Patch Name: PHNE_9294

Patch Description: s700_800 10.01 Raptor Systems Eagle International 3.1

Patch Creation Date: 96/11/20

Post Date: 96/11/25

Hardware Platforms - OS Releases:
        s700: 10.01
        s800: 10.01

Products:
        J2689AA Raptor Eagle System 3.1 (INTL) for 10.01 HP Servers
        J2693AA Raptor Eagle System 3.1 (INTL) for 10.01 HP Workstations

Filesets:
        RaptorEagleRemot.EAGLE-RUN,r=3.1,a=HP-UX_B10.01_800
        RaptorEagleRemot.EAGLE-RUN,r=3.1,a=HP-UX_B10.01_700

Automatic Reboot?: No

Status: Special Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHNE_9294

Symptoms:
  PHNE_9294:
        Patch PHNE_7720 fails to install.

  PHNE_7720:
    Level 1:
        - Remote management connections hang.
        - Dynamic IP treated as any address on EagleMobile and EagleDesks.
        - Hawk error when reading large log file remotely.
        - Httpd crash when doing DNS reverse-forward checks.
        - Failed to detect when http clients have stopped communicating.
        - Failed to detect when http clients have closed connection.
        - Http ignores a client's subsequent requests when the 1st request
          failed on a single connection.
        - Failed to use a client specified proxy to fulfill http requests.
        - Failed to log message when http client closes unexpectedly.
        - Name displayed at the authentication prompt not appropriate.
        - Wrong timezone was used when logging file transfers.
        - TCP keepalive timers not being set correctly.
        - Various enhancements

Defect Description:
  PHNE_9294:
        A defect in the PHNE_7720 install script caused the patch to fail
        to install successfully.

  PHNE_7720:
    Level 1:
      Defect fixes:
        - Fixed gwproxy and readhawk to avoid remote management connections
          from hanging randomly.
        - Users could add EagleMobile and EagleDesks with dynamic IP
          addresses to rules without realizing that they are treated as
          *any* address. Added a check to Hawk to prevent users from doing
          this.
        - Hawk would generate an error when reading a large log file
          remotely.
        - Httpd would crash when doing DNS reverse-forward checks if the
          client was a multihomed machine and the first address did not
          match.
        - Enabled KEEPALIVE on connections to clients to detect when the
          user has stopped communicating over the socket. KEEPALIVE is a
          socket option that causes the daemon to periodically test that
          the client is listening at the other end.
        - In a related fix, if the HTTP daemon detects that a client has
          closed its connection, the daemon cancels any server request it
          has started for that client. For example, if the user presses
          the "Stop" button on their browser, the HTTP daemon stops its
          attempt to process the request previously made by the client.
        - Fixed problem with clients and servers that attempt to leave an
          HTTP connection open to process multiple requests. The HTTP
          daemon does not support that mode of operation, and in the past,
          the daemon would ignore a client's second and subsequent requests
          on a single connection. This would cause browsers to fail their
          attempts to do things like loading images. The HTTP daemon now
          tells the client to close its connection after the first request.
          Clients will properly open multiple connections to service
          multiple requests.
        - Fixed handling of a client specified HTTP proxy when using the
          Eagle HTTP daemon in transparent mode. The daemon now properly
          uses a client specified proxy to fulfill client HTTP requests.
        - If the client closes its connection unexpectedly, the HTTP daemon
          no longer logs the message "Internal Error: Broken Pipe". These
          messages were being logged in response to innocuous actions such
          as the user clicking the "stop" button on the browser.
        - Changed name displayed at the authentication prompt to "Eagle
          Gateway on hostname" where hostname is the name of the machine on
          which the Eagle is installed.
        - The wrong timezone was used when logging ftp file transfers.
        - TCP Keepalive timers were not being set correctly through adb.
          Modified to use the nettune utility in the startgw script.

      Enhancements:
        - Timezone change information is now logged by changelogfile when
          starting a new logfile. This is required for EagleNetwatch
          support.
        - Eagle 3.1 did not allow any user daemons running on the firewall
          to be connected to through the Eagle proxies. This can now be
          done provided the daemon listens on ports in the range 8000-8999.
        - Significant HTTP enhancements (see
          /opt/raptor/patches/1/README.patch1 for detailed information).

SR: 4701332015

Patch Files:
        /tmp/epi31-hpuxv10.tar
        /tmp/hawk-31i.hpuxv10.tar

what(1) Output:
  /tmp/epi31-hpuxv10.tar:
        $Id: httpd.c,v 1.65 1996/03/22 21:27:36 philip Exp $
        $Id: capability.c,v 1.1 1996/03/22 21:27:32 philip Exp $
        $Id: connect.c,v 1.3.2.1 1996/04/18 19:07:06 philip Exp $
        $Id: strnsafe.c,v 1.2 1995/12/18 19:32:56 philip Exp $
        $Id: strnstr.c,v 1.1 1995/12/20 16:55:13 philip Exp $
        $Id: thissystem.c,v 1.6 1996/02/12 19:39:30 dave Exp $
        $Id: changelog.c,v 1.7 1996/03/12 00:18:54 philip Exp $
        Copyright (c) 1985, 1988, 1990 Regents of the University of California.
        $Id: ftpd.c,v 1.37 1996/02/21 15:14:11 jkraemer Exp $
        ftpcmd.y 5.23 (Berkeley) 6/1/90
        vers.c 5.1 (Berkeley) 6/24/90
        $Id: ftp.c,v 1.22 1996/02/19 20:26:47 philip Exp $
        $Id: connect.c,v 1.3.2.1 1996/04/18 19:07:06 philip Exp $
        $Id: cryptocard.c,v 1.6 1996/03/19 15:44:26 philip Exp $
        $Id: thissystem.c,v 1.6 1996/02/12 19:39:30 dave Exp $
        $Id: gwproxy.c,v 1.26 1996/03/21 21:47:17 philip Exp $
        $Id: enc_read.c,v 1.5 1996/03/21 21:48:12 philip Exp $
        $Id: readhawk.c,v 1.41 1996/03/21 21:47:18 philip Exp $
        $Id: enc_read.c,v 1.5 1996/03/21 21:48:12 philip Exp $

  /tmp/hawk-31i.hpuxv10.tar:
        (hawk-31i.hpuxv10.tar has no what strings)

cksum(1) Output:
        4293598841 1387008 /tmp/epi31-hpuxv10.tar
        1350416320 276480 /tmp/hawk-31i.hpuxv10.tar

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: PHNE_7720

Equivalent Patches: None

Patch Package Size: 1690 Kbytes

Installation Instructions:
        Please review all instructions and the Hewlett-Packard SupportLine
        User Guide or your Hewlett-Packard support terms and conditions for
        precautions, scope of license, restrictions, and limitation of
        liability and warranties, before installing this patch.
        ------------------------------------------------------------
        1. Back up your system before installing a patch.

        2. Login as root.

        3. Copy the patch to the /tmp directory.

        4. Move to the /tmp directory and unshar the patch:

                cd /tmp
                sh PHNE_9294

        5a. For a standalone system, run swinstall to install the patch:

                swinstall -x autoreboot=true -x match_target=true \
                        -s /tmp/PHNE_9294.depot

        5b. For a homogeneous NFS Diskless cluster run swcluster on the
            server to install the patch on the server and the clients:

                swcluster -i -b

            This will invoke swcluster in the interactive mode and force
            all clients to be shut down.

            WARNING: All cluster clients must be shut down prior to the
            patch installation. Installing the patch while the clients are
            booted is unsupported and can lead to serious problems.

            The swcluster command will invoke an swinstall session in
            which you must specify:

                alternate root path - default is /export/shared_root/OS_700
                source depot path   - /tmp/PHNE_9294.depot

            To complete the installation, select the patch by choosing
            "Actions -> Match What Target Has" and then "Actions ->
            Install" from the Menubar.

        5c. For a heterogeneous NFS Diskless cluster:

            - run swinstall on the server as in step 5a to install the
              patch on the cluster server.
            - run swcluster on the server as in step 5b to install the
              patch on the cluster clients.

        By default swinstall will archive the original software in
        /var/adm/sw/patch/PHNE_9294. If you do not wish to retain a copy of
        the original software, you can create an empty file named
        /var/adm/sw/patch/PATCH_NOSAVE.

        Warning: If this file exists when a patch is installed, the patch
        cannot be deinstalled. Please be careful when using this feature.

        It is recommended that you move the PHNE_9294.text file to
        /var/adm/sw/patch for future reference.

        To put this patch on a magnetic tape and install from the tape
        drive, use the command:

                dd if=/tmp/PHNE_9294.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
        Install this patch only on systems that have the Raptor Eagle
        System V3.1 (INTL) Firewall installed.

        After this patch is installed via "swinstall", perform the
        following steps to carry out the actual Eagle patch or Hawk patch
        installation:

        For systems that have BOTH Eagle and Hawk configured:
        (Note: For Hawk only systems, see hpatch instructions)

                cd /tmp
                tar xvf epi31-hpuxv10.tar
                cd epatch

            Now, execute the script named "epatch". Choose option 1 to
            update to current patch level (e.g. 1). Finally, type `E' to
            exit "epatch". Reboot your system to restart the Eagle
            firewall.

        For systems that have ONLY the Hawk configured:
        (Note: if you have already installed the epatch above, you do not
        need to install the hpatch below.)

                cd /tmp
                tar xvf hawk-31i.hpuxv10.tar
                cd hpatch

            Now, execute the script named "hpatch". Choose option 1 to
            update Hawk software. Finally, type `E' to exit the "hpatch"
            script. You don't need to reboot your system before you run
            Hawk.
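The patch text publishes cksum(1) values for the two tarballs that swinstall drops in /tmp, and the special instructions then unpack those tarballs and run epatch/hpatch from them. The following is an added example, not part of the HP patch text or of Raptor's epatch/hpatch scripts: a POSIX sh script that compares both files against the published CRC and byte count before anything is unpacked, so a truncated or corrupted copy is caught before it is installed. The manifest values and the /tmp paths are taken from this patch text; the script name and the `--check` flag are assumptions.

```sh
#!/bin/sh
# Added example, not part of PHNE_9294 or the Raptor epatch/hpatch scripts:
# compare the two tarballs that the patch places in /tmp against the
# cksum(1) values published in the patch text before running epatch/hpatch.

# Expected "crc size path" lines, copied from the cksum(1) Output section.
PHNE_9294_MANIFEST='4293598841 1387008 /tmp/epi31-hpuxv10.tar
1350416320 276480 /tmp/hawk-31i.hpuxv10.tar'

# check_file EXPECTED_CRC EXPECTED_SIZE PATH
# Returns 0 when both the CRC and the byte count reported by cksum(1) match.
check_file() {
    expected_crc=$1
    expected_size=$2
    path=$3
    if [ ! -f "$path" ]; then
        echo "MISSING  $path" >&2
        return 1
    fi
    # cksum prints "crc size path"; split on the first two blanks so that a
    # path containing spaces is not mangled.
    out=$(cksum "$path")
    got_crc=${out%% *}
    rest=${out#* }
    got_size=${rest%% *}
    if [ "$got_crc" = "$expected_crc" ] && [ "$got_size" = "$expected_size" ]; then
        echo "OK       $path"
        return 0
    fi
    echo "MISMATCH $path: got $got_crc $got_size, expected $expected_crc $expected_size" >&2
    return 1
}

# verify_manifest MANIFEST
# MANIFEST is text with one "crc size path" line per file. Every line is
# checked even after a failure so that all bad files are reported; returns 0
# only if every listed file exists and matches.
verify_manifest() {
    rc=0
    while read -r crc size path; do
        [ -n "$path" ] || continue          # skip blank lines
        check_file "$crc" "$size" "$path" || rc=1
    done <<EOF
$1
EOF
    return $rc
}

# Run the check when invoked as: sh verify_phne_9294.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_manifest "$PHNE_9294_MANIFEST"
    exit $?
fi
```

Run it as `sh verify_phne_9294.sh --check` after step 5 and before `tar xvf`; a non-zero exit means at least one file is missing or does not match, and every file is reported rather than stopping at the first failure. Both the CRC and the size are compared because cksum(1) prints both and a size mismatch alone already identifies a truncated download. A matching cksum only shows the file agrees with the published text (it is a CRC, not a signature), which is the check this patch text makes possible.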