AlphaServer SC patch kit:
==========================

AlphaServer SC Version : SCv2.5 UK1
Kit Name(s):             Tru64 CSP 1129.00
                         Tru64 CSP 1084.00
Release Date:            April 8th 2003
PTR:                     153-1-3728
IPMT Number:             N/A

Abstract: Security: SSRT3531(sendmail), and SSRT2322, 2341, 2384, 2412, 2439 (libc)

You will need to build and deploy kernels and reboot all nodes to install this patch. This patch can and should be installed on the management station.

Please note that this README is for patches

    SCT64V51AB21-C0112900-17770-ES-20030402
    SCT64V51AB21-C0108400-17361-ES-20030313

These are the Sierra specific versions of the following Tru64 patches.

    T64V51AB21-C0112900-17770-ES-20030402
    T64V51AB21-C0108400-17361-ES-20030313

These patches have been renamed (prefixed by SC) for distribution from the ITRC.

Description of Patch:
=====================

This patch contains two kits that need to be installed:

1) SCT64V51AB21-C0112900-17770-ES-20030402.tar

   This contains the fix for the following problem:

   SSRT3531 - HP Tru64 UNIX, HP-UX sendmail buffer overflow Potential Security Vulnerability

   Note: this supersedes the SSRT3469 - sendmail vulnerability fixes.

2) SCT64V51AB21-C0108400-17361-ES-20030313.tar

   This contains the fix for the following problems:

   SSRT2322 Potential Bind resolver exploit
   SSRT2341 calloc() potential overflow
   SSRT2384 TCP exploit denies all RPC service
   SSRT2412 portmapper hang after port scan with C2 enabled
   SSRT2439 xdrmem_getbytes() potential overflow

Kit checksum:
=============

    # cksum SCT64V51AB21-C0112900-17770-ES-20030402.tar
    1652398128 2867200 T64V51AB21-C0112900-17770-ES-20030402.tar

    # cksum SCT64V51AB21-C0108400-17361-ES-20030313.tar
    3514974777 6041600 T64V51AB21-C0108400-17361-ES-20030313.tar

Updated files:
==============

A list of the files included in this patch is given below along with the cksum values for each file.

Tru64 CSP 1129.00:

    1354695326 627232  /usr/sbin/mailq
                       /usr/sbin/newaliases (a symbolic link)
                       /usr/sbin/sendmail (a symbolic link)
                       /usr/sbin/sendmail.v8.9.3 (a symbolic link)
                       /usr/sbin/smtpd (a symbolic link)

Tru64 CSP 1084.00:

    2713308210 2284576 /shlib/.upd..libc.so
                       /shlib/.upd..libc_r.so (a symbolic link)
    1535640422 2682432 /usr/ccs/lib/libc.a
                       /usr/ccs/lib/libc_r.a (a symbolic link)
    3144634253 635296  /usr/sbin/ypbind

Prerequisites:
==============

This patch requires AlphaServer SC V2.5 UK1. It will not work on V2.5 SSB.

Instructions:
=============

These patches are provided as sc_dupatch installable kits. Unpack each one separately into a directory that is NFS mounted on all domains, e.g. /nfs0/cspkit, and install them one by one as follows:

(Note: You only need to reboot after the second patch is installed):

On the Management Station (if Used):
-----------------------------------

Install each patch using the following commands:

    # /usr/sbin/sc_dupatch -install -kit /nfs0/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -patch all

Rebuild your kernel

    # doconfig -c HOSTNAME

Copy the new kernel to /vmunix

Reboot the machine after both patches have been installed.

    # shutdown -r now

On Domains:
-----------

Install each patch using the following commands:

    # sra command -domains all -member 1 -command '/usr/sbin/sc_dupatch -install -kit /nfs0/CSPkit/patch_kit -name -note -noroll -nolevel2 -noauto -patch all'

Now Build and Deploy the Kernels:

Make sure all nodes are up so that kernels will be built on all nodes

    # sra command -domains all -member 1 -command 'BuildKernels'
    # sra command -domains all -member 1 -command 'DeployKernels'

Reboot the domain nodes after both patches have been installed.

    # sra command -domains all -member 1 -command 'shutdown -ch now'
    # sra boot -domains all

Installation is complete at this point.

Note:
======

If you encounter a message similar to the following:

    ./sys/BINARY/nfs.mod: its origin can not be identified.

then rerun sc_dupatch with the -deps_only flag as follows:

    # /usr/sbin/sc_dupatch -install -kit /tmp/CSPkit/patch_kit -name -note -noroll -nolevel2 -noauto -deps_only -patch all

A full description of -deps_only is provided below:

***********************************************************
----- Details of -deps_only option -----------------

Patches from UNIX support have previously been supplied to AlphaServer SC customers in a manual install format. That is, patches were installed by the customer running a script to copy the patch to the correct location.

The standard UNIX support patches for non-SC customers have always been supplied using the CSP (Customer Specific Patch) format and are installed using the dupatch tool. Patches for SC customers are now also being provided in CSP format and these patches need to be installed using the sc_dupatch tool.

sc_dupatch does some dependency checking to ensure the patches already on the machine are correct. It does this by comparing the checksums of files on the system with its own dependency list. If you have manually installed a patch that is on the dependency list for this new patch, then sc_dupatch will report an error and not install the patch. That is because sc_dupatch is not aware of patches installed manually.

If sc_dupatch reports an error indicating a failure to install one or more patches, check whether this error message was generated by sc_dupatch detecting a mismatch caused by the existence of a manually installed patch.

If you're satisfied that the conflict does arise from a manually-installed patch which you want to override, then a simple workaround is available in the form of the new -deps_only switch. This has been introduced to cater specifically for such situations. It turns off the inventory-checking mechanism so that the pre-install checking is restricted to dependency-checking only.

Simply re-run the install command with the -deps_only flag to skip this inventory check and allow the installation to proceed.
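
Added example, not part of the original README: a POSIX shell check that compares the two kit tarballs against the cksum values listed under "Kit checksum" before anything is unpacked. The function names and the directory argument are assumptions; the file names are the SC-prefixed ones the cksum commands above were run on.

```shell
#!/bin/sh
# Manifest format is "CRC SIZE PATH", the same fields cksum prints.

# kit_manifest DIR: emit the README's kit checksums for tarballs stored in DIR.
kit_manifest() {
    cat <<EOF
# CRC SIZE PATH (values from the "Kit checksum" section)
1652398128 2867200 $1/SCT64V51AB21-C0112900-17770-ES-20030402.tar
3514974777 6041600 $1/SCT64V51AB21-C0108400-17361-ES-20030313.tar
EOF
}

# check_one CRC SIZE PATH: 0 = match, 1 = mismatch, 2 = file missing.
check_one() {
    want_crc=$1 want_size=$2 path=$3
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    # Reading from stdin makes cksum print only "<crc> <size>".
    set -- $(cksum < "$path")
    if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
        echo "OK       $path"
        return 0
    fi
    echo "MISMATCH $path (got $1 $2, expected $want_crc $want_size)"
    return 1
}

# verify_manifest: read manifest lines on stdin; the return status is the
# number of entries that were missing or did not match (0 = all good).
verify_manifest() {
    bad=0
    while read -r crc size path; do
        case $crc in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_one "$crc" "$size" "$path" || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone use: pass the directory holding the downloaded kits,
# e.g. the NFS-mounted /nfs0/cspkit used in the instructions.
if [ "$#" -eq 1 ]; then
    kit_manifest "$1" | verify_manifest
fi
```

cksum is a CRC, so a match shows the kit was not corrupted in transfer; it is not evidence against deliberate tampering.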