
DCE DCEECO1021 DCE V2.1 for DIGITAL UNIX ECO Summary

TITLE: DCE DCEECO1021 DCE V2.1 for DIGITAL UNIX ECO Summary

Modification Date:  20-NOV-98
Modification Type:  New Kit

Copyright (c) Compaq Computer Corporation 1998.  All rights reserved.

PRODUCT:     Distributed Computing Environment (DCE) for DIGITAL UNIX

COMPONENTS:  RPC
             Security
             Kerberos 5 Support
             SIA
             Distributed Time Service (DTS)
             CDS
             DCED
             DFS

OP/SYS:      DIGITAL UNIX [R]

SOURCE:      Compaq Computer Corporation

ECO INFORMATION:

     ECO Kit Name:  DCEECO1021
     ECO Kits Superseded by This ECO Kit:  None
     ECO Kit Approximate Size:  67340 Blocks
                                34478080 Bytes
     Kit Applies To:  DCE V2.1 on DIGITAL UNIX V4.0 - V4.0E
     System/Cluster Reboot Necessary:  No
     Rolling Re-boot Supported:  Information Not Available
     Installation Rating:  INSTALL_UNKNOWN

     Kit Dependencies:

       The following remedial kit(s) must be installed BEFORE
       installation of this kit:

         None

       In order to receive all the corrections listed in this
       kit, the following remedial kits should also be installed:

         None

ECO KIT SUMMARY:

An ECO kit exists for DCE V2.1 on DIGITAL UNIX V4.0 through V4.0E. This kit addresses the following problems:

Corrections to RPC:

  o  Previously, the timer event was being placed on the queue with a stale timestamp. The problem was fixed by making a call to rpc__clock_update() in rpc__timer_set_int() to get an accurate timestamp for the event trigger. In addition, a test was removed that determined whether to signal the timer loop in rpc__timer_set_int() when the timer queue was empty.

  o  A correction was incorporated to allow the use of cluster service addresses.

  o  This release adds a check_unsupported_ifs() function to check for interfaces in RPC_UNSUPPORTED_NETIFS that should be avoided when initializing DLI. The ifs are stored in the static variable unsupported_if_list, and the number of unsupported ifs is stored in the static variable int num_unsupported_ifs.

  o  An array indexing problem in rpc_object_reference::fast_client_ping() has been fixed. Under certain circumstances, the problem caused memory corruptions in seemingly unrelated areas. Zeroing was also added to enhance rpc_object_reference::init_client_ping_list().

  o  RPC runtime corrections made in this release allow an RPC application to reject an unsupported authentication service. Prior to this fix, a request for an unsupported authentication service caused a core dump of the server.

Corrections to Security:

  o  A leak that affected secd was fixed by changes to dce_aud_commit.

  o  The component of the security server that handles invalid logins was built using the assumption that pointers are 4 bytes long, which is not true for Alpha systems. As a result, secd crashed on Alpha systems when invalid login handling was enabled for a principal. This problem was corrected.

  o  The secd lock manager was enhanced to ensure fair access for both readers and writers on a heavily used system. The changes ensure that a succession of readers does not indefinitely delay writers.

  o  Several memory leaks were fixed in the processing of DCE third-party preauthentication data by a DCE security server. Prior to this fix, secd leaked memory with every successful authentication.

Corrections to Kerberos 5 Support:

  o  A problem was fixed that was causing credentials acquisition during an intercell dfs operation to take too long. Previously, in the function krb5_get_cred_from_kdc, a pointer array was not initialized correctly.

  o  A problem was fixed that had blocked the acquisition of a valid ticket from the KDC if an expired matching ticket was present in the cache.

     On the client, the DCE Kerberos ticket acquisition code checks a cache of previously acquired tickets before requesting a ticket from the KDC. If a matching ticket is found in the cache, it is reused, and the KDC is not contacted. The matching process previously failed to check whether a matching ticket in the cache had expired. The presence of an expired matching ticket in the cache could thus prevent the client from consulting the KDC for a valid, non-expired ticket.

Corrections to SIA:

  o  A problem was corrected that caused the file matrix.conf to become corrupted upon DCE reboot. In matrix.conf, the path was not specified for the libsecurity.so entry. The full path is now specified as: /usr/shlib/libsecurity.so.

  o  When a DCE group contains many members, a call to the getgrent routine no longer results in a core dump of the calling program (for example, ls -l).

  o  When DCE SIA is enabled, mailx no longer dumps core.

  o  Users will no longer experience inordinate delays at login when DCE SIA is enabled. Previously, such delays occurred whenever the DCE Registry contained many groups. The delays were caused by making one remote procedure call per group to the security server to compute a user's group memberships. The same information is now obtained by a single remote procedure call to the security server.

  o  When DCE SIA is enabled, the login program performs a DCE authentication. If the authentication succeeds, the environment variable KRB5CCNAME should be set so that programs running within the login environment can inherit the authenticated user's DCE credentials. Previously, the value of KRB5CCNAME was not preserved in the login environment. A fix in this release ensures that KRB5CCNAME is preserved.

  o  Previously, when DCE SIA was enabled, a user with an entry in the passwd_override file was incorrectly prevented from logging in to the local system (in addition to being correctly denied DCE credentials). This problem has been fixed.

  o  The DCE SIA group information server (proxied by dced) now employs the group override facility to localize group information obtained from the DCE registry. Prior to this fix, group overrides were not considered when a user's group memberships were returned from the registry. As a result of this change, the group override facility can be used to constrain or modify a user's DCE group memberships to satisfy local machine security policy.

     Group override processing by the DCE SIA group information server had been inadvertently disabled as the result of a patch distributed to speed up integrated logins where the registry contains many groups. The fix in this ECO preserves the performance improvements provided by the patch while restoring and improving group processing. Group password and gid overrides are now handled correctly.

Corrections to Distributed Time Service:

  o  Minor changes were applied to the following files to improve memory cleanup:

       time/service/mgtrpc.c
       time/service/time_request.c
       time/service/transport_rpc.c
       time/service/dtss_service_main.c
       time/service_dtss_service_global_set.c
       time/service/dtss_service_state.c

  o  Previously, a few DTS functions handled NULL parameters incorrectly. The problem was corrected.

  o  Several changes were made to ParseTime to comply with Year 2000 requirements and to allow for correct leap year calculation in the Year 2000.

Corrections to CDS:

  o  A problem was corrected in the dcecp directory synchronize command that was causing directory synchronization to fail. An error was found in the syntax used by dcecp when it employed the cdscp set dir to new epoch command in the directory synchronization process.

  o  A change made to CDS allows it to handle arbitrarily large output results. The maximum size of the output buffer passed to readentry is now reduced by the size of the area reserved for the progress record. This change eliminates problems such as limitations on the number of member names an nsi group could contain.

  o  The dcecp clearinghouse repair command was fixed. The command no longer returns the error, "Clearinghouse exists but it not available," after a successful clearinghouse repair.

Corrections to DCED:

  o  A change was incorporated to prevent the loss of diagnostic information when DCE is restarted. Previously, whenever dced was restarted, it recreated the log file used to record its error messages. Dced now creates a log file only if one does not exist. When a log file exists, dced appends all new output to the existing file.

  o  The dced concurrent lock manager was modified so that it is no longer vulnerable to thread cancellation. Previously, if a dced thread was canceled while in the process of acquiring or releasing a lock, the lock manager would deadlock on any subsequent lock operations, resulting in a hang of the calling thread, and ultimately of the dced process.

     The use of concurrent locks by dced to serialize reading of the password and override files was made cancel and exception-safe. Prior to this fix, a thread that was canceled or that encountered an exception while holding an override lock would neglect to free the lock for use by other threads. Once an override lock was lost, requests by clients for override service from dced would hang at the server (dced), waiting for a lock. This was especially problematic with the DCE SIA mechanism configured for integrated login, as it could result in an inability to log in to the machine or perform a certified DCE authentication.

Corrections to DFS:

  o  This ECO1 release includes a fix for a dfsbind core dump.

  NOTE: All of the following DFS corrections require rebuilding a kernel and rebooting.

  o  A fix was completed that restricts the range of UDP ports used by DFS. Part one of the implementation was included in the Version 2.1 release: dfsbind reads an environment variable, RPC_RESTRICTED_PORTS, and passes the restriction down to the kernel. This ECO1 release includes part two of the fix: the kernel allocates ports in accordance with the restriction. This fix affects dcedfs.mod.

  o  This release includes a fix for the premature umask application to the mode bits before they are passed to the server. This fix works in conjunction with changes incorporated into DIGITAL UNIX V4.0D. It affects dcedfs.mod.

     If you are running a version of DIGITAL UNIX earlier than 4.0D, do not attempt to apply this fix. An appropriate patch for versions earlier than 4.0D is under development.

     If you do not need the umask fix, no action is required.

     If you are running V4.0D of DIGITAL UNIX or higher and need the umask fix, apply it using the following procedure:

     1. Enter:

          dbx -k /vmunix
          patch dfs_umask_rawmode_fix_present = 1
          quit

     2. Verify that the change has been made:

          dbx -k /vmunix
          print dfs_umask_rawmode_fix_present
          {THIS SHOULD PRINT 1}
          quit

     3. Reboot.

  o  The Cache Manager now passes through the setuid/setgid mode bits of directories without changing the bits. These bits still get turned off on regular files unless the client explicitly enables the capability to leave the bits unchanged. This capability can be set on a fileset with the cm setsetuid command. This change affects dcedfs.mod.

  o  This release includes a change to the token expiration time of freely given tokens. The change was made in response to a problem that caused clients to hang occasionally for approximately 4 minutes, and then return a communications failure. The change affects dcedfs.mod.

  o  Because of insufficient locking, it was previously possible for requests from the kernel to the dfsbind process to be lost. Eventually the kernel would run out of request space and hang. Two fixes were made:

     1. Sufficient locking was added to prevent the loss of requests.

     2. The request queue is periodically pruned of old requests. This enables the administrator to restart dfsbind only, instead of all of DFS, in the event of a problem, and to reclaim the resources that the kernel was using.

INSTALLATION NOTES:

Follow these steps to install the DCE for DIGITAL UNIX V2.1 ECO1 kit.

  1. Verify a successful installation of DCE for DIGITAL UNIX V2.1 before installing the ECO1 kit.

  2. Untar the ECO1 kit into a local directory, using the following command:

       % tar xvf /DCEECO1021.tar

  3. Use the setld procedure to start the installation procedure:

       % setld -l ./output

  4. Select the subsets to install from the following choices:

       DCERTSECO1021
       DCEADKECO1021
       DCEDFSECO1021
       DCESECECO1021
       DCECDSECO1021
       DCEDFSBINECO1021

     To install multiple subsets, enter the number of each subset followed by a space. Use a hyphen between numbers to indicate a range of subsets. An example of the installation screen is in the ECO kit Cover Letter.

  5. After the installation completes successfully, restart DCE by entering the following command:

       % /usr/sbin/dcesetup restart

[R] UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.

All other trademarks are the property of their respective owners.
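
The expired-ticket problem described under "Corrections to Kerberos 5 Support", shown as an added example (not code from the DCE kit or from Compaq): a simplified credential cache in C with the principal-only match beside a lookup that also checks expiry. The struct, the function names, the sample principals and the skew margin are hypothetical and chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical, simplified cache entry; not the DCE or krb5 structures. */
struct ticket {
    const char *server;  /* service principal the ticket was issued for */
    time_t endtime;      /* time at which the ticket expires */
};

/* Constructed sample cache: stale and live entries for the same service. */
static const struct ticket sample_cache[] = {
    { "svc-a/example-cell", 1000 },  /* expired at now = 2000 */
    { "svc-a/example-cell", 9000 },  /* still valid */
    { "svc-b/example-cell", 1500 },  /* expired, no replacement cached */
};
#define SAMPLE_N (sizeof sample_cache / sizeof sample_cache[0])

/* Behaviour before the fix: match on principal only, expiry ignored. */
const struct ticket *lookup_unchecked(const struct ticket *c, size_t n,
                                      const char *server)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(c[i].server, server) == 0)
            return &c[i];
    return NULL;
}

/* Corrected match: skip entries that are expired or expire within `skew`
 * seconds (the margin is an assumption). NULL means "ask the KDC". */
const struct ticket *lookup_valid(const struct ticket *c, size_t n,
                                  const char *server, time_t now, time_t skew)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(c[i].server, server) == 0 && c[i].endtime - now > skew)
            return &c[i];
    return NULL;
}

int main(void)
{
    const struct ticket *old = lookup_unchecked(sample_cache, SAMPLE_N, "svc-b/example-cell");
    const struct ticket *fix = lookup_valid(sample_cache, SAMPLE_N, "svc-b/example-cell", 2000, 300);
    printf("unchecked: endtime=%ld; checked: %s\n", (long)old->endtime,
           fix ? "cached ticket" : "request from KDC");
    return 0;
}
```

With the unchecked lookup, the stale first entry hides both the live cached ticket and the path to the KDC, which is the failure the advisory describes.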



This patch can be found at any of these sites:

Colorado Site
Georgia Site
European Site



Files on this server are as follows:

dceeco1021.README
dceeco1021.CHKSUM
dceeco1021.CVRLET_TXT
dceeco1021.tar