AlphaServer SC patch kit:
==========================

AlphaServer SC Version : SC V2.6 UK1
Kit Name: T64KIT1000111-V51BB25-S-20051117:C1363.04
Release Date: 21 November 2005
QuIX: QXCM1000294567
WFM Case: 3212502707-321

Abstract: Backport of SSRT4743, SSRT4884 to SC V2.6 UK1

Description of Patch:
=====================

This kit contains a port of the fix for SSRT4743, SSRT4884 rev.0
HP Tru64 UNIX TCP/IP remote Denial of Service (DoS) to SC V2.6 UK1.
This is a backport of the fixes in the standard Tru64 Unix patch
T64KIT0026436-V51BB25-ES-20050914.

For a full description of SSRT4743 and SSRT4884 see the Tru64 Unix
Internet security software downloads web site at
http://h30097.www3.hp.com/unix/security-download.html

This patch also includes the following fixes from earlier patches:

From T64KIT0026611-V51BB25-20051006:
  Fixes a problem where a system running with login auditing enabled
  can panic with a kmf because an audit operation writes into memory
  beyond the end of the allocated audit buffer.

From T64KIT0026606-V51BB25-20051005:
  Fixes a problem in the alt driver that caused hwmgr to display an
  incorrect value for mtu on these cards.

From T64KIT0026381-V51BB25-20050908:
  Fixes a problem where the mtu was not being set on startup on fibre
  channel gigE cards with R15 installed.

From T64KIT0025283-V51BB25-20050405 aka R15:
  Allows IPv6 MTU to be set beyond 1500 bytes on ethernet and also
  enables JUMBOFRAMES by default on gigabit cards.

From T64KIT0025273-V51BB25-20050404 aka R01:
  Fix for a node hang with "alt0:null mbuf" message on the console.

From T64KIT0025018-V51BB25-S-20050227:
  Fix for the problems described in security bulletin SSRT4696.
  Full details of SSRT4696 can be found on the SSRT web site at
  http://h30097.www3.hp.com/unix/security-download.html

  Fix for a problem that can cause socket data transfers to be very
  slow when using the MSG_WAITALL flag in a recv() call.

From T64KIT0024453-V51BB25-E-20041212:
  A backport of the Tru64 Unix early release patch (ERP) BU041102_EW01.
  This is effectively a backport of the Alteon (alt) gigE driver
  V2.0.22 to SC V2.6 UK1 and fixes a problem that causes an
  "invalid link address" kernel panic. Stack traces for the problem
  vary, but the panic string is always "invalid link address" and the
  stack trace always contains the routine alt_recv_complete().

  A full description of BU041102_EW01 can be found on the Tru64 Unix
  web site at http://h30097.www3.hp.com/unix/erp/BU041102_EW01.html

Kit location:
=============

The patch kit is T64KIT1000111-V51BB25-S-20051117.tar and it can be
downloaded from ITRC.

Prerequisites:
==============

Before installing this Patch kit, you should ensure the following:

1) You have all mandatory patches for this release installed

Kit checksum:
=============

# cksum T64KIT1000111-V51BB25-S-20051117.tar
3777285849 5345280 T64KIT1000111-V51BB25-S-20051117.tar

Updated files:
==============

A list of the files included in this patch is given below along with
the cksum values for each file:

1559486750 334178 /sys/BINARY/alt.mod
1138331358 428830 /sys/BINARY/bcm.mod
2854915980 243755 /sys/BINARY/dec_audit.mod
2872470555 581538 /sys/BINARY/inet.mod
780289464 437873 /sys/BINARY/ipv6.mod
2416562660 344480 /sys/BINARY/net.mod
817267716 12386 /sys/BINARY/sec.mod
2805855409 669515 /sys/BINARY/vfs.mod
1231591142 7316 /usr/lib/nls/msg/en_US.ISO8859-1/audit_tool.cat
962401210 6509 /usr/lib/nls/msg/en_US.ISO8859-1/auditd.cat
2897529993 252784 /usr/sbin/audit_tool
3090129766 109616 /usr/sbin/auditd

Instructions:
=============

This patch is provided as an sc_dupatch installable kit.
Unpack it into a directory that is NFS mounted on all domains e.g.
/nfs/cspkit and follow these steps to install it:

Patch required on Management Server (if used) : YES
Patch required on Domains                     : YES

1) Verify that it is possible to install the patches as follows:

   On the Management Server (if used):

   # /usr/sbin/sc_dupatch -install -kit /nfs/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -precheck_only -patch C1363.04

   On Domains:

   # scrun -d all -m 1 '/usr/sbin/sc_dupatch -install -kit /nfs/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -precheck_only -patch C1363.04'

   Note:
   ======
   If you encounter a message similar to the following:

       ./sys/BINARY/nfs.mod: its origin can not be identified.

   then you will need to run the actual installation (Step 3) with
   the "-deps_only" flag. For example:

   # /usr/sbin/sc_dupatch -install -kit /nfs/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -deps_only -patch C1363.04

   A full description of -deps_only is provided in Appendix A.1 below.

2) Now run the patch installation as follows:

   On the Management Server (if used):
   -----------------------------------

   Install the patch using the following commands:

   # /usr/sbin/sc_dupatch -install -kit /nfs/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -patch C1363.04

   Rebuild your kernel:

   # doconfig -c HOSTNAME

   Copy the new kernel to /vmunix

   Reboot the machine:

   # shutdown -r now

   On Domains:
   -----------

   Install the patch using the following commands:

   # scrun -d all -m 1 '/usr/sbin/sc_dupatch -install -kit /nfs/cspkit/patch_kit -name -note -noroll -nolevel2 -noauto -patch C1363.04'

   Now build and deploy the kernels. Make sure all nodes are up so
   that kernels will be built on all nodes:

   # scrun -d all BuildKernels
   # scrun -d all DeployKernels

   Reboot the domains:

   # sra shutdown -domains all
   # sra boot -domains all

Installation is complete at this point.

Once the patch is installed and you are satisfied that it is working
correctly, the GENERIC kernels should also be updated using the
following command:

# scrun -d all DeployKernels -g

*******************************************************************************

Appendices:
===========

A.1 Details of -deps_only option
--------------------------------

Patches from UNIX support have previously been supplied to AlphaServer
SC customers in a manual install format. That is, patches were
installed by the customer running a script to copy the patch to the
correct location.

The standard UNIX support patches for non-SC customers have always
been supplied using the CSP (Customer Specific Patch) format and are
installed using the dupatch tool. Patches for SC customers are now also
being provided in CSP format and these patches need to be installed
using the sc_dupatch tool.

sc_dupatch does some dependency checking to ensure the patches already
on the machine are correct. It does this by comparing the checksums of
files on the system with its own dependency list. If you have manually
installed a patch that is on the dependency list for this new patch,
then sc_dupatch will report an error and not install the patch. That is
because sc_dupatch is not aware of patches installed manually.

If sc_dupatch reports an error indicating a failure to install one or
more patches, check whether this error message was generated by
sc_dupatch detecting a mismatch caused by the existence of a manually
installed patch.

If you're satisfied that the conflict does arise from a
manually-installed patch which you want to override, then a simple
workaround is available in the form of the new -deps_only switch. This
has been introduced to cater specifically for such situations. It turns
off the inventory-checking mechanism so that the pre-install checking
is restricted to dependency-checking only.
Simply re-run the install command with the -deps_only flag to skip this
inventory check and allow the installation to proceed.
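
Added example (not part of the original kit notes): the "Kit checksum"
and "Updated files" sections both use the "CRC SIZE PATH" layout that
cksum prints, so they can be saved to a text file and checked
mechanically before and after installation. The function name, the
optional ROOT argument and the script file name are assumptions made
for this example.

```shell
#!/bin/sh
# Added example, not part of the kit. Checks files against a manifest of
# "CRC SIZE PATH" lines, the layout cksum prints and this README uses.
#
# verify_manifest MANIFEST [ROOT]
#   MANIFEST  text file, one "crc size path" entry per line
#   ROOT      optional prefix for each path (assumption: lets the check
#             run against an unpacked copy rather than the live system)
# Prints one status line per entry; returns 0 only if every entry matches.
verify_manifest() {
    manifest=$1
    root=${2:-}
    bad=0
    # The "|| [ -n ... ]" also handles a last line with no newline.
    while read -r want_crc want_size path || [ -n "$want_crc" ]; do
        # Skip blank lines and '#' comments in the manifest.
        case $want_crc in
            ''|'#'*) continue ;;
        esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"
            bad=1
            continue
        fi
        # With no file operand cksum prints only "crc size"; awk
        # normalises the spacing so a plain string compare is safe.
        got=$(cksum < "$file" | awk '{ print $1, $2 }')
        if [ "$got" = "$want_crc $want_size" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (expected $want_crc $want_size, got $got)"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Command-line use (script and manifest file names are hypothetical):
#   sh verify_manifest.sh updated_files.txt
if [ "$#" -gt 0 ]; then
    verify_manifest "$@"
fi
```

A MISMATCH on a file in the list after installation means the file on
disk is not the one shipped in this kit, which is worth resolving
before relying on the SSRT4743/SSRT4884 fix being in place.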