This patch replaces the following patches:

3004

This patch has no known incompatiblities with other patches.

This patch fixes the following bugs:

581294 - Performer API tool security hole
581950 - pfsearch.cgi doesn't
584224 - pfresults.cgi doesn't work with perl5
585820 - wrong title for patch 3004

1. Patch SG0003018 Release Note

       This release note describes patch SG0003018; IRIS Performer
       2.2 performer_tools security fixes.

       Note:  Patch SG0003018 replaces patch SG0003004.  See
       section 1.5 below if you have installed patch SG0003004.

       This patch contains bug fixes for all systems.

       This patch contains bug fixes for the performer_tools
       subsystem shipped with IRIS Performer 2.2.  The patch should
       be loaded on any system which has performer_tools 2.2
       installed.  It is only necessary with performer_tools 2.2
       and cannot be installed on prior versions of IRIS Performer.
       This patch has been tested with IRIS Performer 2.2 on
       systems running IRIX 6.2, IRIX 6.3, IRIX 6.4, and IRIX 6.5.

       This patch contains fixes for the following bugs.  Bug
       numbers from Silicon Graphics bug tracking system are
       included for reference.

          o SCR 581294 - Performer API tool security vulnerability

          o SCR 581950 - pfsearch.cgi fails with outbox webserver

          o SCR 584224 - pfresults.cgi fails with perl5

          o SCR 585820 - wrong title for patch 3004

       This patch release includes these subsystems:

          o patchSG0003018.performer_tools_sw.webtools

          o patchSG0003018.performer_tools_man.relnotes

       Patch 3004 (the predecessor to this patch) contains an
       installation rule error which, on some systems, causes
       /var/www/cgi-bin to be renamed to /var/www/cgi-bin.o if the
       patch is removed or /var/www/cgi-bin.O if the patch is


       upgraded.

       If you have already installed patch 3004, do the following
       before upgrading to this patch:

          % su - root
          # versions remove patchSG0003004
          # cd /var/www
          # ls

       Some users may see an empty cgi-bin, a cgi-bin.o or cgi-
       bin.O, and other files.  If you do not see a cgi-bin.o or
       cgi-bin.O, then your system was not effected by the bug and
       you can go on to install this patch.

       If you do see a cgi-bin.o or cgi-bin.O, and cgi-bin is
       empty, do the following:

          # rmdir cgi-bin
          # mv cgi-bin.o cgi-bin   (or mv cgi-bin.O cgi-bin)

       Then install this patch normally.

       Because you want to install only the patches for problems
       you have encountered, patch software is not installed by
       default.  After reading the descriptions of the bugs fixed
       in this patch (see Section 1.3), determine the patches that
       meet your specific needs.

       If, after reading Sections 1.1 and 1.2 of these release
       notes, you are unsure whether your hardware and software
       meet the requirements for installing a particular patch, run
       inst.  The inst program does not allow you to install
       patches that are incompatible with your hardware or
       software.

       Patch software is installed like any other Silicon Graphics
       software product.  Follow the instructions in your Software
       Installation Administrator's Guide to bring up the miniroot
       form of the software installation tools.

       Follow these steps to select a patch for installation:

         1.  At the Inst> prompt, type

             install patchSGxxxxxxx


             where xxxxxxx is the patch number.

         2.  Initiate the installation sequence. Type

             Inst> go

         3.  You may find that two patches have been marked as
             incompatible.  (The installation tools reject an
             installation request if an incompatibility is
             detected.)  If this occurs, you must deselect one of
             the patches.

             Inst> keep patchSGxxxxxxx

             where xxxxxxx is the patch number.

         4.  After completing the installation process, exit the
             inst program by typing

             Inst> quit

       To remove a patch, use the versions remove command as you
       would for any other software subsystem.  The removal process
       reinstates the original version of software unless you have
       specifically removed the patch history from your system.

       versions remove patchSGxxxxxxx

       where xxxxxxx is the patch number.

       To keep a patch but increase your disk space, use the
       versions removehist command to remove the patch history.

       versions removehist patchSGxxxxxxx

       where xxxxxxx is the patch number.

No Requirements Information Available.

These checksums help to provide a 'signature' for the patch inst image which can be used to authenticate other inst images. You can obtain this kind of output by running sum -r on the image (from the command line):

01679      2   patchSG0003018
01339      2   patchSG0003018.idb
10201      8   patchSG0003018.performer_tools_man
48474     18   patchSG0003018.performer_tools_sw

The following lists the files which get installed from each subsystem in the patch:

patchSG0003018.performer_tools_man.relnotes

usr/relnotes/patchSG0003018/TC
usr/relnotes/patchSG0003018/ch1.z

patchSG0003018.performer_tools_sw.webtools

var/www/cgi-bin/pfdispaly.cgi
var/www/cgi-bin/pfresults.cgi
var/www/cgi-bin/pfsearch.cgi

Download Server	File Name	Date Added	Size	Download
download.sgi.com	patchSG0003018.tar	01-Apr-1998	30 K	FTP	HTTP
download.sgi.com	patchSG0003018.tardist	01-Apr-1998	30 K	FTP	HTTP
FTP = download using FTP protocol HTTP = download using HTTP protocol = store in your basket for downloading later