Patch Name: PHSS_21012

Patch Description: s700_800 10.24 VirtualVault 3.5 tgp-edit corrupts conf file

Creation Date: 00/02/04

Post Date: 00/03/07

Hardware Platforms - OS Releases:
    s700: 10.24
    s800: 10.24

Products:
    VirtualVault A.03.50 US/Canada Release;
    VirtualVault A.03.50 International Release

Filesets:
    VaultTGP.TGP-CORE

Automatic Reboot?: No

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHSS_21012

Symptoms:
    PHSS_21012:
    When adding a TGP proxy entry using the VirtualVault
    administration interface (tgp-edit CGI), the browser returns
    an error 500 and the /tcb/files/tgp.conf file is corrupted.

    PHSS_20958:
    When proxying from localhost to an external IP (off the
    VirtualVault), the following error message is written to the
    /tcb/files/tgp.log file:

        Error: Failed to get peer attributes. error: 4 count XX

    where XX ranges from 1 to 31. After a 30 second wait, the
    data is proxied.

    PHSS_20476:
    Programs running on the VirtualVault may be proxied by the
    TGP without having the proper access.

    PHSS_17692:
    There is no way to run an application server that requires a
    platform other than VVOS, including those that require
    HP-UX 11.0. Currently there is a demand from customers for
    VirtualVault that will act as a front-end to provide security
    for such services, but the current implementation of the
    Trusted Gateway Proxy (TGP) prevents this type of
    configuration. The TGP requires that a server be local to the
    VirtualVault.

Defect Description:
    PHSS_21012:
    tgp-edit initially creates an 8 element array to store proxy
    entries. Up to 7 entries can be stored, plus one null
    terminator. When the 8th entry is added, tgp-edit attempts to
    reallocate more space, but the amount of storage acquired is
    insufficient. This causes corruption of the TGP entries and a
    failure when writing the corrupted data to the
    /tcb/files/tgp.conf file.

    PHSS_20958:
    If TGP receives an error when checking a peer's attributes,
    it will invoke a 30 count wait loop. This loop produces an
    error message and waits 1 second per iteration. When TGP is
    proxying from localhost to an external IP, TGP will always
    receive a socket not connected error (errno 235). This causes
    the loop to be executed and hence a 30 second hang before
    establishing the connection.

    PHSS_20476:
    TGP made the wrong assumptions about the sessions and
    requires more checking to validate privileges.

    PHSS_17692:
    The TGP does not adequately support communication between a
    secured plug-in for the Outside NES and a back end server on
    the Inside network.

SR:
    8606127920 8606127287 8606110533 4701417204

Patch Files:
    /tcb/lib/tgpd
    /var/opt/vaultTS/inside/vault/bin/tgp-edit
    /var/opt/vaultTS/inside/vault/bin/tgp-global
    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html

what(1) Output:
    /tcb/lib/tgpd:
        $Source: src/tgproxy/configuration.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:05 $ $Revision: 1.9.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: src/tgproxy/proxy.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:05 $ $Revision: 1.11.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: src/tgproxy/security.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:05 $ $Revision: 1.5.2.3 PATCH_10.24 (PHSS_20958) $
        HP VirtualVault, tgpd, revision A.01.01
        $Source: gpent.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 13:45:29 $ $Revision: 1.7.1.1 PATCH_10.24 (PHSS_21012) $
        gpent.c, vaultTGP, vaultTGP_3.5 1.7.1.1 02/03/00
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:07 $ $Revision: 1.6 PATCH_10.24 (PHSS_17692) $
        lib/libsecurity/identity.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:16:15 $ $Revision: 1.8 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/mandlib.c, libsecurity_macilb, vvos_davis, davis26 $Date: 97/10/01 15:16:16 $ $Revision: 1.17 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/privileges.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:16:17 $ $Revision: 1.1.1.12 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/authaudit.c, libsecurity_audit, vvos_davis, davis26 $Date: 97/10/01 15:16:11 $ $Revision: 1.21 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/sec_conf.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:18:19 $ $Revision: 1.5 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/sec_nls.c, libsecurity, vvos_davis, davis60 $Date: 97/10/01 16:00:20 $ $Revision: 1.1.1.4 PATCH_10.24 (PHCO_12734) $
        Internal_Unsupported_Version libc.a_ID@@/main/r10dav/libc_dav/15
        /ux/libc/libs/libc/archive_pa1/libc.a_ID
        Jul 18 1997 15:26:17
    /var/opt/vaultTS/inside/vault/bin/tgp-edit:
        $Source: src/admin/cgi/tgp-edit/tgp-edit.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:06 $ $Revision: 1.9.1.2 PATCH_10.24 (PHSS_20476) $
        HP VirtualVault, tgp-edit, revision A.01.00
        $Source: gpent.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 11:12:57 $ $Revision: 1.7.1.1 PATCH_10.24 (PHSS_21012) $
        gpent.c, vaultTGP, vaultTGP_3.5 1.7.1.1 02/03/00
        $Source: src/lib/conf/port.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:07 $ $Revision: 1.7.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 09:06:07 $ $Revision: 1.6 PATCH_10.24 (PHSS_17692) $
    /var/opt/vaultTS/inside/vault/bin/tgp-global:
        HP VirtualVault, tgp-global, revision A.01.00
        $Source: gpent.c, vaultTGP, vaultTGP_3.5 $Date: 00/02/03 13:45:29 $ $Revision: 1.7.1.1 PATCH_10.24 (PHSS_21012) $
        gpent.c, vaultTGP, vaultTGP_3.5 1.7.1.1 02/03/00
    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html:
        src/admin/html/tgp-edit.html, vaultTGP, vaultTGP_3.5 1.6 03/03/99 --

cksum(1) Output:
    1917526762 533972 /tcb/lib/tgpd
    2297433565 65753 /var/opt/vaultTS/inside/vault/bin/tgp-edit
    417578137 36997 /var/opt/vaultTS/inside/vault/bin/tgp-global
    2721264787 27159 /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_17692 PHSS_20476 PHSS_20958

Equivalent Patches: None

Patch Package Size: 710 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_21012

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHSS_21012.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHSS_21012. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHSS_21012.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_21012.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    The patch installation replaces the Trusted Gateway Proxy
    Daemon (tgpd) as well as the tgp-edit CGI program. The TGP
    Daemon processes must be stopped prior to the installation of
    the patch and restarted after installation completes.
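
The PHSS_21012 defect description above (an 8-slot array whose reallocation acquires too little storage) illustrated as an added C example; this is not tgp-edit source, and the bulletin does not say how the size was miscalculated. It shows a growth routine for a NULL-terminated entry array that accounts for element size, the terminator and arithmetic overflow. The names entry_list, entry_list_init, entry_list_add, entry_list_free and INITIAL_SLOTS are assumptions.

```c
/* Added example; every name here is hypothetical, not tgp-edit source. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_SLOTS 8  /* 7 entries + 1 NULL terminator, as in the bulletin */

struct entry_list {
    char **items;   /* NULL-terminated array of entry strings */
    size_t count;   /* entries stored, terminator excluded */
    size_t slots;   /* pointer slots allocated, terminator included */
};

int entry_list_init(struct entry_list *l)
{
    l->items = calloc(INITIAL_SLOTS, sizeof(char *));
    l->count = 0;
    l->slots = l->items ? INITIAL_SLOTS : 0;
    return l->items ? 0 : -1;
}

/* Append a copy of text. Returns 0, or -1 with the stored entries intact. */
int entry_list_add(struct entry_list *l, const char *text)
{
    if (l->count + 2 > l->slots) {      /* need new entry + terminator */
        size_t new_slots = l->slots * 2;
        if (new_slots <= l->slots || new_slots > SIZE_MAX / sizeof(char *))
            return -1;                  /* slot or byte count would wrap */
        /* Size is slots * element size; a bare count under-allocates. */
        char **grown = realloc(l->items, new_slots * sizeof(char *));
        if (grown == NULL)
            return -1;                  /* old block is still valid */
        l->items = grown;
        l->slots = new_slots;
    }
    size_t len = strlen(text) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, text, len);
    l->items[l->count++] = copy;
    l->items[l->count] = NULL;          /* always inside the allocation */
    return 0;
}

void entry_list_free(struct entry_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->items[i]);
    free(l->items);
}
```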