Patch Name: PHNE_15733 Patch Description: s700 10.24 (VVOS) ARPA Transport cumulative patch Creation Date: 98/06/26 Post Date: 98/06/30 Hardware Platforms - OS Releases: s700: 10.24 Products: N/A Filesets: OS-Core.CORE-KRN VirtualVaultOS.VVOS-KRN Networking.NET-KRN Networking.NET-RUN Automatic Reboot?: Yes Status: General Superseded Critical: Yes PHNE_15733: HANG PHNE_14735: PANIC Based on a portion of HP-UX PHNE_14504: PANIC Based on a portion of HP-UX PHNE_13469: PANIC Based on a portion of HP-UX PHNE_13289: PANIC Based on a portion of HP-UX PHNE_13245: PANIC Based on a portion of HP-UX PHNE_12407: PANIC Based on a portion of HP-UX PHNE_11530: PANIC Based on a portion of HP-UX PHNE_9106: PANIC Based on a portion of HP-UX PHNE_9098: PANIC Based on a portion of HP-UX PHNE_9036: PANIC Path Name: /hp-ux_patches/s700/10.X/PHNE_15733 Symptoms: PHNE_15733: Network may hang when an application forks off multiple children that call accept() on the same socket. PHNE_14735: Socket send(2) returning ENOLINK. Transient TCP error conditions are reported to the application. PHNE_13888: Repackaged part of HP-UX patch PHNE_13469 for VVOS. Based on a portion of HP-UX patch PHNE_13469: This patch replaces PHNE_13289. See Defect Description PHKL_12391: symlink system call audit records incorrectly contain the link name as the target name. unlink and execve system call audit records contain incorrect object sensitivity labels. PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Allows multilevelserver tcp endpoints to be accessed from the outside interface, when there is no filtering router present. Excessive audit records generated as a result of using non-blocking system calls. TCP does not use random sequence numbers by default. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. Defect Description: PHNE_15733: Repackaged part of HP-UX patch PHNE_9098 to fix a race condition in a socket function, sodequeue(). This race condition could result in a hung network when an application forks multiple children that call accept() on the same socket. PHNE_14735: Transient TCP error conditions had been reported to the application. Because TCP retransmission logic does ultimately correct a transient condition, transient errors are no longer sent to the application. Fatal and permanent TCP errors are still reported to the application. PHNE_13888: Repackaged part of HP-UX patch PHNE_13469 for VVOS. Based on a portion of HP-UX patch PHNE_13469: If the system is a single processor machine they may see it hang. It will still respond to "ping" but the console and all other activity will stop. If the system is a multiprocessor machine the customer may see that one processor is 100% busy running netisr. The rest of the system will be working OK with the exception of the one processor being out of the picture. Networking may be slow or not working at all. Netstat will show one of this systems IP addresses connected to itsself along with the local and remote port being the same. The state of the socket will be SYN_RCVD. PHKL_12391: Incorrect placement of audit stub hooks, results in incorrect information in audit records for system calls symlink(2) and unlink(2). PHNE_11306: Provides a mechanism that causes accept() to filter connection requests based on the attributes of the process issuing the connect() request. The filtering is transparent to both the processes involved. This mechanism is extended to udp, and the filtering is performed when a packet is received. PHNE_11096: Force TCP SYN Attack protection to be the default configuration setting. PHNE_10476: Introduces a mechanism for further restricting traffic from/to certain interfaces, to/from multilevel servers. During system initialization the ifconfig command, based on information in the Device Assignment database, marks interfaces from which traffic is to be restricted. The ifconfig command also reports this information, when displaying other characteristics of the interface. Applications using non-blocking interfaces to network and file/record locking APIS cause excessive audit records to be generated. These interfaces include accept(), read(), recv() lockf(), and fcntl(). TCP should use random sequence numbers. PHNE_10325: VVOS MP system panics when certain trusted programs are executed. PHNE_10161: Based on a portion of HP-UX patch PHKL_9098: A syn attack can result in Denial Of Service (DOS) to legitimate users. SR: 4701356741 4701354597 4701349761 4701349399 4701347532 4701335596 4701348631 4701348623 4701348656 4701366252 1653239764 5003327973 4701387333 4701339044 5003424002 Patch Files: /usr/conf/lib/libsec.a(audit_stub.o) /usr/conf/lib/libuipc.a(uipc_socket.o) /usr/conf/lib/libuipc.a(uipc_socket2.o) /usr/conf/lib/libuipc.a(uipc_syscall.o) /usr/conf/lib/libuipc.a(uipc_usrreq.o) /usr/conf/lib/libhp-ux.a(vfs_scalls.o) /usr/conf/lib/libhp-ux.a(vfs_lockf.o) /usr/conf/lib/libhp-ux.a(kern_dscrp.o) /usr/conf/lib/libhp-ux.a(nm_tune.o) /usr/conf/lib/libsec.a(sec_vvosnet.o) /usr/conf/lib/libsec.a(sec_subrs.o) /usr/conf/lib/libsec.a(spd_mac.o) /usr/conf/lib/libuipc.a(uipc_compat.o) /usr/conf/lib/libnet.a(raw_usrreq.o) /usr/conf/lib/libinet.a(tcp_usrreq.o) /usr/conf/lib/libinet.a(tcp_input.o) /usr/conf/lib/libinet.a(ip_output.o) /usr/conf/lib/libinet.a(ip_input.o) /usr/conf/lib/libinet.a(udp_usrreq.o) /usr/conf/lib/libinet.a(tcp_subr.o) /usr/conf/lib/libnet.a(if.o) /usr/sbin/ifconfig /usr/lib/nls/msg/C/ifconfig.cat what(1) Output: /usr/conf/lib/libsec.a(audit_stub.o): kern/sec/audit_stub.c, sysaudit, vvos_davis, davis10 4 $Date: 98/06/25 15:10:57 $ $Revision: 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libuipc.a(uipc_socket.o): $Source: kern/sys/uipc_socket.c, hpuxsysuipc, vvos_d avis, davis109 $Date: 98/06/25 15:16:20 $ $R evision: 1.49.1.2 PATCH_10.24 (PHNE_15733) $ /usr/conf/lib/libuipc.a(uipc_socket2.o): kern/sys/uipc_socket2.c, hpuxsysuipc, vvos_davis, da vis104 $Date: 98/06/25 15:10:17 $ $Revision: 1.4 PATCH_10.24 (PHNE_11096) $ /usr/conf/lib/libuipc.a(uipc_syscall.o): $Source: kern/sys/uipc_syscall.c, hpuxsysuipc, vvos_ davis, davis109 $Date: 98/06/26 13:38:17 $ $ Revision: 1.39 PATCH_10.24 (PHNE_15733) $ /usr/conf/lib/libuipc.a(uipc_usrreq.o): kern/sys/uipc_usrreq.c, hpuxsysuipc, vvos_davis, dav is104 $Date: 98/06/25 15:10:17 $ $Revision: 1.26 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libhp-ux.a(vfs_scalls.o): kern/sys/vfs_scalls.c, hpuxsysvfs, vvos_davis, davis 104 $Date: 98/06/25 15:10:28 $ $Revision: 1. 27.1.2 PATCH_10.24 (PHKL_12391) $ /usr/conf/lib/libhp-ux.a(vfs_lockf.o): kern/sys/vfs_lockf.c, hpuxsysvfs, vvos_davis, davis1 04 $Date: 98/06/25 15:14:02 $ $Revision: 1.3 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(kern_dscrp.o): kern/sys/kern_dscrp.c, hpuxsysmisc, vvos_davis, davi s104 $Date: 98/06/25 15:10:29 $ $Revision: 1 .24 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libhp-ux.a(nm_tune.o): kern/netinet/nm_tune.c, hpuxsysinet, vvos_davis, dav is104 $Date: 98/06/25 15:10:19 $ $Revision: 1.13 PATCH_10.24 (PHNE_10161) $ /usr/conf/lib/libsec.a(sec_vvosnet.o): kern/sec/sec_vvosnet.c, sysmisc, vvos_davis, davis10 4 $Date: 98/06/25 15:13:49 $ $Revision: 1.19 .2.6 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(sec_subrs.o): kern/sec/sec_subrs.c, sysmisc, vvos_davis, davis104 $Date: 98/06/25 15:10:40 $ $Revision: 1.13.3 .4 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libsec.a(spd_mac.o): kern/sec/spd_mac.c, sysmacilb, vvos_davis, davis104 $Date: 98/06/25 15:10:38 $ $Revision: 1.31 P ATCH_10.24 (PHKL_12391) $ /usr/conf/lib/libuipc.a(uipc_compat.o): kern/sys/uipc_compat.c, hpuxsysuipc, vvos_davis, dav is104 $Date: 98/06/25 15:13:51 $ $Revision: 1.4 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(raw_usrreq.o): kern/net/raw_usrreq.c, hpuxsysnet, vvos_davis, davis 104 $Date: 98/06/25 15:10:11 $ $Revision: 1. 20 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(tcp_input.o): kern/netinet/tcp_input.c, hpuxsysinet, vvos_davis, d avis104 $Date: 98/06/25 15:10:13 $ $Revision : 1.41.1.7 PATCH_10.24 (PHNE_14735) $ /usr/conf/lib/libinet.a(tcp_usrreq.o): kern/netinet/tcp_usrreq.c, hpuxsysinet, vvos_davis, davis104 $Date: 98/06/25 15:10:27 $ $Revisio n: 1.5 PATCH_10.24 (PHNE_14735) $ /usr/conf/lib/libinet.a(ip_output.o): kern/netinet/ip_output.c, hpuxsysinet, vvos_davis, d avis104 $Date: 98/06/25 15:10:12 $ $Revision : 1.22 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(ip_input.o): kern/netinet/ip_input.c, hpuxsysinet, vvos_davis, da vis104 $Date: 98/06/25 15:10:12 $ $Revision: 1.33 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libinet.a(udp_usrreq.o): kern/netinet/udp_usrreq.c, hpuxsysinet, vvos_davis, davis104 $Date: 98/06/25 15:10:14 $ $Revisio n: 1.40 PATCH_10.24 (PHNE_11306) $ /usr/conf/lib/libinet.a(tcp_subr.o): kern/netinet/tcp_subr.c, hpuxsysinet, vvos_davis, da vis104 $Date: 98/06/25 15:10:13 $ $Revision: 1.27 PATCH_10.24 (PHNE_10476) $ /usr/conf/lib/libnet.a(if.o): kern/net/if.c, hpuxsysnet, vvos_davis, davis104 $Dat e: 98/06/25 15:10:10 $ $Revision: 1.32 PATCH _10.24 (PHNE_10476) $ /usr/sbin/ifconfig: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Thu Jun 25 15:18:08 EDT 1998 $ lanlink/NET/commands/ifconfig/ifconfig.c, hpuxcmdnet , vvos_davis, davis104 $Date: 98/06/25 15:11 :34 $ $Revision: 1.10 PATCH_10.24 (PHNE_1047 5) $ NET: Version: B.10.10 $Date: 96/05/09 11:26:18 $ /usr/lib/nls/msg/C/ifconfig.cat: None cksum(1) Output: 833791755 8536 /usr/conf/lib/libsec.a(audit_stub.o) 2075472136 21720 /usr/conf/lib/libuipc.a(uipc_socket.o) 208176681 21048 /usr/conf/lib/libuipc.a(uipc_socket2.o) 629901201 17564 /usr/conf/lib/libuipc.a(uipc_syscall.o) 177897523 13900 /usr/conf/lib/libuipc.a(uipc_usrreq.o) 2398203671 29804 /usr/conf/lib/libhp-ux.a(vfs_scalls.o) 421773240 14724 /usr/conf/lib/libhp-ux.a(vfs_lockf.o) 1065112658 15856 /usr/conf/lib/libhp-ux.a(kern_dscrp.o) 1983495514 10452 /usr/conf/lib/libhp-ux.a(nm_tune.o) 79238479 9608 /usr/conf/lib/libsec.a(sec_vvosnet.o) 2428977652 9632 /usr/conf/lib/libsec.a(sec_subrs.o) 1686166708 13280 /usr/conf/lib/libsec.a(spd_mac.o) 1804976137 9388 /usr/conf/lib/libuipc.a(uipc_compat.o) 2742181502 5760 /usr/conf/lib/libnet.a(raw_usrreq.o) 474287645 21740 /usr/conf/lib/libinet.a(tcp_input.o) 888847245 12152 /usr/conf/lib/libinet.a(tcp_usrreq.o) 802918298 12648 /usr/conf/lib/libinet.a(ip_output.o) 891935754 18580 /usr/conf/lib/libinet.a(ip_input.o) 3075705659 16260 /usr/conf/lib/libinet.a(udp_usrreq.o) 341034648 10728 /usr/conf/lib/libinet.a(tcp_subr.o) 1592275717 8672 /usr/conf/lib/libnet.a(if.o) 3688392350 24576 /usr/sbin/ifconfig 808123659 1886 /usr/lib/nls/msg/C/ifconfig.cat Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHNE_10161 PHNE_10325 PHNE_10476 PHNE_11096 PHNE_11306 PHKL_12391 PHNE_13888 PHNE_14735 Equivalent Patches: PHNE_15734: s800: 10.24 Patch Package Size: 410 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_15733 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHNE_15733.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHNE_15733.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_15733. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHNE_15733.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_15733.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None