Patch Name: PHNE_25894 Patch Description: s700_800 10.24 (VVOS) telnetd, ftp, ftpd, login cumulative Creation Date: 01/12/11 Post Date: 01/12/17 Hardware Platforms - OS Releases: s700: 10.24 s800: 10.24 Products: N/A Filesets: OS-Core.UX-CORE OS-Core.CORE-ENG-A-MAN VirtualVaultOS.VVOS-AUX-IA InternetSrvcs.INETSVCS-INETD InternetSrvcs.INET-ENG-A-MAN InternetSrvcs.INETSVCS-RUN Automatic Reboot?: Yes Status: General Release Critical: No Path Name: /hp-ux_patches/s700_800/10.X/PHNE_25894 Symptoms: PHNE_25894: Port HP-UX patch PHCO_25591 to VVOS Based on HP-UX patch PHCO_25591: ( SR:8606224513 CR:JAGad93601 ) Login may behave unexpectedly on large terminal inputs. PHNE_25217: Port HP-UX patch PHNE_24821 to VVOS Based on HP-UX patch PHNE_24821: SR 8606212875 / CR JAGad82062 1. Buffer handling in telnetd needs to be enhanced. SR 8606212874 / CR JAGad82061 2. Telnetd has a service issue. Based on HP-UX patch PHNE_13414: The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_13414: 1. Slow throughput downloading continuous large amounts of data over telnet connection. Based on HP-UX patch PHNE_10425: The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_10425: 1. The telnetd(1M) daemon hangs if the initial environment option negotiation reply from the Telnet client is split across multiple TCP packets. 2. The telnetd(1M) daemon sends SIGINT to its corresponding application upon receipt of a Telnet IP from the Telnet client regardless of the VINTR character setting on its pty. Based on HP-UX patch PHNE_8328: The following symptoms correspond to the descriptions in the defect descriptions field for PHNE_8328: 1. The telnetd(1M) daemon does not allow use of the port identification feature apart from connections originating on a DTC and, in particular, it does not allow connections from IP addresses only (specifically, PCs logging in via Telnet). 2. The telnetd(1M) daemon hangs if more than 512 characters are received before the initial environment option negotiation is completed. PHNE_24394: Port portions of base HP-UX patch PHNE_23948 to VVOS 10.24. Note that CR JAGad68257/SR 8606199070 is not supported on VVOS. Port portions of base HP-UX patch PHCO_24267 to VVOS 10.24. Note that SR:8606189604/CR:JAGad58818 is not supported on VVOS. Note that SR:8606152919/CR:JAGad22237 is not supported on VVOS. Based on HP-UX patch PHNE_23948: 1. CR JAGad68308/ SR 8606199121. ftpd does not function properly for some commands. 2. CR JAGad68257/ SR 8606199070. ftpd does not behave as expected in trusted systems. 3. CR JAGad24502/ SR 8606155185. ftpd man page does not have information on -S option. Based on HP-UX patch PHCO_24267: ( SR:8606189604 CR:JAGad58818 ) Login allows certain shell users excessive freedom. ( SR:8606152919 CR:JAGad22237 ) In a cluster of 10.20 and 11.0 systems, an identical password aging metric expires at different times for the same user. PHNE_22059: Port base HP-UX patch PHNE_22057: Based on HP-UX patch PHNE_22057: 1. CR JAGad12040/SR 8606142685. ftpd does not function properly. 2. CR JAGaa27007/SR 8606160774 ls command fails in an anonymous ftp session. Based on HP-UX patch PHNE_17963: 1. Implement passive mode in 10.20 ftp client. 2. Suppress the printing of machine name in the ftpd banner. 3. 'ftp' client does not work properly. PHNE_15802: Repackaged part of HP-UX patch PHNE_13597 for VVOS. Based on a portion of HP-UX patch PHNE_13597: * ftp: problem with passing files. * FTP Newer command does not work as documented if file does not exist. * FTP:don't get error message if filesystem gets full. * Proxy Get command not working. * ftpd does not allow ports under 1024 even with -p option. * FTP giving error 425:Can't create data socket. * have inbound/outbound transfer logging in ftpd. * FTP Newer command has problem handling dates. PHNE_12984: Users cannot telnet or ftp to a VVOS system. Based on HP-UX patch PHNE_10010: A ftp client could interrupt a data transfer by sending a data close and an ABORT. A timing problem has been observed on the ftpd side. Based on HP-UX patch PHNE_9785: * ftpd returns a 550 after an NLST when the file is not found. * Privileged ports cannot be specified as a part of the PORT command. * An error message "You've GOT to be joking" is displayed when a client specifies a privileged port as a data-port. * The command modtime displays incorrect date and time for some dates. Based on HP-UX patch PHCO_13913: - incorret SELF-AUDITING record on a Failed Login Attempt. - login coredumps, users are not allowed to login. Based on HP-UX patch PHCO_10428: trusted passwd expiration warning does not print if applicable to all users. Based on HP-UX patch PHCO_10138: - rlogin TERM is ignored and TERM set to hpterm. - rsh changes to rksh if previous patch exists. Based on HP-UX patch PHCO_9197: - message sh: /usr/bin/quota: The operation is not allowed in a restricted shell. - message in an hpterm window Sorry. Maximum numbers of users already logged in - chroot sublogins do not work properly in trusted mode Defect Description: PHNE_25894: Port HP-UX patch PHCO_25591 to VVOS Based on HP-UX patch PHCO_25591: ( SR:8606224513 CR:JAGad93601 ) User input to login is not appropriately verified to ensure that it does not overflow an internally allocated buffer. Resolution: A check has been put into place to ensure that user input does not exceed the allowable size. PHNE_25217: Port HP-UX patch PHNE_24821 to VVOS Based on HP-UX patch PHNE_24821: SR 8606212875 / CR JAGad82062 1. Buffer handling in telnetd needs to be enhanced. Resolution: Code changes have been made to fix it. SR 8606212874 / CR JAGad82061 2. Telnetd has a service issue. Resolution: Code changes have been made to fix it. Based on HP-UX patch PHNE_13414: The following defect descriptions are for PHNE_13414: 1. Currently in output, kernel telnet implements a delay which forces small amounts of data to coalesce before putting it into a packet, since sending too many small packets quickly may overload a system. This delay is slowing down throughput for large amounts of data output. The fix allows the user to have the telnetd option to remove the delay on output, by setting OUT_NO_DELAY. ** For 10.30 and later releases, the implementation of telnet is changed such that throughput is increased, so the OUT_NO_DELAY option is no longer needed and will not be valid. ** Based on HP-UX patch PHNE_10425: The following defect descriptions are for PHNE_10425: 1. The problem is that the telnen feature apart from connections originating on a DTC is simply not implemented within the telnetd(1M) daemon. 2. The problem is that the telnetd(1M) daemon drops all subsequent characters received after the first 512 characters. Thus, any environment option negotiation received after that point is not processed and the telnetd(1M) daemon waits forever. This condition will be handled by terminating the telnetd(1M) daemon whenever more than 512 characters are received before the completion of the initial environment option negotiation. PHNE_24394: Port base HP-UX patch PHNE_23948 to VVOS 10.24. Note that CR JAGad68257/SR 8606199070 is not supported on VVOS. Port base HP-UX patch PHCO_24267 to VVOS 10.24. Note that SR:8606189604/CR:JAGad58818 is not supported on VVOS. Note that SR:8606152919/CR:JAGad22237 is not supported on VVOS. Based on HP-UX patch PHNE_23948: 1. CR JAGad68308/ SR 8606199121. ftpd does not function properly for some commands. Resolution: * Code changes have been made to fix the problem. 2. CR JAGad68257/ SR 8606199070. ftpd does not behave as expected in trusted systems. Resolution: * Code changes have been made to fix the problem. 3. CR JAGad24502/ SR 8606155185. PHNE_17963, adds a -S option to suppress the hostname and version from the initial banner. However, this option is not documented in the ftpd man page. Resolution: Man page has been updated to include the -S option: -S Suppresses the name and version of the FTP server in the banner output. Based on HP-UX patch PHCO_24267: ( SR:8606189604 CR:JAGad58818 ) Login should be more stringent in which environment variables it allows restricted shell users to set. Resolution: Login now only allows the DISPLAY and TERM variables to be set by restricted shell users unless configured otherwise in the security configuration file. To change the behavior of this patch, the /etc/default/security file must be created if it does not already exist. This file should be world readable and root writeable. To this file, add one of the following three entries: The new default behavior corresponds to a setting of: RSH_SECURITY=2 It is possible to ease the restrictions and allow the setting of any environment variables which are not known to be potentially risky. This is done by specifying: RSH_SECURITY=1 Finally, for compatibility reasons, it is possible to revert to the old, excessively permissive behavior by specifying: RSH_SECURITY=0 ( SR:8606152919 CR:JAGad22237 ) The password aging mechanism changed with the introduction of PAM in 11.0, causing slightly differing expiration dates in environments where PAM and non-PAM systems are mixed. This incompatibility is the result of a change in the way days are rounded into weeks. Resolution: With this patch, an option is made available which can force the login command to use PAM compatible aging. To enable this behavior, the /etc/default/security file must be created if it does not already exist. To this file, the following line can be added: PAM_AGING_COMPAT=1 This flag is valid for the 10.20 release only. It is ignored in later releases, where the default is the PAM behavior. PHNE_22059: Port base patch PHNE_22057: Based on PHNE_22057: 1. CR JAGad12040/SR 8606142685. ftpd does not function properly. 2. CR JAGaa27007/SR 8606160774 ls command fails in an anonymous ftp session. Based on PHNE_17963: 1. Implement passive mode in 10.20 ftp client. 2. Suppress the printing of machine name in the ftpd banner. 3. 'ftp' client does not work properly. PHNE_15802: Repackaged part of HP-UX patch PHNE_13597 for VVOS. Based on a portion of HP-UX patch PHNE_13597: * ftp: problem with passing files. * FTP Newer command does not work as documented if file does not exist. * FTP:don't get error message if filesystem gets full. * Proxy Get command not working. * ftpd does not allow ports under 1024 even with -p option. * FTP giving error 425:Can't create data socket. * have inbound/outbound transfer logging in ftpd. * FTP Newer command has problem handling dates. PHNE_12984: Single-level telnetd and ftpd has been added to the VVOS supported feature set. Installation of this patch makes the system capable of providing server side services, to the inside network, for telnet and ftp sessions. The patch will allow users from the inside network to telnet and/or ftp into a VirtualVault machine. Please refer to the special installation instructions on how to enable these services. Based on HP-UX patch PHNE_10010: ftpd has been fixed to handle a simultaneous data close and ABORT appropriately. Based on HP-UX patch PHNE_9785: * ftpd returns a 550 after a NLST when a file is not found. The return code was changed to 450 per RFC 959. * An option "-p" has been added. The PORT command can now specify a privileged port as a data-port if this option is set. * The error message "You've GOT to be joking" has been replaced by "Port command failure". * The command modtime now behaves correctly. Based on HP-UX patch PHCO_13913: - incorret SELF-AUDITING log on a Failed Login Attempt, The User information is not recorded. - login coredumps, users are not allowed to login Based on HP-UX patch PHCO_10428: trusted passwd expiration warning does not print if applicable to all users. Based on HP-UX patch PHCO_10138: - rlogin TERM variable is lost when exec'ing login internally - previous quota fix was incomplete Based on HP-UX patch PHCO_9197: - quotas are not checked with restricted shells - each hpterm pty is counted as one user - chroot sublogins are allowed in trusted mode SR: 1653165837 1653193581 1653193656 1653197392 1653203067 1653232942 1653245845 1653245852 1653254193 1653296475 4701334763 4701346098 4701372359 4701373696 4701379156 4701409938 5003306308 5003322867 5003343202 5003343970 5003344846 5003361626 5003369611 5003386581 5003395004 5003424218 8606142685 8606147747 8606152919 8606155185 8606160774 8606189604 8606199121 8606212874 8606212875 8606224513 Patch Files: /sbin/init.d/inetd /usr/bin/login /usr/bin/ftp /usr/lbin/telnetd /usr/lbin/ftpd /usr/lbin/net_daemons/telnetd /usr/lbin/net_daemons/ftpd /usr/share/man/man1m.Z/ftpd.1m /usr/share/man/man1m.Z/telnetd.1m /usr/share/man/man1.Z/login.1 /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb /etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb what(1) Output: /sbin/init.d/inetd: $Revision: Hewlett-Packard ISSL 1.13 services/INETSV CS/scripts/inetd, hpuxinitscripts, vvos_davi s, davis187 $ $Date: 97/10/30 09:20:28 $ /usr/bin/login: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Mon Dec 10 11:26:58 EST 2001 $ $Revision: 78.6.1.12 $ $Source: cmd/login.c, hpuxcmdcntl, vvos_davis, davis 188 $ $Date: 01/12/10 10:35:43 $ $Revision: 1.29 PATCH_10.24 (PHNE_25894) $ /usr/bin/ftp: Copyright (c) 1985, 1989 Regents of the University o f California. main.c based on 5.13 (Berkeley) 3/14/89 Revision 1.1.212.3 Wed Jul 14 10:27:17 GMT 1999 cmds.c 5.18 (Berkeley) 4/20/89 cmdtab.c 5.9 (Berkeley) 3/21/89 ftp.c 5.28 (Berkeley) 4/20/89 glob.c 5.7 (Berkeley) 12/14/88 ruserpass.c 5.1 (Berkeley) 3/1/89 domacro.c 1.6 (Berkeley) 2/28/89 /usr/lbin/telnetd: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Mon Dec 10 11:26:58 EST 2001 $ $Source: services/INETSVCS/telnetd/telnetd_wrapper.c , hpuxcmdnet, vvos_davis, davis187 $ $Date: 01/12/10 10:33:15 $ $Revision: 1.3 PATCH_10. 24 (PHNE_12984) $ /usr/lbin/ftpd: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Mon Dec 10 11:26:58 EST 2001 $ $Source: services/INETSVCS/ftpd/ftpd_wrapper.c, hpux cmdnet, vvos_davis, davis187 $ $Date: 01/12/ 10 10:33:15 $ $Revision: 1.4 PATCH_10.24 (PH NE_12984) $ /usr/lbin/net_daemons/telnetd: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Mon Dec 10 11:26:58 EST 2001 $ Copyright (c) 1983, 1986 Regents of the University o f California. $Source: services/INETSVCS/telnetd/telnetd.c, hpuxcm dnet, vvos_davis, davis187 $ $Date: 01/12/10 10:29:06 $ $Revision: 1.21.1.6 PATCH_10.24 (PHNE_25217) $ telnetd.c $Revision: 1.27.212.15 $ $Date: 2001/08/30 07:25:33 $ PHNE_24821 telnetd.c 5.31 (Berkeley) 2/23/89 /usr/lbin/net_daemons/ftpd: $Revision: Hewlett-Packard ISSL Level vvos_davis40 $ $Header: Hewlett-Packard ISSL Release vvos_ davis $ $Date: Mon Dec 10 11:26:58 EST 2001 $ Copyright (c) 1985, 1988 Regents of the University o f California. $Source: services/INETSVCS/ftpd/ftpd.c, hpuxcmdnet, vvos_davis, davis187 $ $Date: 01/07/08 15:35 :29 $ $Revision: 1.19.1.18 PATCH_11.04 (PHNE _24394) $ ftpd.c based on 5.28 (Berkeley) 4/20/89 Revision 1.7.212.5 Mon Dec 10 21:04:55 GMT 2001 ftpcmd.y 5.20 (Berkeley) 2/28/89 glob.c 5.7 (Berkeley) 12/14/88 popen.c 5.7 (Berkeley) 2/14/89 logwtmp.c 5.2 (Berkeley) 9/22/88 /usr/share/man/man1m.Z/ftpd.1m: None /usr/share/man/man1m.Z/telnetd.1m: None /usr/share/man/man1.Z/login.1: None /etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb: $Revision: Hewlett-Packard ISSL 1.1 etc/auth/system/ files.fcdb/05.patches/PHNE12984.fcdb, files_ etc, vvos_davis, davis187 $ $Date: 97/10/29 16:52:02 $ etc/auth/system/files.fcdb/05.patches/PHNE12984.fcdb , files_etc, vvos_davis, davis187 $Date: 01/ 12/10 10:33:16 $ $Revision: 1.1 PATCH_10.24 (PHNE_12984) $ /etc/auth/system/files.fcdb/15.patches/PHNE24394.fcdb: $Revision: Hewlett-Packard ISSL 1.1 etc/auth/system/ files.fcdb/15.patches/PHNE24394.fcdb, files_ etc, vvos_davis, davis187 $ $Date: 01/07/11 17:02:14 $ cksum(1) Output: 2737875845 1574 /sbin/init.d/inetd 2777335412 61440 /usr/bin/login 4105651290 98304 /usr/bin/ftp 389331346 12288 /usr/lbin/telnetd 611631679 12288 /usr/lbin/ftpd 2472888703 49152 /usr/lbin/net_daemons/telnetd 949800362 86016 /usr/lbin/net_daemons/ftpd 1112697332 8959 /usr/share/man/man1m.Z/ftpd.1m 2851835761 5554 /usr/share/man/man1m.Z/telnetd.1m 1128670498 10494 /usr/share/man/man1.Z/login.1 4245073158 1561 /etc/auth/system/files.fcdb/05.patches/ PHNE12984.fcdb 4089302268 517 /etc/auth/system/files.fcdb/15.patches/ PHNE24394.fcdb Patch Conflicts: None Patch Dependencies: s700: 10.24: PHNE_18965 PHNE_25245 s800: 10.24: PHNE_18966 PHNE_25245 Hardware Dependencies: None Other Dependencies: None Supersedes: PHNE_12984 PHNE_15802 PHNE_22059 PHNE_24394 PHNE_25217 Equivalent Patches: PHNE_24821: s700: 10.20 s800: 10.20 PHNE_23948: s700: 10.20 s800: 10.20 PHCO_25590: s700: 11.00 s800: 11.00 PHCO_25591: s700: 10.20 s800: 10.20 PHNE_24762: s700: 11.00 s800: 11.00 PHNE_23949: s700: 11.00 s800: 11.00 PHNE_24395: s700: 11.04 s800: 11.04 PHNE_25893: s700: 11.04 s800: 11.04 PHNE_23947: s700: 10.01 10.10 s800: 10.01 10.10 Patch Package Size: 430 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_25894 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHNE_25894.depot By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_25894. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHNE_25894.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_25894.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: Installation of this patch makes the system capable of providing server side telnet and ftp services to the inside network. To enable these services, which will let users from the inside network telnet and/or ftp into the system, the system administrator will have to perform the following steps - 1. Login as root in a system window. 2. Enable desired service(s) by uncommenting the following lines in /etc/inetd.conf: #ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l #telnet stream tcp nowait root /usr/lbin/telnetd telnetd to read: ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l telnet stream tcp nowait root /usr/lbin/telnetd telnetd 3. Unlock desired pseudo terminals (ttyp0, ttyp1...etc) in the terminal control database. Each tty has two entries. - Make a safe copy of the terminal control database, /etc/auth/system/ttys. - Edit the database (/etc/auth/system/ttys) pty/ttyp0:t_devname=pty/ttyp0:t_lock:chkent: ttyp0:t_devname=ttyp0:chkent: For each set of entries make the following modifications: If a field t_lock exists for the entry, just add an @ sign at the end of the field. (t_lock@) If the field does not exist, add the entire field, t_lock@, to the entry. ( The field separator is a : ) pty/ttyp0:t_devname-pty/ttyp0:t_lock@:chkent: ttyp0:t_devname=ttyp0:t_lock@:chkent: 4. Run "/tcb/bin/authck -t" to check the internal consistency of the Terminal Control database. 5. Run "/tcb/bin/setfiles" to set system file attributes. 6. Run "/usr/sbin/inetd -c" to force the inetd to reread /etc/inetd.conf. NOTE: The patch should be installed after VirtualVault 3.X is installed.