Patch-ID# 147793-23



Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security kdb5 krb5 libss.so.1 krb5.conf autologin rsh rlogin rcp rdist telnet kerberos ktkt_warnd change_kpassword_solaris
Synopsis: SunOS 5.10: Kerberos patch
Date: Apr/09/2019


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 147794

Topic: SunOS 5.10: Kerberos patch
	***********************************************************
	NOTE: This patch may contain one or more OEM-specific platform ports.
	      See the appropriate OEM_NOTES file within the patch for
	      information specific to these platforms.
	      DO NOT INSTALL this patch on an OEM system if a corresponding
	      OEM_NOTES file is not present (or is present, but instructs not
	      to install the patch), unless the OEM vendor directs otherwise.
	***********************************************************


Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #   Bug #
5084849    15222286
6647874    15449097
6848169    15567444
6902378    15604439
7043305    15714441
-          15870828
-          16448392
-          16617641
-          16887464
-          17617775
-          17628214
-          17792428
-          17917090
-          17923994
-          18071497
-          18673832
-          19176902
-          19392488
-          19624343
-          19680513
-          20365797
-          20418929
-          20434169
-          20434175
-          22612138
-          24657666
-          26396360
-          29319807
5047971    15211419
5060745    15214688
6372525    15306891
6372535    15306897
6574888    15406642
6596185    15418553
6680327    15467952
6683649    15469868
6689008    15473093
6821299    15551251
6835370    15559519
6837512    15560740
6891691    15596655
6922520    15619617
6955112    15645282
6956005    15645958
6960586    15649324
6993588    15676203
6994581    15677042
6997583    15679434
7021339    15698412
7045809    15716294
7059086    15724537
7061008    15725603
7125576    15763461
7136193    15769284
7141265    15769730
7194414    15812546


Changes incorporated in this version: 29319807

Patches accumulated and obsoleted by this patch: 140148-01 140159-03 143937-03 144891-02 146664-02 147715-04 148069-02 148079-01 148239-01 148394-01 148657-01 148687-01 149500-01 151146-01

Patches which conflict with this patch:

Patches required with this patch: 118833-36 120011-14 127127-11 144500-19 (or greater)

Obsoleted by:

Files included with this patch:

/kernel/misc/kgss/sparcv9/kmech_krb5
/platform/sun4u/kernel/misc/kgss/sparcv9/kmech_krb5
/usr/bin/kdestroy
/usr/bin/kinit
/usr/bin/klist
/usr/bin/kpasswd
/usr/bin/ktutil
/usr/bin/rcp
/usr/bin/rdist
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/telnet
/usr/include/kerberosv5/krb5.h
/usr/lib/gss/mech_krb5.so.1
/usr/lib/krb5/db2.so.1
/usr/lib/krb5/kadmind
/usr/lib/krb5/kldap.so.1
/usr/lib/krb5/kprop
/usr/lib/krb5/kpropd
/usr/lib/krb5/krb5kdc
/usr/lib/krb5/ktkt_warnd
/usr/lib/krb5/libkadm5clnt.so.1
/usr/lib/krb5/libkadm5srv.so.1
/usr/lib/krb5/libkadmin.so.1
/usr/lib/krb5/libkdb.so.1
/usr/lib/krb5/libkdb_ldap.so.1
/usr/lib/krb5/libss.so.1
/usr/lib/krb5/sparcv9/libkadm5clnt.so.1
/usr/lib/sasl/gssapi.so.1
/usr/lib/sasl/sparcv9/gssapi.so.1
/usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5_migrate.so.1
/usr/lib/security/sparcv9/pam_krb5.so.1
/usr/lib/security/sparcv9/pam_krb5_migrate.so.1
/usr/lib/sparcv9/gss/mech_krb5.so.1
/usr/sbin/in.rlogind
/usr/sbin/in.rshd
/usr/sbin/in.telnetd
/usr/sbin/kadmin
/usr/sbin/kadmin.local
/usr/sbin/kdb5_ldap_util
/usr/sbin/kdb5_util
/usr/sbin/kproplog

Problem Description:

29319807 Problem with utility/network
 
(from 147793-22)
 
26396360 problem with network utility
 
(from 147793-21)
 
24657666 improve kadmin parsing of time intervals
 
(from 147793-20)
 
22612138 problem with Kerberos libraries
 
(from 147793-19)
 
15714441 mech_krb5.so.1`generic_gss_add_buffer_set_member+0x6f memory leaks
 
(from 147793-18)
 
19176902 RPC timeout too short during kadmin:listprincs while retrieving 150k principals
 
(from 147793-17)
 
20365797 krb5kdc incorrectly terminates after 2nd kill -HUP
20418929 problem with Kerberos libraries
20434169 uninitialized memory in krb5_ldap_create_password_policy of ldap_pwd_policy.c:125
20434175 uninitialized memory in krb5_ldap_put_password_policy of ldap_pwd_policy.c:191
 
(from 147793-16)
 
18673832 problem with Kerberos utilities
 
(from 147793-15)
 
19624343 problem with GSS library
19680513 Solaris 10 kadmin unable to use kpasswd history more than 10 keys
 
(from 147793-14)
 
17617775 krb5kdc and kadmind cores during LDAP rebind
19392488 problem with krb5kdc
 
(from 147793-13)
 
15604439 add realm option to pam_krb5
18071497 pam_krb5 issues in multi-realm auth when default realm is specified second
 
(from 147793-12)
 
17792428 problem with Kerberos utilities
 
(from 147793-11)
 
15449097 LDAP backend uses 10ms connection timeout
15567444 fix for kdb LDAP plugin timeout incomplete, still using 10ms
17628214 kadmin.local from Solaris 10 dumps core when displaying Solaris 11 principal (missing salt)
 
(from 147793-10)
 
16448392 Solaris krb5 does not support RFC6448 which causes ssh interoperability problem
 
(from 147793-09)
 
16887464 problem with Kerberos utilities
 
(from 147793-08)
 
16617641 sshd core dump due to an uninitialized krb5_cred variable in mech_krb5 library
 
(from 147793-07)
 
15870828 winbindd crashing when trying to get TGT from a KDC (Active Directory)
 
(from 147793-06)
 
        This revision accumulates generic Sustaining patch 146664-02
        into Solaris S10U11 update.
 
(from 147793-05)
 
        This revision accumulates generic Sustaining patch 147715-04
        into Solaris S10U11 update.
 
(from 147793-04)
 
6596185 kadmin negates -allow_tix when adding a principal record
7141265 krb5 is not recognizing a duplicate security token when running "gss_accept_sec_context"
 
(from 147793-03)
 
        This revision accumulates generic Sustaining patches 147715-02
        and 148069-02 into Solaris S10U11 update.
 
(from 147793-02)
 
6835370 Kerberos replay cache should have better granularity
6960586 Kerberos replay cache intermittently reports authentication errors with FTP sessions
6993588 need to implement the k5buf string modules in Solaris in support of replay hashing fix
 
(from 147793-01)
 
        This revision accumulates generic Sustaining patch 144891-02
        into Solaris S10U11 update.
 
(from 148079-01)
 
        This revision accumulates generic Sustaining patch 148069-01
        into Solaris S10U11 update.
 
(from 148069-02)
 
6837512 krb5.h C++ guards are wrong
6956005 "stash" option fails to re-create the stash file if the KDC is set up by kdb5_ldap_util
 
(from 148069-01)
 
6680327 kdb5_util/kdb5_ldap_util core dumps and prints incorrect progname on error paths
 
(from 147715-04)
 
7136193 problem with Kerberos utilities
 
(from 147715-03)
 
7045809 chgpwd.c needs more resyncing to properly support RFC3244
 
(from 147715-02)
 
6372525 problem with library libsasl
6372535 krb5gss_unwrap() doesn't output data when the only error is out-of-sequence or replay detection
 
(from 147715-01)
 
7021339 nscd crashed in krb5int_sendto() when trying to free memory at an invalid address
 
(from 144891-02)
 
6997583 problem with Kerberos kdc
7059086 problem with Kerberos admin
7061008 problem with Kerberos admin
 
(from 144891-01)
 
5047971 kadmin could use libtecla for enhanced command history and editing
 
(from 149500-01)
 
5060745 rdist core dumps when libumem is used
 
(from 146664-02)
 
6574888 principals using delegated credentials are not being registered with ktkt_warnd for auto-renewal
6689008 kwarn_add_warning should not output errors to stderr
7194414 failed to compile when backporting CR 6574888 fix to Solaris 10
 
(from 146664-01)
 
        This revision accumulates generic Sustaining patch 143937-03
        into Solaris S10U10 update.
 
(from 143937-03)
 
6994581 r(cmds) and kcfd take too many CPU cycles after upgrade to Solaris 10 Update 7
 
(from 143937-02)
 
        This revision accumulates generic Sustaining patch 140159-03
        into Solaris S10U9 update.
 
(from 143937-01)
 
        This revision accumulates generic Sustaining patch 140159-02
        into Solaris S10U9 update.
 
(from 140159-03)
 
6922520 rcp data transfer to local system should improve error testing
 
(from 140159-02)
 
6821299 rdist problem with savelink
 
(from 140159-01)
 
        This revision accumulates generic Sustaining patch 140148-01
        into Solaris S10U7 update.
 
(from 140148-01)
 
6683649 krb5.conf autologin setting should be valid for rsh/rlogin/rcp/rdist as well as telnet
 
(from 148239-01)
 
        This revision accumulates generic Sustaining patch 148657-01
        into Solaris S10U11 update.
 
(from 148657-01)
 
7125576 problem with telnet
 
(from 148687-01)
 
        This revision accumulates generic Sustaining patch 148394-01
        into Solaris S10U11 update.
 
(from 148394-01)
 
6891691 if full sync fails leaving (principal~, principal~.ok, principal~.kadm5.lock), kdb5_util exits w/error
6955112 kdb5_util should report error if lock files exist and it can not update database
 
(from 151146-01)
 
15222286 ktkt_warnd coredumping
17917090 double free in change_kpassword_solaris()
17923994 kadmind: verify_pam_pw: pam_authenticate() failed, No account present for user


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
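
Before running patchadd, the revisions listed under "Patches required with this patch" can be compared with the host's `showrev -p` output. The script below is an added example, not part of the original README or of Oracle's tooling; the function names, the embedded sample data and the treatment of Obsoletes: entries are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle tooling: compare installed patch revisions with
# the "Patches required with this patch" list from this README.
REQUIRED="118833-36 120011-14 127127-11 144500-19"

# Solaris 10 /usr/bin/awk lacks -v and functions; prefer nawk when present.
AWK=awk
[ -x /usr/bin/nawk ] && AWK=/usr/bin/nawk

# prereq_report: read `showrev -p` output on stdin; print one line per
# required patch: "<id> OK", "<id> TOO_OLD" or "<id> MISSING".
# Assumption: an id in an installed patch's Obsoletes: field counts as present.
prereq_report() {
    $AWK -v req="$REQUIRED" '
    function note(pid,   p) {      # remember highest revision seen per base id
        split(pid, p, "-")
        if (!(p[1] in rev) || p[2] + 0 > rev[p[1]]) rev[p[1]] = p[2] + 0
    }
    $1 == "Patch:" {
        note($2); sect = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /:$/) { sect = $i; continue }
            if (sect == "Obsoletes:") { id = $i; sub(/,$/, "", id); note(id) }
        }
    }
    END {
        n = split(req, r, " ")
        for (i = 1; i <= n; i++) {
            split(r[i], p, "-")
            if (!(p[1] in rev))            print r[i], "MISSING"
            else if (rev[p[1]] < p[2] + 0) print r[i], "TOO_OLD"
            else                           print r[i], "OK"
        }
    }'
}

# Constructed sample in showrev -p layout (not from a real host); the 9xxxxx
# ids are placeholders.
sample_showrev() {
    cat <<'EOF'
Patch: 118833-36 Obsoletes: 900001-02, 900002-01 Requires: 900003-04 Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 120011-14 Obsoletes:  Requires: 118833-36 Incompatibles:  Packages: SUNWcsu
Patch: 127127-09 Obsoletes:  Requires: 120011-14 Incompatibles:  Packages: SUNWcsu
EOF
}

# On a real host: showrev -p | prereq_report
sample_showrev | prereq_report
```

Any line other than OK means the prerequisite should be resolved before this patch is applied.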


Special Install Instructions:
-----------------------------
 
NOTE 1:  For bug 15604439 (add realm option to pam_krb5):
 
         This patch version provides the option to authenticate users through
         Multiple Realms as First Choice Using Password-based Authentication.
 
         The new option realm=realm_name can be passed to the Kerberos V5
         authentication module where realm_name is the realm name used to
         authenticate the user rather than the system's default_realm as
         defined in krb5.conf(4).
 
         For example, modify the pam.conf(4) file as below to authenticate a
         user who is in the EXAMPLE1.COM realm, which is different from the
         default realm EXAMPLE.COM, using pam_krb5(5).
 
         # Default definitions for Authentication management
         # Used when service name is not explicitly mentioned for authentication
         #
         other   auth requisite          pam_authtok_get.so.1
         other   auth required           pam_dhkeys.so.1
         other   auth required           pam_unix_cred.so.1
         other   auth sufficient         pam_krb5.so.1 debug
         other   auth sufficient         pam_krb5.so.1 realm=EXAMPLE1.COM
         other   auth required           pam_unix_auth.so.1
 
         This causes an initial authentication attempt against the
         default_realm, as configured in the /etc/krb5/krb5.conf file,
         first.  If this fails, an initial authentication attempt against
         the EXAMPLE1.COM realm is made.
 
NOTE 2:  Bug 26396360 (problem with network utility) in this revision
         completes the fix for security bug 26051667 (problem with kernel
         (virtual memory)) included in Kernel Patch revision 150400-53.


README -- Last modified date: Tuesday, April 9, 2019