AlphaServer SC patch kit: ========================== AlphaServer SC Version : SCv2.5 UK1 Kit Name: t64v51ab21-c0126900-19156-es-20030702 Release Date:09192003 PTR:153-1-4145 IPMT Number: None Abstract: Release of SSRT3507 for Sierra version SCv2.5 UK1 Please NOTE that this kit is already available from ITRC as a Tru-64 patch. It comes with its own (non Sierra specific) instructions. ITRC will not allow duplicate versions of the same patch to be held under both Tru-64 and Sierra, so we have created this Sierra version (renaming the original with prefix "sc") in order to allow us to hold our own set of Sierra specific instructions. Description of Patch: ===================== A potential security vulnerability has been reported in the HP Tru64 UNIX terminal emulator code that may result in a Denial of Service (DoS). The potential vulnerability may be in the form of local and remote security domain risks. The following potential security vulnerability has been corrected: SSRT3507 - dtterm (Severity - High) Prerequisites: ============== Before installing this Patch kit, you should ensure the following: 1) You have all mandatory patches for this release installed Kit checksum: ============= cksum t64v51ab21-c0126900-19156-es-20030702.tar 974848695 2785280 t64v51ab21-c0126900-19156-es-20030702.tar Updated files: ============== A list of the files included in this patch is given below along with the cksum values for each file. cksum /usr/dt/bin/dtterm 2858148185 529168 /usr/dt/bin/dtterm Instructions: ============= This patch is provided as an sc_dupatch installable kit. Unpack it into a directory that is NFS mounted on all domains e.g. /usr/cspkit and follow the following steps to install it: Patch required on Management Server (if used) : YES Patch required on Domains : YES Note: Installing this patch does not require you to re-buuild new Kernels. It does however require you to reboot your nodes. 1) Verify that you have the correct version of sc_dupatch (patch installation tool) as follows: # ident /usr/sbin/sc_dupatch $RCSfile: sc_dupatch,v $ $Revision: 1.2.4.11 $ $Date: 2003/03/13 10:58:04 $ The version number should be at least 1.2.4.11. If not, replace it with the copy of sc_dupatch specified in Appendix A.2 2) Verify that it is possible to install the patches as follows: On the Management Server (if used) #/usr/sbin/sc_dupatch -install -kit /usr/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -precheck_only -patch all On Domains: # sra command -domains all -member 1 -command '/usr/sbin/sc_dupatch -install -kit /tmp/CSPkit/patch_kit -name -note -noroll -nolevel2 -noauto -precheck_only -patch all' Note: ====== if you encounter a message similiar to the following : ./sys/BINARY/nfs.mod: its origin can not be identified. then, you will need to run the actual installation (Step 3) with the " -deps_only " flag. For Example: # /usr/sbin/sc_dupatch -install -kit /tmp/CSPkit/patch_kit -name -note -noroll -nolevel2 -noauto -deps_only -patch all A full description of -deps_only is provided in Appendix A.1 below: 3) Now Run the Patch Installation as follows: On the Management Server (if Used): ----------------------------------- Install the patch using the following commands: #/usr/sbin/sc_dupatch -install -kit /usr/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -patch all Reboot the machine # shutdown -r now On Domains: ----------- Install the patch using the following commands: # sra command -domains all -member 1 -command '/usr/sbin/sc_dupatch -install -kit /tmp/CSPkit/patch_kit -name -note -noroll -nolevel2 -noauto -patch all' Shutdown the Domains: # sra command -domains all -member 1 -command 'shutdown -ch now' Now boot All nodes: # sra boot -domains all ******************************************************************************* Appendices: =========== A.1 Details of -deps_only option -------------------------------- Patches from UNIX support have previously been supplied to AlphaServer SC customers in a manual install format. That is, patches were installed by the customer running a script to copy the patch to the correct location. The standard UNIX support patches for non-SC customers have always been supplied using the CSP (Customer Specific Patch) format and are installed using the dupatch tool. Patches for SC customers are now also being provided in CSP format and these patches need to be installed using the sc_dupatch tool. sc_dupatch does some dependency checking to ensure the patches already on the machine are correct. It does this by comparing the chksums of files on the system with its own dependency list. If you have manually installed a patch that is on the dependency list for this new patch, then sc_dupatch will report an error and not install the patch. That is because sc_dupatch is not aware of patches installed manually. If sc_dupatch reports an error indicating a failure to install one or more patches, check whether this error message was generated by sc_dupatch detecting a mismatch caused by the existence of a manually installed patch. If you're satisfied that the conflict does arise from a manually-installed patch which you want to override, then a simple workaround is available in the form of the new deps_only switch. This has been introduced to cater specifically for such situations. It turns off the inventory-checking mechanism so that the pre-install checking is restricted to dependency-checking only. Simply re-run the install command with the deps_only flag to skip this inventory check and allow the installation to proceed. A.2 Location of sc_dupatch -------------------------- The latest version of sc_dupatch is available from: ftp://ftp.ilo.cpqcorp.net/pub/sierra/patches/V2.5/