Patch Name: PHSS_19389

Patch Description: s700_800 10.24 VirtualVault 2.00 NES NSAPI fix

Creation Date: 99/08/02

Post Date:  99/08/10

Hardware Platforms - OS Releases:
	s700: 10.24
	s800: 10.24

Products:
	VirtualVault A.02.00 US/Canada Release;
	VirtualVault A.02.00 International Release

Filesets:
	VaultNES.NES-COMMON VaultTS.INES-COMMON
	VaultTS.VAULT-CORE-CMN

Automatic Reboot?: Yes

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHSS_19389

Symptoms:
	PHSS_19389:
	Under certain conditions, the Netscape Enterprise
	Server (NES) does not function properly.  This
	has been observed in the NES bundled with
	VirtualVault A.02.00 .

	PHSS_18620:
	Under certain conditions, the Netscape Enterprise
	Server (NES) does not function properly.  This
	has been observed in the NES bundled with
	VirtualVault A.02.00 .

	PHSS_11074:
	1) PHSS_10371 introduced a 16k byte data POST limitation on
	   the NSAPI TGA client module.  This patch removes that
	   limitation to provide unlimited posting of data as the
	   pre-PHSS_10371 TGA NSAPI module allowed.
	2) Adds short pathname, VV1.0-like, CGI compatibility flag.
	   As of version 2.0 of VVTS, poorly written CGIs core when
	   started via the NSAPI.  The reason is that the CGI is
	   expecting a basename in argv[0], rather than a full
	   pathname to the CGI. VV 1.0 only passed the basename in
	   argv[0], which is inconsistent with the base Enterprise
	   Server's normal operation.  Then NSAPI TGA in VV2.0
	   corrected the inconsistency, and revealed some poor
	   programming in certain customer CGI programs.  This patch
	   adds a -s1 compatibility switch to the tgad executable to
	   allow the CGIs to run.

	PHSS_10435:
	1) The creation of a new Unix Domain socket on the
	   filesystem for each CGI execution becomes prohibitive
	   during heavy load conditions.  The establishment and
	   subsequent unlinking of files causes a thrashing of
	   the systems disk and degrades the overall performance
	   of the machine.  By switching to a single connection
	   point throughout execution, the thrashing is
	   eliminated.
	2) The MD5 routine used to generate the Program Integrity
	   Codes (PIC) had an extra 'byteReverse()' call in it.
	   This made the resultant sum have the byte ordering
	   reversed throughout the hash value. As a result,
	   PICs from the VV 1.x versions of the product would not
	   be usable with 2.0.
	3) If the TGA daemon can not execute a given CGI request,
	   it places a specific error message into a buffer for
	   later auditing.  This specific error message was always
	   being overwritten by a more generic message just before
	   the audit event was written to disk.

	PHSS_10371:
	1) A malformed loop construct did an extra read when pulling
	   post data from the browser into the NSAPI module.  At
	   that time, no data was available for reading.  The
	   routine would wait 2 minutes for the non-existent data to
	   arrive and then time out.  This had the effect that all
	   POST requests would have a 2 minute delay.
	2) The NSAPI routine netbuf_getc() returns a positive number
	   on success: zero or minus one on error.  By explicitly
	   checking for 'zero', the ability to POST binary data was
	   removed.  This is not acceptable.

Defect Description:
	PHSS_19389:
	Under certain conditions, the Netscape Enterprise
	Server (NES) does not function properly.  This
	has been observed in the NES bundled with
	VirtualVault A.02.00 .

	PHSS_18620:
	Under certain conditions, the Netscape Enterprise
	Server (NES) does not function properly.  This
	has been observed in the NES bundled with
	VirtualVault A.02.00 .

	PHSS_11074:
	1) PHSS_10371 introduced a 16k byte data POST limitation on
	   the NSAPI TGA client module.  This patch removes that
	   limitation to provide unlimited posting of data as the
	   pre-PHSS_10371 TGA NSAPI module allowed.
	2) Adds short pathname, VV1.0-like, CGI compatibility flag.
	   As of version 2.0 of VVTS, poorly written CGIs core when
	   started via the NSAPI.  The reason is that the CGI is
	   expecting a basename in argv[0], rather than a full
	   pathname to the CGI. VV 1.0 only passed the basename in
	   argv[0], which is inconsistent with the base Enterprise
	   Server's normal operation.  Then NSAPI TGA in VV2.0
	   corrected the inconsistency, and revealed some poor
	   programming in certain customer CGI programs.  This patch
	   adds a -s1 compatibility switch to the tgad executable to
	   allow the CGIs to run.

	PHSS_10435:
	1) The creation of a new Unix Domain socket on the
	   filesystem for each CGI execution becomes prohibitive
	   during heavy load conditions.  The establishment and
	   subsequent unlinking of files causes a thrashing of
	   the systems disk and degrades the overall performance
	   of the machine.  By switching to a single connection
	   point throughout execution, the thrashing is
	   eliminated.
	2) The MD5 routine used to generate the Program Integrity
	   Codes (PIC) had an extra 'byteReverse()' call in it.
	   This made the resultant sum have the byte ordering
	   reversed throughout the hash value. As a result,
	   PICs from the VV 1.x versions of the product would not
	   be usable with 2.0.
	3) If the TGA daemon can not execute a given CGI request,
	   it places a specific error message into a buffer for
	   later auditing.  This specific error message was always
	   being overwritten by a more generic message just before
	   the audit event was written to disk.

	PHSS_10371:
	1) A malformed loop construct did an extra read when pulling
	   post data from the browser into the NSAPI module.  At
	   that time, no data was available for reading.  The
	   routine would wait 2 minutes for the non-existent data to
	   arrive and then time out.  This had the effect that all
	   POST requests would have a 2 minute delay.
	2) The NSAPI routine netbuf_getc() returns a positive number
	   on success: zero or minus one on error.  By explicitly
	   checking for 'zero', the ability to POST binary data was
	   removed.  This is not acceptable.

SR:
	0000000000 4701349415 4701349506 4701349514 4701348870
	4701354373 4701354365 8606102059

Patch Files:
	/var/opt/vaultTS/inside/nsbase/bin/vvauth.so
	/var/opt/vaultTS/outside/nsbase/bin/https/vvlog.so
	/opt/vaultTS/root/tcb/bin/tga
	/var/opt/vaultTS/outside/nsbase/bin/https/vvtga.so
	/opt/vaultTS/root/tcb/lib/tgad
	/opt/vaultTS/lib/libswp.sl

what(1) Output:
	/var/opt/vaultTS/inside/nsbase/bin/vvauth.so:
		@(#)05  1.1.1.2  swp/src/misc/nsapi/log.c, swp_src_m
			isc, vaultTS_2.0 08/03/99 10:19:10 PATCH_10.
			24 (PHSS_19389)
	/var/opt/vaultTS/outside/nsbase/bin/https/vvlog.so:
		@(#)05  1.1.1.2  swp/src/misc/nsapi/log.c, swp_src_m
			isc, vaultTS_2.0 08/03/99 10:19:10 PATCH_10.
			24 (PHSS_19389)
	/var/opt/vaultTS/outside/nsbase/bin/https/vvtga.so:
		HP VirtualVault, vvtga.so, revision A.02.00 w/ PHSS_
			10371, PHSS_11074
		swp/src/gateway/cgi2/nsapi/env.c, swp_gw_client, vau
			ltTS_2.0 1.4  01/08/97
		swp/src/gateway/cgi2/nsapi/argv.c, swp_gw_client, va
			ultTS_2.0 1.4.1.1  01/29/97
		93  1.3.1.1  io.c, swp_gw_client, vaultTS_2.0 05/24/
			99 14:36:37 PATCH_10.24 (PHSS_18620)
	/opt/vaultTS/root/tcb/lib/tgad:
		HP VirtualVault, tgad, revision A.02.00 w/ PHSS_1043
			5, PHSS_11074
		Internal_Unsupported_Version libc.a_ID@@/main/r10dav
			/libc_dav/15
		/ux/libc/libs/libc/archive_pa1/libc.a_ID
		Jan 27 1997 18:28:57
	/opt/vaultTS/root/tcb/bin/tga:
		swp/src/gateway/cgi2/cgi/tga.c, swp_gw_client, vault
			TS_2.0 1.2  01/14/97
		93  1.3.1.1  io.c, swp_gw_client, vaultTS_2.0 05/24/
			99 14:36:37 PATCH_10.24 (PHSS_18620)
	/opt/vaultTS/lib/libswp.sl:
		@(#)35  1.2  swp/src/lib/swp/util.c, swp_lib, vaultT
			S_2.0 05/26/99 15:35:53 PATCH_10.24 (PHSS_18
			620)

cksum(1) Output:
	782029657 24614 /var/opt/vaultTS/inside/nsbase/bin/vvauth.so
	3591184134 16402 /var/opt/vaultTS/outside/nsbase/bin/https/
		vvlog.so
	3256964660 32852 /var/opt/vaultTS/outside/nsbase/bin/https/
		vvtga.so
	2054700123 316378 /opt/vaultTS/root/tcb/lib/tgad
	4183375050 24643 /opt/vaultTS/root/tcb/bin/tga
	4025760623 143874 /opt/vaultTS/lib/libswp.sl

Patch Conflicts: None

Patch Dependencies:
	s700: 10.24: PHCO_18615
	s800: 10.24: PHCO_18615

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
	PHSS_18620 PHSS_10371 PHSS_10435 PHSS_11074

Equivalent Patches: None

Patch Package Size: 620 KBytes

Installation Instructions:
	Please review all instructions and the Hewlett-Packard
	SupportLine User Guide or your Hewlett-Packard support terms
	and conditions for precautions, scope of license,
	restrictions, and, limitation of liability and warranties,
	before installing this patch.
	------------------------------------------------------------
	1. Back up your system before installing a patch.

	2. Login as root.

	3. Copy the patch to the /tmp directory.

	4. Move to the /tmp directory and unshar the patch:

		cd /tmp
		sh PHSS_19389

	5a. For a standalone system, run swinstall to install the
	    patch:

		swinstall -x autoreboot=true -x match_target=true \
			-s /tmp/PHSS_19389.depot

	By default swinstall will archive the original software in
	/var/adm/sw/patch/PHSS_19389.  If you do not wish to retain a
	copy of the original software, you can create an empty file
	named /var/adm/sw/patch/PATCH_NOSAVE.

	WARNING: If this file exists when a patch is installed, the
	         patch cannot be deinstalled.  Please be careful
		 when using this feature.

	It is recommended that you move the PHSS_19389.text file to
	/var/adm/sw/patch for future reference.

	To put this patch on a magnetic tape and install from the
	tape drive, use the command:

		dd if=/tmp/PHSS_19389.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
	The PHCO_18615 (libsecalarm) patch should be installed
	prior to installing this patch in order to maintain
	application library compatibility.