UnixWare 7.1.4 Maintenance Pack 1
Release Notes
July 2004

Dear SCO Customer,

This CD contains UnixWare 7.1.4 Maintenance Pack 1. This Maintenance Pack
contains important fixes to your UnixWare system and should be applied at
your next maintenance period.

------------------------------------------------------------------------

Contents

   I.   Software Notes and Recommendations
   II.  Installation Instructions
   III. Removal Instructions
   IV.  Comprehensive List of Problems Fixed
   V.   File Contents
   VI.  Escalation Fixes in this Maintenance Pack

------------------------------------------------------------------------

I. Software Notes and Recommendations

1. The UnixWare 7.1.4 Maintenance Pack 1 should only be installed on:

      UnixWare 7.1.4

2. If you are performing an in place upgrade to UnixWare 7.1.4 from
   UnixWare 7.1.1, UnixWare 7.1.2 (Open UNIX 8.0.0), or UnixWare 7.1.3,
   you must reboot the system after upgrading and before installing this
   maintenance pack.

3. This maintenance pack consists of several sets and packages. An
   install.sh script is provided to simplify installation, as described
   in the Installation Instructions, below. Use of this script is highly
   recommended.

   The install.sh script installs the following:

   o The required uw714mp1 maintenance pack set.

   o Newer versions of 11 other packages (cups, foomatic, hpijs, nics,
     openssh, openssl, openssld, samba, xcontrib, xserver, and uccs),
     provided earlier versions of those packages were already installed
     on your system.

   o Updated documentation via the uw7mpdoc package.

4. Alternatively, with care you can install the packages individually.
   However, you should note the following:

   A. The uw714mp1 (UnixWare 7.1.4 Maintenance Pack 1) set is required
      for all systems.

   B. The following packages are required to be updated, that is, you
      need to install them if you have an earlier version installed on
      the system.

      + cups (Common Unix Printing System), version 1.1.19-02
      + openssh (Open Secure Shell), version 3.8.1p1
      + samba (SMB based file/printer sharing), version 3.0.4
      + xcontrib (X11R6 Contributed X Clients), version 8.0.2a

   C. The following packages are strongly recommended:

      + nics (Netdriver Infrastructure and Configuration Subsystem),
        version 8.0.2a
      + openssl (OpenSSL - Secure Sockets Layer / TLS Cryptography
        Toolkit), version 0.9.7d
      + xserver (X11R6 X Server), version 8.0.2a

   D. The following packages are optional:

      + foomatic (Foomatic Filters and PPDs), version 3.0.0-02
      + hpijs (HP Inkjet Printer Driver), version 1.5-01
      + modjk1 (Additional Modules for Perl), version 2.0.4
        Note: By default, the install.sh script does not install this
        package.
      + openssld (OpenSSL Documentation - Secure Sockets Layer / TLS
        Cryptography Toolkit), version 0.9.7d
      + uccs (OUDK Optimizing C Compilation System), version 8.0.2a
      + uw7mpdoc (Updated Base System Guides), version 7.1.4a

5. If you did not install some of the above packages when initially
   installing UnixWare 7.1.4, and you want to do so now, you can use the
   install.sh script to install these packages. You do not need to first
   install the original UnixWare 7.1.4 version. Please refer to the
   Installation Instructions, below.

6. uw714mp1 is a set and contains the following packages:

      uw714m1      UnixWare 7.1.4 Maintenance Pack 1 package
      libc         Runtime C Library package, version 8.0.2a
      libthread    Runtime Thread Library package, version 8.0.2a
      pam          Pluggable Authentication Modules, version 0.77

   Installing uw714mp1 will update the libc and libthread runtime
   libraries as well as installing the uw714m1 and pam packages. The
   runtime libraries, once installed, are not removable.

7. After installing UnixWare 7.1.4 Maintenance Pack 1, or on a later
   pkgadd, you may see this warning message:

      Please reinstall the package. Failure to do so may leave your
      system in an inconsistent state.

   This means that one or more core packages updated by this maintenance
   pack were installed after installing the pack, so the uw714m1 package
   needs to be reinstalled to update your system. To do this, mount the
   maintenance pack CD and type:

      pkgadd -d /mount_point/images/uw714mp1.image uw714m1

   Then reboot your system:

      shutdown -i6 -g0 -y

8. If you are installing UnixWare 7.1.4 Maintenance Pack 1 on a system
   that was previously upgraded from UnixWare 7.1.1, you may see messages
   like the following after the installation of the libc, libthread and
   pam packages:

      collect: Cannot write ./dfhAI1k7rZ007231 (bfcommit, uid=0, gid=3): Permission denied.

   These messages can be safely ignored.

9. This maintenance pack contains security enhancements, including
   changes to numerous file and directory permissions. To obtain the full
   advantage of these enhancements on systems that contain the obsolete
   scohelp package, it is recommended that you remove the scohelp package
   prior to installing this maintenance pack. The SCOhelp documentation
   server has been replaced by DocView since UnixWare 7.1.3.

   If you have upgraded from a prior release, you can check for the
   existence of the scohelp package on your system with the command:

      pkginfo scohelp

   To remove the package, type the following command as root:

      /etc/scohelphttp stop

   Followed by:

      pkgrm scohelp

10. This version of the maintenance pack supersedes the following
    supplements which may have been withdrawn from the download site:

    o ptf9050, the UnixWare 7.1.4 Licensing Supplement

11. For a list of issues that this Maintenance Pack addresses, please see
    the Comprehensive List of Problems Fixed, below.

12. If you have questions regarding this supplement, or the product on
    which it is installed, please contact your software supplier or
    support representative.

------------------------------------------------------------------------

II. Installation Instructions

1. Log in as root.

2. If you are installing the maintenance pack from CD, insert the
   maintenance pack CD into the primary CD drive and type:

      mount /dev/cdrom/cdrom1 /install

   If you are installing this maintenance pack from the web or ftp site,
   download the uw714mp1.iso file to your server. In the directory where
   you downloaded the uw714mp1.iso file, type:

      mount `marry -a uw714mp1.iso` /install

3. Change directory to /install:

      cd /install

4. To install the required uw714mp1 set and update the supplemental
   packages on your system with the newer UnixWare 7.1.4 Maintenance
   Pack 1 versions, type:

      ./install.sh

   or

      ./install.sh -v

   The optional -v flag provides more status information during the
   installation.

   Note the modjk1 package is not installed by default; you will need to
   install this package separately if you require it.

   If you instead want to individually install packages, run the
   following command:

      ./install.sh [packages]

   where packages is one or more of the following:

      cups        required
      openssh     required
      samba       required
      xcontrib    required
      nics        strongly recommended
      openssl     strongly recommended
      xserver     strongly recommended
      foomatic    optional
      hpijs       optional
      modjk1      optional
      openssld    optional
      uccs        optional
      uw7mpdoc    optional

5. After all desired packages are installed, reboot the system by typing:

      shutdown -i6 -g0 -y

------------------------------------------------------------------------

III. Removal Instructions

1. Log in as root.

2. To remove the maintenance pack set (except for its library packages,
   which are not removable), type:

      pkgrm uw714mp1

   Note that removal of the uw714mp1 set is not recommended.

3. To remove the supplemental packages for this maintenance pack (i.e.,
   the packages listed in Software Notes and Recommendations, except for
   the uw714mp1 set) and restore your system to its prior state:

   A. Remove the supplemental package. Note that you may first need to
      remove any packages that depend on the supplemental package.

   B. Reinstall the UnixWare 7.1.4 media kit version of the supplemental
      package.

   C. Reinstall any other packages that you removed in A, above, that
      depend on the supplemental package you restored in B.

   To avoid having to perform all these steps, we recommend that the
   supplemental packages, once installed, should not be removed.

4. After all the packages are removed, reboot the system by typing:

      shutdown -i6 -g0 -y

------------------------------------------------------------------------

IV. Comprehensive List of Problems Fixed

A. The UnixWare 7.1.4 Maintenance Pack 1 set, uw714mp1, contains the
   following fixes:

   Feature and usability enhancements:

   1. The following UnixWare 7.1.4 functionality is now provided:

      + Pluggable authentication modules (PAM) support
      + Encrypted file system support

      These features are described in the online documentation that is
      provided with the uw7mpdoc package that accompanies this
      maintenance pack. See the "New Features and Notes" section of the
      online documentation.
      fz528611 fz529097

   2. Intel microcode updates.
      erg712621/ptf9050/fz529619

   3. kcrash macros updates.
      fz529663

   4. Additional source files for DBA usage with MySQL provided by the
      SCOx enablement package. Modified Makefile, eelsdba_mysql.c,
      initdb.mysql and README are provided for use with latest MySQL
      Package.
      fz529851

   5. Enabled large file support in compress.
      fz529876

   Security improvements:

   6. SECURITY: Some files and directories were created incorrectly
      allowing write permission to arbitrary users. Some system daemons
      were running with a file creation mask (umask) set to 0.
      fz528862

   7. SECURITY: Security vulnerability issues in TCP are fixed according
      to this IETF draft:
      http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt.
      erg712598/fz529384

   8. SECURITY: Two new inconfig tunables have been introduced to address
      the TCP Rose Attack:

      + ip_maxfragpackets
        This is the maximum number of fragmented packets that IP will
        accept. The default is 800.

      + ip_maxfragsperpacket
        This is the maximum number of fragments per packet that IP will
        accept. The default is 16.

      erg712605/fz529414

   Reliability improvements:

   9. Fixed panic on errant umem_free() in [g|s]etgroups_sco.
      fz528775

   10. Fixed a memory corruption bug caused by not stopping netbios when
       the system was brought to init state 1.
       ptf9050b/fz529565

   11. Fixed process hangs due to race between exiting children and
       SIGCLD processing in the parent.
       erg712596/fz529361

   Networking improvements:

   12. Changed use of types u_[short,int,long] to u[short,int,long]_t in
       since the former are not always defined.
       fz529581

   13. The SHUT_RD, SHUT_WR, and SHUT_RDWR macros in are defined only
       when at least one XOPEN-ish feature test macro is defined. This is
       counter to our "everything visible by default" model for headers.
       The TOG SUS says that SHUT_* macros can be defined in general, so
       there's no reason not to define these with no conditional
       inclusion coverage.
       fz529698

   14. Under some circumstances, ppp can go into an infinite loop of read
       calls in the libnsl ics_read_data() routine.
       erg712620/fz529611

   Installation tools improvements:

   15. By the time pkgadd executes the preinstall script of a package, it
       has already updated the contents file with the information from
       the package's pkgmap file. Hence if the preinstall script is
       terminated for some reason, the contents file is left in a bad
       state - the files are not installed on the system but they are
       present in the contents file. This has been fixed so that the
       contents file is not updated until the files are installed.
       fz519105

   16. Fixed a problem where pkginstall, pkgremove and installf can
       destroy the software contents file if it is already locked by
       another process.
       fz198541

   Licensing improvements:

   17. The license policy daemon ignores custom licenses from earlier
       releases.
       For example, if your system license had previously included extra
       users, not separately licensed but included in your original,
       those users would be ignored. This has been fixed.
       ptf9050a/fz529560

   Runtime C Library (libc) fixes:

   18. Bad parsing of some special strings in string-to-floating code.
       (provided in libc version 8.0.2a)
       fz529765

   Runtime Thread Library (libthread) fixes:

   19. Oracle may hang while starting by going into an infinite loop in
       libthread's thr_keycreate().
       (provided in libthread version 8.0.2a)
       erg712658/fz529884

B. Additional bug fixes and enhancements are provided with the
   supplemental packages that are distributed with UnixWare 7.1.4
   Maintenance Pack 1, as described below.

   Documentation:

   1. The Updated Base System Guides (uw7mpdoc) package, version 7.1.4a,
      provides documentation for the PAM, encrypted file system, modjk1,
      and Samba features delivered with uw714mp1 and its supplemental
      packages.

   PAM:

   2. The following supplemental packages have been updated to enable
      support for PAM. They can only be installed if the pam package
      (contained in uw714mp1 set) is installed:

      + The Common Unix Printing System (cups) package, version 1.1.19-02
      + The Open Secure Shell (openssh) package, version 3.8.1p1
      + The SMB based file/printer sharing (samba) package, version 3.0.4
      + The X11R6 Contributed X Clients (xcontrib) package, version
        8.0.2a

   The Open Secure Shell (openssh) package, version 3.8.1p1, contains
   these fixes:

   3. OpenSSH has been updated to version 3.8.1p1 to enable PAM.
      fz528611

   4. SECURITY: OpenSSH only gives significance to the first 8 characters
      of a password. This was fixed by enabling PAM in OpenSSH 3.8.1p1.
      erg712648/fz529827

   The SMB based file/printer sharing (samba) package, version 3.0.4,
   contains these fixes:

   5. Samba has been updated from version 3.0.0 to 3.0.4 to enable PAM
      and to provide multibyte support.
      fz529665

   6. Swat server status page shows smbd "not running" even when it is.
      fz528969

   The Netdriver Infrastructure and Configuration Subsystem (nics)
   package, version 8.0.2a, contains these fixes:

   7. A time delay of 1 sec in dlpiclose() was causing some applications,
      e.g. getmany (accessing mib-2 table) to consume large amounts of
      CPU time. This time-delay ensured that all in-transit packets were
      processed before closing the SAP.

      This delay is removed and the code reworked to use message based
      synchronization during closedown. dlpiclose() now constructs a
      M_CTL packet containing a message of type dl_ctlmsg_t. This message
      contains DLPI primitive set as DL_CLOSESAP and a pointer to the SAP
      structure. This message is enqueued at the DLPI lower read queue so
      that dlpilrsrv will handle it. It then goes to sleep. When
      dlpilrsrv receives this message, it is assured that all messages
      before it have been sent upstream, i.e. there are no in-transit
      packets. dlpilrsrv signals dlpiclose to close the SAP.
      erg712282/fz526486

   The OpenSSL - Secure Sockets Layer / TLS Cryptography Toolkit
   (openssl) and OpenSSL Documentation (openssld) packages, version
   0.9.7d, contain these fixes:

   8. SECURITY: OpenSSL (openssl) has been updated to version 0.9.7d to
      fix security issues with earlier versions.
      erg712602/fz529411

   9. The OpenSSL Documentation - Secure Sockets Layer / TLS Cryptography
      Toolkit (openssld) package, version 0.9.7d, provides the updated
      documentation for the openssl version 0.9.7d package.

   The X11R6 X Server (xserver) package, version 8.0.2a, contains these
   fixes:

   10. SECURITY: Some files and directories were created incorrectly
       allowing write permission to arbitrary users. Some system daemons
       were running with a file creation mask (umask) set to 0.
       fz528862

   The Foomatic Filters and PPDs (foomatic) package, version 3.0.0-02,
   and the HP Inkjet Printer Driver (hpijs) package, version 1.5-01,
   contain this fix:

   11. Fixed obscure corruption of a few data files.
       fz529615

   The Additional Modules for Perl (modjk1) package, version 2.0.4,
   contains this fix:

   12. Provides the modjk connector for Apache 1 and Tomcat. Apache 2
       users do not need this package.

       Note: This package is not installed by default. Customers
       requiring this functionality should install the modjk1 package
       from the UnixWare 7.1.4 Maintenance Pack CD by running:

          cd mount_point
          ./install.sh modjk1

       This package will not conflict with modjk for Apache 2 & Tomcat as
       the library is installed in a different location.
       fz529629

   The OUDK Optimizing C Compilation System (uccs) package, version
   8.0.2a, contains these fixes:

   13. With the introduction of NSS, SCO has changed some existing APIs
       and added some new APIs to support NSS. Customers building
       binaries that use these APIs will find that their compile will
       fail with undefined symbol references similar to the following:

          Undefined                       first referenced
           symbol                             in file
          getspnam_r                          libperl.so
          getpwent_r                          libperl.so
          getgrent_r                          libperl.so

       Note: This problem is only seen in systems upgraded from earlier
       UnixWare releases to UnixWare 7.1.4.

   14. C compiler bug fixed. In -Xt mode, the compiler may incorrectly
       attempt to combine two typedef's that are not numeric types.
       erg712635/fz529721

   15. Make command bug fixed. $(XD:str=rep) broken, where X is any of
       the @*<%? special characters.
       erg712665/fz529930

------------------------------------------------------------------------

V. File Contents

The following files are updated or installed by the uw714m1 package:

   /etc/conf/pack.d/inet/Driver_atup.o
   /etc/conf/pack.d/inet/Driver_mp.o
   /etc/conf/pack.d/inet/space.c
   /etc/conf/pack.d/nb/Driver_atup.o
   /etc/conf/pack.d/nb/Driver_mp.o
   /etc/conf/pack.d/nbclts/Driver_atup.o
   /etc/conf/pack.d/nbclts/Driver_mp.o
   /etc/conf/pack.d/nbcots/Driver_atup.o
   /etc/conf/pack.d/nbcots/Driver_mp.o
   /etc/conf/pack.d/proc/Driver_atup.o
   /etc/conf/pack.d/proc/Driver_mp.o
   /etc/conf/pack.d/svc/Driver_atup.o
   /etc/conf/pack.d/svc/Driver_mp.o
   /etc/crash
   /etc/dcopy
   /etc/dinit.d/S80lp
   /etc/docview
   /etc/eels/src/eelsdba/Makefile-scox
   /etc/eels/src/eelsdba/README
   /etc/eels/src/eelsdba/eelsdba_mysql_scox.c
   /etc/eels/src/eelsdba/initdb.mysql-scox
   /etc/ff
   /etc/fsck
   /etc/imapd
   /etc/init.d/eelsrc
   /etc/init.d/license
   /etc/init.d/lp
   /etc/init.d/snmp
   /etc/init.d/z35SysInfo
   /etc/mail/slocal
   /etc/mkfs
   /etc/mount
   /etc/ncheck
   /etc/p6updata
   /etc/pam.d/dtlogin.build
   /etc/pam.d/dtsession.build
   /etc/pam.d/ftp.build
   /etc/pam.d/login.build
   /etc/pam.d/mail.build
   /etc/pam.d/passwd.build
   /etc/pam.d/rexec.build
   /etc/pam.d/rlogin.build
   /etc/pam.d/rsh.build
   /etc/pam.d/su.build
   /etc/pam.d/telnet.build
   /etc/popper
   /etc/rc0.d/K20lp
   /etc/rc0.d/K70eels
   /etc/rc1.d/K20lp
   /etc/rc1.d/K67snmp
   /etc/rc1.d/R10license
   /etc/rc1.d/S70eels
   /etc/rc2.d/S70eels
   /etc/rc2.d/S73snmp
   /etc/rc2.d/S95docview
   /etc/scsi/pdi_hot
   /etc/scsi/pdimkdev
   /etc/scsi/pdimkdtab
   /etc/scsi/sdighost
   /etc/scsi/sdipath
   /etc/volcopy
   /sbin/devnm
   /sbin/df
   /sbin/fsck
   /sbin/fsdb
   /sbin/mkfs
   /sbin/mount
   /sbin/putdev
   /sbin/sdimkdev
   /sbin/sdipath
   /sbin/su
   /usr/bin/compress
   /usr/bin/ddbconv
   /usr/bin/devattr
   /usr/bin/devfree
   /usr/bin/devreserv
   /usr/bin/df
   /usr/bin/getdev
   /usr/bin/getdgrp
   /usr/bin/getvol
   /usr/bin/login
   /usr/bin/mailcheck
   /usr/bin/mailx
   /usr/bin/passwd
   /usr/bin/pkginfo
   /usr/bin/pkglist
   /usr/bin/pkgmk
   /usr/bin/pkgparam
   /usr/bin/pkgtrans
   /usr/bin/putdev
   /usr/bin/su
   /usr/bin/uncompress
   /usr/bin/zcat
   /usr/dt/bin/dtfile
   /usr/dt/bin/dtsession
   /usr/dt/lib/libpam.so.1
   /usr/include/netinet/ip_var.h
   /usr/include/netinet/tcp.h
   /usr/include/netmgt/snmp.h
   /usr/include/sys/socket.h
   /usr/lib/crash/libkcrash.so
   /usr/lib/crash/macros/buf.k
   /usr/lib/crash/macros/e1008g.k
   /usr/lib/crash/macros/eeE8.k
   /usr/lib/crash/macros/file.k
   /usr/lib/crash/macros/info.k
   /usr/lib/crash/macros/inode.k
   /usr/lib/crash/macros/ipc.k
   /usr/lib/crash/macros/loadmacs
   /usr/lib/crash/macros/net.k
   /usr/lib/crash/macros/page.k
   /usr/lib/crash/macros/pm.k
   /usr/lib/crash/macros/proc.k
   /usr/lib/crash/macros/sertty.k
   /usr/lib/crash/macros/stack.k
   /usr/lib/crash/macros/stat.k
   /usr/lib/crash/macros/stream.k
   /usr/lib/crash/macros/trace.k
   /usr/lib/crash/macros/ufs.k
   /usr/lib/crash/macros/vm.k
   /usr/lib/crash/macros/vnode.k
   /usr/lib/crash/macros/vxfs.k
   /usr/lib/iaf/in.login/scheme
   /usr/lib/iaf/login/scheme
   /usr/lib/libadm.a
   /usr/lib/libnsl.so
   /usr/lib/libnsl.so.1
   /usr/lib/libxti.so
   /usr/lib/scoadmin/filesystem/filesystemOsa
   /usr/sadm/install/bin/pkginstall
   /usr/sadm/install/bin/pkgremove
   /usr/sadm/sysadm/bin/mkdtab
   /usr/sbin/crash
   /usr/sbin/cs
   /usr/sbin/dcopy
   /usr/sbin/df
   /usr/sbin/disksetup
   /usr/sbin/edquota
   /usr/sbin/fdisk
   /usr/sbin/ff
   /usr/sbin/fsck
   /usr/sbin/hostmibd
   /usr/sbin/in.ftpd
   /usr/sbin/in.inetinst
   /usr/sbin/in.rexecd
   /usr/sbin/in.rshd
   /usr/sbin/in.snmpd
   /usr/sbin/installf
   /usr/sbin/labelit
   /usr/sbin/mkfs
   /usr/sbin/mount
   /usr/sbin/ncheck
   /usr/sbin/partsize
   /usr/sbin/pkgadd
   /usr/sbin/pkgask
   /usr/sbin/pkgcat
   /usr/sbin/pkgchk
   /usr/sbin/pkgcopy
   /usr/sbin/pkginstall
   /usr/sbin/pkgrm
   /usr/sbin/prtconf
   /usr/sbin/quot
   /usr/sbin/quota
   /usr/sbin/quotacheck
   /usr/sbin/quotaoff
   /usr/sbin/quotaon
   /usr/sbin/removef
   /usr/sbin/repquota
   /usr/sbin/sco_pmd
   /usr/sbin/switchout
   /usr/sbin/volcopy

------------------------------------------------------------------------

VI. Escalation Fixes in this Maintenance Pack

These are the Escalation tracking numbers for the fixes included in this
maintenance pack:

   erg712596/fz529361
   erg712598/fz529384
   erg712605/fz529414
   erg712620/fz529611
   erg712621/ptf9050/fz529619
   erg712635/fz529721
   erg712658/fz529884
   ptf9050a/fz529560
   ptf9050b/fz529565
   fz198541
   fz519105
   fz528611
   fz528775
   fz529097
   fz529581
   fz529663
   fz529698
   fz529765
   fz529851
   fz528862
   fz529876

   erg712282/fz526486 (fix provided in the nics package)
   erg712602/fz529411 (fix provided in the openssl package)
   erg712635/fz529721 (fix provided in the uccs package)
   erg712648/fz529827 (fix provided in the openssh package)
   erg712665/fz529930 (fix provided in the uccs package)
   fz528862 (fix provided in the xserver package)
   fz528969 (fix provided in the samba package)
   fz529615 (fix provided in the foomatic and hpijs packages)
   fz529629 (fix provided in the modjk1 package)
   fz529665 (fix provided in the samba package)

------------------------------------------------------------------------

(c) Copyright 2004 The SCO Group, Inc. All rights rese