Patches:
Download Patch (944837 bytes): HTTP 
Download Signed Patch (948491 bytes): HTTP 

Obsoleted by: 113451-12 SunOS 5.9: IKE patch


Disclaimer: 

Please note: Although OBSOLETED patches are available on SunSolve, Sun recommends using the most recent patches and the most recent revision of those patches. OBSOLETED patches do not include the latest bug fixes and/or product enhancements, and may require the installation of additional patches as a corrective measure.

Status: OBSOLETE
Patch Id: 113451-11
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
Summary: Obsoleted by: 113451-12 SunOS 5.9: IKE patch
Date:  May/01/2006
Installation Requirements:
Reconfigure immediately after patch is installed
Install in Single User Mode
Solaris Release: 9
Sun OS Release: 5.9
Unbundled Product: 
Unbundled Release: 
Xref: This patch available for x86 as patch 114435
Topic: 
SunOS 5.9: IKE patch
Relevant Architecture: sparc
BugId's fixed with this patch:

4508547 4628774 4628901 4653051 4666686 4667873 4671563 4673333 4673338 4687237 4704460 4731575 4739746 4741543 4742619 4745493 4745709 4752466 4762219 4804299 4823665 4832562 4840090 4842368 4890236 4919747 4919802 4927429 4930399 4941232 4974853 4976759 4977335 4982429 5016628 6259973 6265403 6268124 6316863 6317027 6326584 6331159 6333693 6340770 6347364 6348585 6367959

Changes incorporated in this version:

6326584 6331159 6333693 6340770 6347364 6348585 6367959

Patches accumulated and obsoleted by this patch:

115260-01

Patches which conflict with this patch: 

Required Patches:

Obsoleted by:
 
Files Included in this Patch: 
/etc/security/exec_attr
/usr/lib/abi/abi_libike.so.1
/usr/lib/abi/abi_libikecert.so.1 (deleted)
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libike.so.1
/usr/sbin/ikeadm
/usr/sbin/ikecert
Problem Description: 
6347364 SafeNet plugs ASN.1 leaks
6348585 ISAKMP notification sent to peer contains garbage
6367959 Large numbers of certlib entries corrupt active Phase I SA state.
6333693 in.iked needs better handling of port-only selectors
6340770 multiple-personality disorder affects inverse_acquire, too
6331159 If the only pre-shared key is deleted, the IKE daemon can not add new keys from a file
6326584 comedy of mismerges puts a quarter-twist into quick mode identities
 
(from 113451-10)
 
6316863 in.iked stops responding after 8 hours because cookies have been updated
6265403 Short-lived Phase I SAs get bitten by libike's retransmit-driven delayed cleanup
6259973 IKE phase2 exchange fails to occur when phase1 SA near expiry
6268124 ikeadm won't remove expiring phase1 SA's by address
6317027 libike tries to dereference the wrong negotiation
 
(from 113451-09)
 
5016628 ikecert certrldb -e "certspec" does not work
4976759 Callers of ssh_x509_crl_decode() should check for SSH_X509_OK/FAILURE
4977335 ssh_x509_crl_decode() can fail but return SSH_X509_OK
4974853 certrldb will dump core if pem_to_ber() returns NULL
 
(from 113451-08)
 
4982429 patch 113451-06 adds certlocal entry to exec_attr redundantly
 
(from 113451-07)
 
4762219 ikeadm write preshared causes in.iked heartburn
4941232 Deleting P1 SAs by address should delete ALL matching P1 SAs
 
(from 113451-06)
 
4804299 Failed to change the default value of 28800 for Phase 2 SA's via p2_lifetime_sec
4919747 p2_lifetime default value is too high
4919802 Solaris IKE does not negotiate p2_lifetime_secs when creating an SA
4667873 in.iked door protocol handles some key lengths badly
4840090 Why is add_new_sa() called before a phase1_t is linked to a Phase 1 pm_info?
4890236 in.iked botches PF_KEY identity extensions
4927429 Some deleted Phase Is linger slightly too long.
 
(from 113451-05)
 
4930399 ASN.1 patches from SSH, Inc.
 
(from 113451-04)
 
        This revision accumulates S9U5 feature point patch 115260-01.
 
(from 113451-03)
 
4673333 IKE should support hardware assist for certs and Oakley groups
4666686 Patch libike with 4/8/2002 SSH patches
4687237 ssh_fatal() calls abort()
4704460 ikeadm:  strcpy() should be replaced by strlcpy()
4739746 single-buffer memory leak in start_ike_servers()
4745493 More patches from SSH Inc.
4745709 SSH IKE code leaks hostent structures
 
(from 113451-02)
 
4628774 Upgrade SSH IKE library to 4.2 from 2.1
4653051 ikecert certlocal -kc ... fails without an altname (-A option)
4508547 ikeadm errors are vague
4628901 in.iked should be compiled with _REENTRANT defined
4741543 The patch 113451-01 doesn't replace the abi_libikecert.so.1 properly
 
(from 113451-01)
 
4628774 Upgrade SSH IKE library to 4.2 from 2.1
4653051 ikecert certlocal -kc ... fails without an altname (-A option)
4508547 ikeadm errors are vague
4628901 in.iked should be compiled with _REENTRANT defined
 
(from 115260-01)
 
4671563 RFE: ikecert -lv should list algorithm signature
4673338 IKE should support HW storage of private keys and certificates
4731575 IKE should work with IPv6
4742619 HW-IKE should be more robust when choosing pkcs11 slots
4752466 Race in in.iked causes coredump in add_new_sa().
4823665 in.iked becomes confused about sender and receiver
4832562 certdb malformed cert causes core dump
4842368 Memory leak for rsa_encryption initiator
Revision History: 

113451-04 113451-03 113451-10 113451-06 113451-02 113451-08 113451-07 113451-09 113451-05

Patch Installation Instructions: 
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
 
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.
Special Install Instructions: 
-----------------------------
 
Perform patch installation in single user mode.
Perform a reconfiguration boot, boot -r, after patch installation.
 
NOTE 1:  To get the complete Hardware Acceleration for IKE feature, please
         also install the following patch:
 
         114125-01 (or greater)  config.sample
 
NOTE 2:  To get the complete Hardware Key Storage for IKE and
         IKE for IPv6 feature, please also install the following patch:
 
         112904-10 (or greater)  ipsecah patch

README -- Last modified date:  Thursday, February 8, 2007

 
 
Article Details
Article ID : 113451-11
Article Type : Patch Descriptions
Last reviewed : 2006-05-01
Audience : PUBLIC
Keywords : security ike rfe ssh inet ikecert footprint ipv6