Patch Name: PHNE_24820

Patch Description: s700_800 10.01-10 telnetd(1M) cumulative patch

Creation Date: 01/09/14

Post Date: 01/09/26

Hardware Platforms - OS Releases:
    s700: 10.01 10.10
    s800: 10.01 10.10

Products: N/A

Filesets:
    InternetSrvcs.INETSVCS-RUN InternetSrvcs.INET-ENG-A-MAN

Automatic Reboot?: No

Status: General Release

Critical:
    No (superseded patches were critical)
    PHNE_10424: HANG
        The telnetd(1M) daemon can hang on startup.
    PHNE_7553: HANG
        The telnetd(1M) daemon can hang on startup.
    PHNE_5946: ABORT
        The telnetd(1M) daemon can abort (core dump) under certain conditions.

Path Name: /hp-ux_patches/s700_800/10.X/PHNE_24820

Symptoms:
    PHNE_24820:
    SR 8606212875 / CR JAGad82062
    1. Buffer handling in telnetd needs to be enhanced.

    SR 8606212874 / CR JAGad82061
    2. The telnetd has a service issue.

    PHNE_10424:
    The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_10424:
    1. The telnetd(1M) daemon hangs if the initial environment option negotiation reply from the Telnet client is split across multiple TCP packets.
    2. The telnetd(1M) daemon sends SIGINT to its corresponding application upon receipt of a Telnet IP from the Telnet client regardless of the VINTR character setting on its pty.

    PHNE_7553:
    The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_7553:
    1. The telnetd(1M) daemon does not invoke login(1) with the correct address of the client host when the name of that client host is not known to the server.
    2. The telnetd(1M) daemon does not allow use of the port identification feature apart from connections originating on a DTC and, in particular, it does not allow connections from IP addresses only (specifically, PCs logging in via Telnet).
    3. The telnetd(1M) daemon hangs if more than 512 characters are received before the initial environment option negotiation is completed.
    4. The telnetd(1M) daemon terminates with a log message of:
           select: Invalid argument

    PHNE_6067:
    The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_6067:
    1. The telnetd(1M) daemon puts out log messages concerning the remote flow control option of Telnet and the TAC user identification option of Telnet. The log messages are:
           flow = *number* will TELOPT_TUID inside will TELOPT_TUID wont TELOPT_TUID sub TELOPT_TUID
    2. The telnetd(1M) daemon sends out remote flow control subnegotiations to the Telnet client even though the remote flow control option of Telnet has not been negotiated or flow control has not been changed on the Telnet server.

    PHNE_5946:
    The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_5946:
    1. The telnetd(1M) daemon will abort with a core dump and an error message of:
           Child died due to: segmentation violation
       Note that this message can only be viewed when using a debugger (such as xdb) with the core file dumped.
    2. A terminating telnetd(1M) daemon puts out a log message of:
           ioctl(SIOCJNVS): Bad file number

Defect Description:
    PHNE_24820:
    SR 8606212875 / CR JAGad82062
    1. Buffer handling in telnetd needs to be enhanced.
       Resolution: Code changes have been made to fix it.

    SR 8606212874 / CR JAGad82061
    2. Telnetd has a service issue.
       Resolution: Code changes have been made to fix it.

    PHNE_10424:
    The following defect descriptions are for PHNE_10424:
    1. The problem is that the telnetd(1M) daemon does not handle an initial environment option negotiation reply split across multiple TCP packets as one stream of bytes to be processed. Thus, that reply is not processed and the telnetd(1M) daemon hangs waiting for another such reply (which will never come).
    2. The problem is that the telnetd(1M) daemon does not handle a Telnet IP correctly.

    PHNE_7553:
    The following defect descriptions are for PHNE_7553:
    1. The problem is that the telnetd(1M) daemon does not save the result of any call made to gethostbyaddr(3N) or inet_ntoa(3N). Thus, subsequent calls to these functions (made by other library functions called within the telnetd(1M) daemon) change values obtained previously to produce the undesired consequence.
    2. The problem is that allowing the use of the port identification feature apart from connections originating on a DTC is simply not implemented within the telnetd(1M) daemon.
    3. The problem is that the telnetd(1M) daemon drops all subsequent characters received after the first 512 characters. Thus, any environment option negotiation received after that point is not processed and the telnetd(1M) daemon waits forever. This condition will be handled by terminating the telnetd(1M) daemon whenever more than 512 characters are received before the completion of the initial environment option negotiation.
    4. The problem is that the telnetd(1M) daemon does not initialize the timeout value for certain select(2) function calls.

    PHNE_6067:
    The following defect descriptions are for PHNE_6067:
    1. The problem is that the telnetd(1M) daemon puts out unnecessary log messages.
    2. The problem is that the telnetd(1M) daemon does not handle situations in which the remote flow control option has not been negotiated or in which flow control has not been changed on the Telnet server but other events have triggered the execution of the user space Telnet code (and thus the remote flow control subnegotiation code).

    PHNE_5946:
    The following defect descriptions are for PHNE_5946:
    1. The problem is that the telnetd(1M) daemon does not handle an IAC WILL TELOPT_ENV sequence followed by a delayed IAC WONT TELOPT_ENV sequence.
    2. The problem is that the telnetd(1M) daemon does not handle a situation in which the pty has been closed before the daemon has been terminated.
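
Added example (not HP's telnetd source) of the handling that the PHNE_10424 item 1 and PHNE_7553 item 3 descriptions call for: parser state persists across read(2) calls so a split reply is processed as one byte stream, and the session is aborted once more than 512 bytes arrive before the negotiation completes. The names neg_init, neg_feed and struct neg are hypothetical, and 36 (the RFC 1408 ENVIRON option code) is an assumed value for the TELOPT_ENV named above.

```c
#include <stddef.h>

/* Telnet command bytes (RFC 854). */
enum { IAC = 255, SB = 250, SE = 240, WILL = 251, WONT = 252, DO = 253, DONT = 254 };
#define OPT_ENV   36    /* assumption: RFC 1408 ENVIRON code used for TELOPT_ENV */
#define NEG_LIMIT 512   /* byte limit stated in the PHNE_7553 description */

enum neg_result { NEG_PENDING, NEG_DONE, NEG_ABORT };
enum neg_state  { S_DATA, S_IAC, S_CMD, S_SB_OPT, S_SB, S_SB_IAC };

/* State is kept here rather than in locals of one read(), so a reply
 * split across TCP segments is parsed as a single byte stream. */
struct neg {
    enum neg_state st;
    unsigned char cmd;      /* pending WILL/WONT/DO/DONT */
    unsigned char sb_opt;   /* option of the open subnegotiation */
    size_t seen;            /* bytes consumed before completion */
    int done;
};

void neg_init(struct neg *n) { *n = (struct neg){ .st = S_DATA }; }

/* Feed one chunk exactly as returned by read(2). */
enum neg_result neg_feed(struct neg *n, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len && !n->done; i++) {
        unsigned char c = buf[i];
        if (++n->seen > NEG_LIMIT)
            return NEG_ABORT;           /* terminate instead of waiting forever */
        switch (n->st) {
        case S_DATA:   if (c == IAC) n->st = S_IAC; break;
        case S_IAC:
            if (c == SB) n->st = S_SB_OPT;
            else if (c >= WILL && c <= DONT) { n->cmd = c; n->st = S_CMD; }
            else n->st = S_DATA;        /* IAC IAC or another 2-byte command */
            break;
        case S_CMD:                     /* assumption: WONT ENV ends the wait */
            if (n->cmd == WONT && c == OPT_ENV) n->done = 1;
            n->st = S_DATA; break;
        case S_SB_OPT: n->sb_opt = c; n->st = S_SB; break;
        case S_SB:     if (c == IAC) n->st = S_SB_IAC; break;
        case S_SB_IAC:
            if (c == SE) { if (n->sb_opt == OPT_ENV) n->done = 1; n->st = S_DATA; }
            else n->st = S_SB;          /* IAC IAC inside SB is data */
            break;
        }
    }
    return n->done ? NEG_DONE : NEG_PENDING;
}
```

A caller would close the connection on NEG_ABORT and continue to login(1) on NEG_DONE; n->seen then tells it how many bytes of the stream the negotiation consumed.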

SR:
    8606212875 8606212874 5003361626 1653197392 1653159020
    5003306308 5003281998 4701293548 5003264630

Patch Files:
    /usr/lbin/telnetd
    /usr/share/man/man1m.Z/telnetd.1m

what(1) Output:
    /usr/lbin/telnetd:
        Copyright (c) 1983, 1986 Regents of the University of California.
        telnetd.c $Revision: 1.24.112.15 $ $Date: 2001/09/03 07:38:39 $ PHNE_24820
        telnetd.c 5.31 (Berkeley) 2/23/89
    /usr/share/man/man1m.Z/telnetd.1m:
        None

cksum(1) Output:
    1061027314 45056 /usr/lbin/telnetd
    3543582011 4175 /usr/share/man/man1m.Z/telnetd.1m

Patch Conflicts: PHNE_6174

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHNE_5946 PHNE_6067 PHNE_7553 PHNE_10424

Equivalent Patches:
    PHNE_24821: s700: 10.20 s800: 10.20
    PHNE_24762: s700: 11.00 s800: 11.00
    PHNE_24829: s700: 11.11 s800: 11.11

Patch Package Size: 110 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

           cd /tmp
           sh PHNE_24820

    5a. For a standalone system, run swinstall to install the patch:

           swinstall -x autoreboot=true -x match_target=true \
               -s /tmp/PHNE_24820.depot

    By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_24820. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

    It is recommended that you move the PHNE_24820.text file to /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the tape drive, use the command:

           dd if=/tmp/PHNE_24820.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    1. Ensure that all telnet sessions are closed before the installation/removal of the patch.

    PHNE_24820:
    1. To enable the -n option for telnetd after installing this patch:
       1. modify /etc/inetd.conf file by adding the option, "-n