-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
you can download the patch directly from the list web page:
download patch 114880-05:
http://www.filibeto.org/sun/sunray-users/patches/2.0/114880-05.zip
download signed patch 114880-05:
http://www.filibeto.org/sun/sunray-users/patches/2.0/114880-05.jar
or from sunsolve: http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage
Patch-ID# 114880-05
Keywords: sun ray update patch security
Synopsis: Sun Ray Server version 2.0 Patch Update
Date: Jul/02/2004
Install Requirements: Reboot after installation
Solaris Release: 8 9
SunOS Release: 5.8 5.9
Unbundled Product: Sun Ray Server Software
Unbundled Release: 2.0
Xref:
Topic:
Relevant Architectures: sparc
BugId's fixed with this patch: 4369691 4433854 4759966 4775352 4781321
4792984
4810192 4810962 4813815 4817187 4825312 4825808 4828674 4833004 4834790
4836233
4838105 4838376 4838723 4839252 4839685 4840440 4841227 4841245 4841279
4841623
4841678 4842640 4842791 4842800 4844714 4847413 4847657 4849042 4850576
4855375
4857347 4858575 4863617 4874498 4877262 4878246 4881981 4889019 4890267
4894276
4898094 4902617 4905168 4907215 4913927 4917981 4931943 4934961 4937735
4942260
4944875 4945510 4954684 4958188 4958479 4959964 4959969 4959976 4960514
4963980
4965543 4965942 4965958 4967253 4976175 4977771 4979769 4980867 4985620
4992187
4992396 4994404 4995913 4997442 4997503 5003520 5006545 5009497 5010353
5010789
5012100 5013617 5013715 5014959 5016553 5024925 5028734 5041770 5043517
5043539
5046583 5047600 5048434 5049181 5054679 5057683 5057692 5057957 5061744
Changes incorporated in this version: 5041770 5043539 5047600 5048434
5049181
5043517 5057683 5057692 5057957 5054679 5046583 5061744
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch:
/etc/opt/SUNWut/gulogin.start
/etc/opt/SUNWut/loginGUI.start
/etc/opt/SUNWut/reaper.conf.template
/etc/opt/SUNWut/sessionTypes.props
/etc/opt/SUNWut/smartcard/ActivCardGoldJavaCard.cfg
/etc/opt/SUNWut/smartcard/JavaBadgeCAC.cfg
/etc/opt/SUNWut/smartcard/probe_order.conf
/etc/opt/SUNWut/tokenreader.start
/etc/opt/SUNWut/waitforprimary.start
/opt/SUNWut/bin/utaudio
/opt/SUNWut/cgi-bin/desktop
/opt/SUNWut/cgi-bin/log
/opt/SUNWut/lib/app-defaults/guloginGUI.res
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/guloginGUI
/opt/SUNWut/lib/libsrcom.so.2
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/libutjadmin.so
/opt/SUNWut/lib/libutscr.so.2
/opt/SUNWut/lib/libutsmon.so.1
/opt/SUNWut/lib/modules/Authxlation.jar
/opt/SUNWut/lib/modules/StartSession.jar
/opt/SUNWut/lib/modules/StartxlationSession.jar
/opt/SUNWut/lib/modules/TerminalId.jar
/opt/SUNWut/lib/nscloginGUI
/opt/SUNWut/lib/pixmaps/GUdefault.xpm
/opt/SUNWut/lib/pixmaps/GUsunray.xpm
/opt/SUNWut/lib/prototype/Xsetup.SUNWut.prototype
/opt/SUNWut/lib/prototype/Xstartup.SUNWut.prototype
/opt/SUNWut/lib/scloginGUI
/opt/SUNWut/lib/settings.jar
/opt/SUNWut/lib/sunray_get_user.so.1
/opt/SUNWut/lib/tokenreader.yuv
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevctl
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utdmsession
/opt/SUNWut/lib/utdtsession
/opt/SUNWut/lib/utgenpolicy
/opt/SUNWut/lib/utload
/opt/SUNWut/lib/utpamcfg
/opt/SUNWut/lib/utparalleld
/opt/SUNWut/lib/utprefs-helper
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/utsessiond
/opt/SUNWut/lib/utxexec
/opt/SUNWut/lib/utxinit
/opt/SUNWut/lib/utxset
/opt/SUNWut/lib/yuvfile
/opt/SUNWut/sbin/utdesktop
/opt/SUNWut/sbin/utfwadm
/opt/SUNWut/sbin/utresadm
/opt/SUNWut/sbin/utresdef
/opt/SUNWut/sbin/utuser
/usr/lib/secure/libc_ut.so
/usr/lib/secure/sparcv9/libc_ut.so
/usr/openwin/server/modules/ddxSUNWsunray.so.1
Problem Description:
5041770 Add support for 1400x1050 resolution for Tadpole Comet
5043517 CAC/JavaBadge cards with usernames longer than 9 characters cannot
login
5043539 utaudio cpu consumption is increased 20 fold from patch 2 to 3
5046583 DTU may reset when audiokeys are pressed
5047600 Compression strategy sometimes uses wavelets inappropriately
5048434 Multihead problem with windowpane on non primary monitor.
5049181 X server crashes in newtCachePolyText8
5054679 installation of SR2.0 patch 114880-04 causes 'utgstatus'
segmentation
fault
5057683 interrupt transfer descriptors are requeued with incorrect length
5057692 microsoft intellimouse 2.0 wireless tilt scroll wheel combo
mouse does
not work
5057957 Text rendering through font cache clips entire line at screen edge.
5061744 security: screenlock not available on detach after login on TSol
(from 114880-04)
4759966 utdevmgrd: getting double mapping error messages and incorrect
$UTDEVROOT link
4775352 Second screen in MH config goes blank on its own
4838376 cannot issue CLEAR_FEATURE command on USB bulk endpoint
4841245 Random port selections aren't random enough
4842800 utaudio and utxset don't do bw management properly
4847413 Screen update does not occur when flipping screens
4847657 Rasterop lines are drawn twice
4849042 Group manager segment violation when too many interfaces are
configured
4850576 Degenerate multihead breaks and remakes connection when switching
screens
4857347 forceInsert porperty is not cleared until the next redirection
4917981 Add keyboard, mouse, monitor to card reader and you can bypass
security
policy
4937735 double ldap_value_free() call in ut_incGeneration()
4942260 Firmware upgrades fail over high latency, lbw connections
4944875 Need to explicitly request vendor parameters
4945510 utload can't load firmware to Copernicus hardware or to multihead
secondaries
4954684 Firmware load icon can display incorrect FW server
4958479 ut_check_name needs to be public
4960514 Sun Ray 1G needs normal blanking interval 1600x1200 at 60 Hz timing
4963980 Need server-side support for [EMAIL PROTECTED] VESA timing
4965543 Sun Ray DTUs don't work behind NAT gateways
4965942 svclib/svcs needs to use unique ut_ naming for register callbacks.
4965958 usblib returns incorrect value for I/O calls when length exceeds
MAX_DATA
4967253 DHCP lease renewal algorithm is flawed
4976175 X server crashes in newtPolyFillRect
4977771 Load Balancing doesn't work properly in LAN deployment of SRS2.0
4979769 rendering issues on SR1G
4980867 Icons don't show up at all on a P7 based SR100
4985620 USB mass storage service needs to know display ID
4992187 svclib device struct missing certain device descriptor fields
4992396 authd not responding to callback requests
4994404 server side OSD icons change to 26D after some time
4995913 sunray firmware closes tcp connection unnecessarily
4997442 device link name generation should be consistent
4997503 long delay between card insertion and PIN loginGUI.
5003520 Recursive mutex locking in processing callme causes false deadlock
detection
5006545 Loss of network connection is not reported quickly enough
5009497 Scrolling of a textedit window continues after button release
5010353 Crossing screens in degenerate mode can cause the mouse to hang
5010789 Add support for Quatech DSU-100 devices
5012100 scbus library always passes UID=0 to DM
5013617 mouse freezes when dragging windows across multiheads
5013715 set boot protocol is missing for some mice devices
5014959 X server font cache disables itself on output disable/reenable
5016553 X server calls ALP rendering functions from a signal handler
5024925 SunRayServer 2.0 failover groups fail
5028734 firmware needs to support short reads for control transfers
(from 114880-03)
4889019 Card Recognition fails at times on P4 hardware
4902617 Provide firmware support for Sunray Plus (P7) models
4905168 Oberthur cards don't work with on SunRays
4913927 Unable to read ATR on P4 boards.
4931943 Firmware returns wrong data for some APDUs
4934961 The audio quality from Sunray is quite poor.
4958188 tmds pll programming on SR 1g incorrect
4959964 SRCOM library needs to support PC/SC
4959969 scbus library has terminal list race condition
4959976 Update smartcard config file to extract username from CAC
(from 114880-02)
4369691 Firmware info displayed in GUI/CLI for DTU is confusing to user.
4781321 SunRay Module causes SunMC agent VM to grow
4792984 pam.conf update ignores existing pam entries for dtlogin/dtsession
4834790 Firmware returns wrong data for return code 0x63XX during an APDU
transaction.
4838105 utuser -p $CORONA_TOKEN sometimes fails when raw token is JavaBadge
4855375 Load balancing takes too long to even out unbalanced load.
4858575 /usr/lib/libc_ut.so library's stat routine seg. faults at NULL file
argument
4863617 ut_isServerAlive SEGFAULTS if server times out
4877262 GNC vulnerability in non-default session types
4878246 off-by-one memory write in library key/value code
4881981 Admin library calls use multithread unsafe system calls.
4890267 New Quatech SSU-100 devices (PID 0xC020) not working with SunRays
4894276 Sun Ray firmware responds to arbitrary multicast ping
4898094 Freed memory is being referenced later in the code.
4907215 utinfo::issuePropertiesCallback() should block for connected
(from 114880-01)
4433854 Sometimes smartcard removal is not detected and session stays active
4810192 X server rendering cleanup
4810962 A forceInsert on redirect should carry forward the redirectProps
values
4813815 username property does not get carried along for redirects to
non-trusted hosts
4817187 Minor mathematical manipulation mitigates multihead mouse
mispositioning
4825312 CAM/kiosk session does not restart after logout on fast hardware
4825808 Javabadge smartcards are sometimes recogonized as OpenPlatform
cards.
4828674 sunray_get_user.so does not work correctly if stacked multiple times
4833004 Determine the home server for a DTU
4836233 Lazy Authentication, authd should push authentication to as late as
possible
4838723 Remove the acceptRedirectToken property from auth.props
4839252 SRSS2.0; outline of StarOffice window remains
4839685 X server drops to lbw limit when packets are lost
4840440 postpatch script needs to handle LAN case for utfwadm
4841227 Bad processing after lost packet causes bad command interpretation
4841279 utfwadm -N all with no LAN subnets gives bogus errors
4841623 Need a new PAM module to get username infomation
4841678 utfwadm -A -a -N all does not work
4842640 Need utility interfaces for lazy auth (sunray_get_user)
4842791 Redirection from server doing encryption to one that's not fails
4844714 Add DHCP XDM option to specify Sun Ray server list
4874498 Sun/Fujitsu mouse rev(05c/06c) may fail to work in SunRay due to bad
packets
Patch Installation Instructions:
- --------------------------------
For Solaris 2.8 & 9 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:
~ example# patchadd /var/spool/patch/114880-05
The following example removes a patch from a standalone system:
~ example# patchrm 114880-05
For additional examples please see the appropriate man pages.
Special Install Instructions:
- -----------------------------
"NOTE 1: To get the complete fix for 4484759,
Solaris 8 users should also install
~ 108528-15 (or later): kernel update patch".
"NOTE 2: To get the complete fix for 4678927,
Solaris 8 users should also install
~ 108652-59 (or later): Xsun patch".
"NOTE 3: To get the complete fix for 4642695,
Solaris 8 users should also install
~ 108940-46 (or later): Motif runtime library patch,
Solaris 7 users should install 107081-51 (or later),
Solaris 2.6 users should also install 105284-50 (or later).
Required Patches
- ----------------
Warnings & Errors
- -----------------
** WARNING: This patch should only be applied to systems which
~ have Sun Ray Server Software 2.0 fully installed. Do not
~ attempt to add this patch to the UFS image to be applied as
~ part of the install process **
** WARNING: Unconfiguring the Sun Ray Server Software before
removal of this patch may lead to error messages and/or
removal failure
** WARNING: Login behavior for Non-SmartCard Mobility sessions is
slightly different, see the following section on LAN Security
Enhancement.
LAN Security Enhancement
- ------------------------
LAN Security for Non-SmartCard Mobility (NSCM) has been improved, and this
results in a very slightly different user experience when logging in,
which users may wish to be prepared for. The property
acceptRedirectTokens in /etc/opt/SUNWut/auth.props no longer exists.
Instead, normal login for NSCM now may redirect a user after the
username is entered and before the password-entry screen is presented.
This results in final authentication occurring on the server where the
user's session will be accessed or created. This has two user-visible
effects, when contrasted to the previous default case where
acceptRedirectTokens=false:
1. Users will never need to enter their username and password
twice.
2. After entering the username, the NSCM screen will disappear
and some Sun Ray On Screen Display (OSD) icons will briefly
appear while the Sun Ray is being redirected to the correct
server, after which the NSCM screen for "Enter password" will
appear. Note that type-ahead will no longer function during
this interval. The user must now wait for the password-entry
screen to be drawn before typing their password.
It is hoped that this should not present a significantly different
login experience to users, while providing increased security.
Post-Login Security Enhancement for Trusted Solaris
- ---------------------------------------------------
On Trusted Solaris 8 systems that have installed Trusted Solaris patch
116336-05 or greater and Sun Ray 2.0 patch 114880-05 or greater, the
system may be configured to terminate a freshly logged-in desktop
session that becomes detached from a Sun Ray unit before the login has
proceeded to the point where a screen lock can be activated. To enable
this behaviour the administrator should create a file
/etc/opt/SUNWut/reaper.conf containing the following lines:
REAPER_TIMEOUT=0
REAPER_DEFER_DISARM=1
Please review the file /etc/opt/SUNWut/reaper.conf.template for
additional details.
Sun Ray Firmware Upgrades
- -------------------------
This patch includes firmware updates for Sun Ray appliances. The
updated firmware will be loaded by your Sun Ray appliances through the
usual Sun Ray firmware download mechanism. The firmware changes are
independent of the Sun Ray Server Software changes but are delivered
in this patch for your convenience.
If this patch is being applied to servers configured into a Sun Ray
failover group it must be applied to all servers in the group at your
earliest convenience. While some members of the group remain unpatched
the restart time of your Sun Ray appliances may be noticeably longer
than usual. The increased restart time can be avoided by taking the
action described in step 1 below.
The following additional steps are required when adding this patch on a
live system:
~ (before applying patch to system)
~ 1. (optionally) Suppress firmware downloads from all servers in
~ a Sun Ray failover group
~ 2. Stop Sun Ray services on the server being patched
~ (after applying patch)
~ 3. Reboot the Sun Ray server
To remove this patch, carry out these steps in the following order:
~ (before removing the patch)
~ 1. (optionally) Suppress firmware downloads from all servers in
~ a Sun Ray failover group
~ 2. Stop Sun Ray services on the server being patched
~ (after removing the patch)
~ 3. Reboot the Sun Ray server
Detailed Steps
- --------------
1. Suppress firmware downloads
~ If the server being patched is not a member of a Sun Ray
~ failover group you should skip this step.
~ If the server being patched is a member of a Sun Ray failover
~ group then this step is optional but is strongly recommended.
~ At Patch Installation
~ ---------------------
~ Before adding this patch to servers configured into a Sun
~ Ray failover group we advise that you disable Sun Ray
~ firmware delivery from all unpatched hosts in the failover
~ group. On each host in the group:
~ For each of the dedicated network interconnects:
~ $ /opt/SUNWut/sbin/utfwadm -a -D -n <intf>
~ For each of the shared subnetwork interconnects:
~ $ /opt/SUNWut/sbin/utfwadm -a -D -N <subnetwork>
~ Do this only one time, before adding this patch to any
~ server in the group.
~ The purpose of this step is to prevent unpatched servers
~ from offering old firmware to Sun Ray appliances that have
~ already accepted the new firmware delivered with this
~ patch.
~ If this patch is being applied to a Sun Ray failover group
~ then omitting this step may result in increased restart
~ times for your Sun Ray appliances. (A mixture of patched
~ and unpatched servers advertising conflicting firmware
~ versions may cause the appliance to download new firmware
~ each time it restarts. The appliance automatically
~ restarts itself after downloading fresh firmware so its
~ overall restart cycle is longer in that case. The
~ appliance may restart itself several times before
~ establishing or reconnecting to a session.) The Sun Ray
~ restart time will return to normal once the patch has been
~ added to all servers in the failover group.
~ At Patch Removal
~ ----------------
~ Before removing this patch from servers configured into a
~ Sun Ray failover group we advise that you disable firmware
~ delivery from any hosts in the failover group that have
~ this patch installed. On each already-patched host in the
~ group:
~ For each of the dedicated network interconnects:
~ $ /opt/SUNWut/sbin/utfwadm -a -D -n <intf>
~ For each of the shared subnetwork interconnects:
~ $ /opt/SUNWut/sbin/utfwadm -a -D -N <subnetwork>
~ Do this only one time, before removing this patch from any
~ of the already-patched servers in the group.
~ The purpose of this step is to prevent already-patched
~ servers from offering new firmware to Sun Ray appliances.
~ If this patch is being removed from a Sun Ray failover group
~ then omitting this step may result in increased restart
~ times for your Sun Ray appliances. (A mixture of patched
~ and unpatched servers advertising conflicting firmware
~ versions may cause the appliance to download new firmware
~ each time it restarts. The appliance automatically
~ restarts itself after downloading fresh firmware so its
~ overall restart cycle is longer in that case. The
~ appliance may restart itself several times before
~ establishing or reconnecting to a session.) The Sun Ray
~ restart time will return to normal once the patch has been
~ removed from all servers in the failover group.
2. Stopping Sun Ray services and login sessions
~ Before applying this patch to a Sun Ray server or removing this
~ patch from a Sun Ray server all users should be logged out of
~ their Sun Ray sessions.
~ Stop the Sun Ray services using the following command:
~ $ /etc/init.d/utsvc stop
~ This command will terminate any Sun Ray sessions that were not
~ already logged out.
~ Next, add or remove the patch using the instructions outlined
~ above in the section "Patch Installation Instructions".
~ Adding the patch automatically prepares the server to advertise
~ new firmware to your Sun Ray appliances. Removing the patch
~ automatically prepares the server to revert to advertising
~ pre-patch firmware to your Sun Ray appliances.
3. Rebooting the Sun Ray server
~ The Sun Ray server must be rebooted after the addition or
~ removal of the patch.
README -- Last modified date: Friday, July 2, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SunOS)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQIVAwUBQOpbbwYfcoPsD0o3AQIwDA/+MUselKOtNVLt4xQKacxoyvlg+yAerMzr
L+ovH6YrJ2HGgrsqZyqOFQhtSIWHuA4vQ6zFihsBwtCRz4MSaD19xmj9EY5wFpp9
LpBK61dxeczmko/ShiHN7LrasX7oRc2fJXMTHucZxGkT9vRlJlb8zoWtHcpch8CE
ax31qa1ZwIGYsntLSWSLIw7YtgYrjtyb2HWlwSpKeWvhl0vtFr0DmhZDamsPdd8U
S3Tdj7HN6rsOibP0J3Rmv6ZyDDfU+WYL1YL8Jg2ed8G+OXrF/B2JEeNGkKTx5N24
saB5xtrY1gM5aFN4j+AZLbudDFo8HGwDlXkl51McBHc/Uvmn9/JdT1H3JjhNLESl
pqnIogQVfFvcbA9rnHD93fhcxtZSsh/8rLj7VxEHyvDq5+qckPpBjv9VaLG2eJQv
wYAspCmEnODxVohrZIcda4qrpDrnAZu1o0UNqUCTPcreNydmdesF3lZTw3FFsf/q
UY2lnIFjpLCNyKPpRGPj3fayBvKjMRP5IKIA3YnUGzFtIoH8HA5rkoBF5sYB1H/c
aJwueLm6ymSmr1rtSzzLUX6ZKAfEjDg+JyrIprBAdgBQrd7fkwonuZCC92K1ads1
PbDhPpGyzdD6Iecz26TfbqqJVvKGQyKZCR/wLQ7mbw5mBuTjmoowkUQ7v0TkNaw8
FIyJ0eVl9gA=
=yLF/
-----END PGP SIGNATURE-----
_______________________________________________
SunRay-Users mailing list
[EMAIL PROTECTED]
http://www.filibeto.org/mailman/listinfo/sunray-users
