907 certificate signing request (CSR) using certutil fails on T1/T2 based systems

Patch Installation Instructions:
--------------------------------

Please refer to the man pages for instructions on using 'patchadd' and 'patchrm' commands provided with Solaris.

The following example installs a patch to a standalone machine:

        example# patchadd /var/spool/patch/123456-07

The following example removes a patch from a standalone system:

        example# patchrm 123456-07

For additional examples please see the appropriate man pages. Any other special or non-generic installation instructions should be described below as special instructions.

Special Install Instructions:
-----------------------------

None.

README -- Last modified date: Tuesday, September 7, 2010