dear all,

the sixth Sun Ray Core Services Patch for SRSS 4.1 is available for
download from sunsolve.sun.com.

139548-06 - Solaris SPARC
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-139548-06-1

README
http://www.sun-rays.org/patches/README/README.139548-06


139549-06 - Solaris 10 x86
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-139549-06-1

README
http://www.sun-rays.org/patches/README/README.139549-06


139550-06 - Linux
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-139550-06-1

README
http://www.sun-rays.org/patches/README/README.139550-06


below is the README for the SPARC platform patch.


greetings,

Stoyan Angelov




Patch-ID# 139548-06

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
For further information on patching best practices and resources, please
see the Big Admin Patching Center, http://www.sun.com/bigadmin/patches/
***********************************************************************

Keywords: sun ray update patch security
Synopsis: Sun Ray Core Services version 4.1 Patch Update
Date: Aug/19/2010


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product: Sun Ray Core Services

Unbundled Release: 4.1

Xref: This patch available for 5.10_x86 as 139549-06 and for Linux as 139550-06

Topic:

Relevant Architectures: sparc

BugId's fixed with this patch: 6497875 6578775 6638939 6688127 6699511 6706040 6706607 6709953 6715426 6727792 6730822 6739397 6742304 6744049 6744675 6745120 6747622 6749640 6754108 6754138 6756504 6758164 6760323 6765081 6773304 6775532 6777864 6778272 6780548 6781604 6783751 6785797 6786835 6788938 6792954 6794261 6800187 6801398 6801496 6803522 6805507 6805880 6807885 6808340 6808910 6809619 6811761 6812067 6813315 6814576 6817401 6818226 6824230 6828831 6830214 6838464 6847290 6849054 6852457 6853222 6854647 6856022 6856191 6860821 6874418 6887939 6889535 6896659 6897156 6900212 6901836 6902328 6904684 6904989 6908144 6910599 6911654 6926114 6940958 6945668 6945679 6948665 6948678 6951337 6952119 6952216 6953216 6955640 6958479 6971894

Changes incorporated in this version: 6742304 6777864 6896659 6897156 6900212 6901836 6904684 6904989 6908144 6910599 6911654 6926114 6940958 6945668 6945679 6948665 6948678 6952119 6952216 6953216 6955640 6958479 6971894

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/opt/SUNWut/hdlogin.start
/etc/opt/SUNWut/loginGUI.start
/etc/opt/SUNWut/noentry.start
/etc/opt/SUNWut/smartcard/GD-STARCOS.cfg
/etc/opt/SUNWut/smartcard/OpenPlatform.cfg
/opt/SUNWut/bin/utselect
/opt/SUNWut/lib/Xnewt
/opt/SUNWut/lib/admin.jar
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP10
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/firmware/CoronaP8
/opt/SUNWut/lib/firmware/CoronaP9
/opt/SUNWut/lib/firmware_gui/CoronaP1
/opt/SUNWut/lib/firmware_gui/CoronaP10
/opt/SUNWut/lib/firmware_gui/CoronaP2
/opt/SUNWut/lib/firmware_gui/CoronaP3
/opt/SUNWut/lib/firmware_gui/CoronaP4
/opt/SUNWut/lib/firmware_gui/CoronaP5
/opt/SUNWut/lib/firmware_gui/CoronaP6
/opt/SUNWut/lib/firmware_gui/CoronaP7
/opt/SUNWut/lib/firmware_gui/CoronaP8
/opt/SUNWut/lib/firmware_gui/CoronaP9
/opt/SUNWut/lib/ifdh_scbus.so.1
/opt/SUNWut/lib/libsimpleRun.so
/opt/SUNWut/lib/libusbut.so.1
/opt/SUNWut/lib/libutadmin.so.1
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/libutjadmin.so
/opt/SUNWut/lib/loginGUI
/opt/SUNWut/lib/modules/Authxlation.jar
/opt/SUNWut/lib/pam_sunray.so.1
/opt/SUNWut/lib/pam_sunray_amgh.so.1
/opt/SUNWut/lib/protocol.jar
/opt/SUNWut/lib/prototype/Xreset.SUNWut.prototype
/opt/SUNWut/lib/sdk.jar
/opt/SUNWut/lib/settings.jar
/opt/SUNWut/lib/usb/ttykeyspan.so.1
/opt/SUNWut/lib/utaddfontpath
/opt/SUNWut/lib/utati
/opt/SUNWut/lib/utatilu
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utgenpam
/opt/SUNWut/lib/utkeyvet
/opt/SUNWut/lib/utpamcfg
/opt/SUNWut/lib/utparalleld
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/utstoraged
/opt/SUNWut/lib/xmgr/gdm/remove-dpy
/opt/SUNWut/sbin/utatiscrub
/opt/SUNWut/sbin/utuser
/opt/SUNWut/share/man/man1m/utatiscrub.1m
/opt/SUNWut/share/man/man1m/utfwadm.1m
/opt/SUNWut/share/man/man1m/utuser.1m
/opt/SUNWut/share/man/man3/ut_amgh_script_interface.3
/opt/SUNWut/share/man/man3/ut_ati_script_interface.3
/opt/SUNWutref/ati/utatiref_script
/usr/kernel/misc/sparcv9/utio
/usr/kernel/misc/utio
/usr/openwin/server/modules/ddxSUNWsunray.so.1

Problem Description:

6742304 utio causes kernel panic when destroying mutex
6777864 application can be blocked without good reason in read() call against Sun Ray serial device
6896659 User GUI application font randomly display as unexpected Bold for some char
6897156 Inbound audio from Sun Ray 2 (P8) units is distorted
6900212 RFE: option could be added in PUI for enabling/disabling the OSD flow(1->21->22->26->44)
6901836 SRSS 4.2 FCS, SR2 devices reboot during VPN authentication
6904684 Sun Ray VPN fails on the 2nd IKE rekey, and reboots
6904989 When a VPN gateway closes a connection, the Sun Ray sends the previously entered password repeatedly
6908144 VPN connection expiration can leave Sun Ray in state that requires power off
6910599 Sound setup of DTU changes to speaker and headphone on when playing music
6911654 Hangul and Hanja keys on Korean PC 105 keyboard are not recognized by Xnewt
6926114 MS Wireless Mouse no longer working with SRSS firmware 4.2_77_2009.10.19.17.01
6940958 Some late IPv6 changes were missed in 4.2
6945668 Login screen is off-center on pan&scan after smartcard eject
6945679 port memory corruption fix in libfb to Xnewt
6948665 Adding IPv6 DNS servers to CONFIG_DNS_SERVERS configuration record is backward/forward incompatible.
6948678 keepAliveExpiry is being sent unexpectedly
6952119 DO NOT POWER OFF warning does not appear with DHCP6/DNS6
6952216 Add support for Macronix MX29LV640E flash for SR3+
6953216 Opnext 100-FX SFP TRF5326ANLB400 sometimes hangs during SR3+ boot
6955640 Fix Get response for G&D smartcafe cards in SR3
6958479 SRCS patches must deliver firmware images for Sun Ray 3 Plus (P9) and Sun Ray 3 (P10) units
6971894 Regression in 4.2 patch -03 firmware prevents Code M2 Modems and Scanners from working correctly

(from 139548-05)

6951337 SRCS patches must deliver firmware images for Sun Ray 3 Plus units

(from 139548-04)

6780548 xrandr fails to switch resolution without explanation.
6811761 on SRSS 4.1, with Japanese language login,characters on lock window are garbled
6889535 loginGUI displays incorrect msg "Unable to authenticate - Internal PAM Error" when user is locked
6902328 memory problems in the Sun Ray Session Server

(from 139548-03)

6497875 Device nodes are not getting created for Edgeport/1
6688127 Printers connected directly to DTUs USB port stop working after a while
6744049 DM needs to be able to force use of "callme" protocol even when DTU is not behind a NAT gateway
6765081 pam_ldap error in xscreensaver account management when NSCM/RHA is in use
6794261 Multiple NSCM logins with different capitalisation
6803522 AMGH (to target FOGs running older SRSS) and Token Reader functionality in FOGs broken by bestip fix
6805880 Pen data transfer doesn't happen for the second time in same session
6808340 AMGH doesn't redirect DTUs away from servers in some circumstances
6809619 Add 1280x800 screen resolution support
6814576 Need server-side support for 1280x...@60d timing
6817401 Some fonts are not displaying correctly with Xnewt server
6818226 Xnewt's DTrace provider request-start needs to be updated
6824230 shift+props doesn't invoke utsettings GUI
6828831 poor initial loadbalancing when using kiosk mode
6830214 need to disable the source button on the Sun Ray 270
6838464 utauthd remote denial of service attack
6847290 Add GUI option to set videoindisable switch for Sun Ray 270
6849054 Customer expects option 43 offer to be accepted even if include option 43 in an invalid string
6852457 Clients DSA private key are not unique
6853222 logout immediately logs back in under certain circumstances on Solaris 10
6854647 Sun Ray keyboard becomes unresponsive while mouse events are OK
6856022 Sun Rays can come up at 10 Mbps if switch port is not up when Sun Ray boots
6856191 Retrieving data using Pc/ScLite 1.1 from Siemens CardOS4.01a smartcard fails with FW 4.1_139548
6860821 utfwadm man page needs to be updated with new videoindisable key
6874418 In a slow network a new socket connection fails frequently when polling for tcp connection
6887939 Update admin.version version number property on smartcard config files to track code changes

(from 139548-02)

6578775 Safesign app + PCSC Lite + JCOP-XX smart card + correct PIN = keypair/keyset not found error
6638939 "Choose host from list" option doesn't work for XDMCP sessions with Xnewt
6706607 utsession -k can cause 26 D icons
6715426 [lowbandwidth] Video appears as green when the bandwidth is lowered for chicken.mpg clip
6727792 utseriald denies access to device after server switch
6739397 Add callme device allocation back into Sun Ray smart card IFD handler.
6744675 chicken.mpg does not play after disconnecting/relaunching windows session with low MTU value
6745120 Sun Ray 2FS hangs at 26D (Xsun) or is black (Xnewt) when the resolution is set to 640x480
6773304 PIX gateways no longer work for VPN with Sun Ray because of ID type change
6775532 Xnewt dumping core due to a divide by zero error.
6778272 Enhance PCSC Support for French Health Smart Cards with Internal reader
6781604 AMGH fails on Sun Rays when server's Primary IP address is unreachable (sim. to CR#6747622)
6783751 Timings forced by 'utresadm' should be overridable by subsequent 'utresadm' invocations
6785797 Sun Ray firmware needs expanded network definition options
6786835 Need support for Siemens CardOS API 2.5 middleware added to PC/SC-Lite
6788938 4.1 utauthd has a crash and redirect issue.
6792954 XVideo XvPutImage parameters not working and some boundary conditions not working
6800187 utauthd in SRSS 4.0 on S10/TX appears to leave a number of defunct processes and open ports
6801398 Xsun fails to work with 8bit PseudoColor Visual enabled as default
6801496 OpenPlatform.cfg and JavaBadgeCAC smartcard config files need to support G&D JavaCard card
6805507 Xorg server uses bad locking algorithm which affects SRSS
6807885 Xnewt + XKB can erroneously autorepeat when key reports are dropped or delayed
6808910 Netscreen VPN connections don't come up if the gateway's version ID is not recognized.
6812067 Sun Ray VPN doesn't support AES 192 and 256 bit key sizes.
6813315 Slow repeat key after "utxconfig -k off" when using Xnewt

(from 139548-01)

6699511 Xsun hangs with OSD 26 on Sun Ray DTU with large time on poll() if under VMware and high speed net
6706040 Xnewt can send autorepeated keystrokes into a detached session
6709953 Sessions gets killed with ctrl+alt+backspace when XKB is enabled.
6730822 utauthd does not notice that sessions have been disconnected in certain circumstances
6747622 LAN-connected Sun Rays can't redirect to a server when its primary IP address is not reachable
6749640 Desire a way to use token data external to SRSS to control FOG session access
6754108 Xnewt utilizes 40% CPU for an existing server on switching to another server on Linux
6754138 utuser deprecated "-k" (and -xdisplay and -tokenid) options should be eliminated
6756504 Sun Ray doesn't know how to handle a request for 2 consecutive tokens from an ASA with RSA back end.
6758164 Left-handed mouse orientation functionality is not working as expected with Xnewt
6760323 Entering any prompting dialog causes locks to be reset

Detailed Installation Steps
---------------------------

1. Suppress firmware downloads

        If the server being patched is not a member of a Sun Ray
        failover group you should skip this step.

        If the server being patched is a member of a Sun Ray failover
        group then this step is optional but is strongly recommended.

        At Patch Installation
        ---------------------

            Before adding this patch to servers configured into a Sun
            Ray failover group we advise that you disable Sun Ray
            firmware delivery from all unpatched hosts in the failover
            group.  On each host in the group:

                For config parameters (.parms) file:

                    $ /opt/SUNWut/sbin/utfwadm -D -a -V

                For dedicated network interconnects:

                    $ /opt/SUNWut/sbin/utfwadm -D -a -n all

                For shared subnetwork interconnects:

                    $ /opt/SUNWut/sbin/utfwadm -D -a -N all

            Do this only one time, before adding this patch to any
            server in the group.

            The purpose of this step is to prevent unpatched servers
            from offering old firmware to Sun Ray appliances.

        At Patch Removal
        ----------------

            Before removing this patch from servers configured into a
            Sun Ray failover group we advise that you disable firmware
            delivery from any hosts in the failover group that have
            this patch installed.  On each already-patched host in the
            group:

                For dedicated network interconnects:

                    $ /opt/SUNWut/sbin/utfwadm -D -a -n all

                For shared subnetwork interconnects:

                    $ /opt/SUNWut/sbin/utfwadm -D -a -N all

                For config parameters (.parms) file:

                    $ /opt/SUNWut/sbin/utfwadm -D -a -V

            Do this only one time, before removing this patch from any
            of the already-patched servers in the group.

            The purpose of this step is to prevent already-patched
            servers from offering new firmware to Sun Ray appliances.

            If this patch is being removed from a Sun Ray failover group
            then omitting this step may result in increased restart
            times for your Sun Ray appliances.  (A mixture of patched
            and unpatched servers advertising conflicting firmware
            versions may cause the appliance to download new firmware
            each time it restarts.  The appliance automatically
            restarts itself after downloading fresh firmware so its
            overall restart cycle is longer in that case.  The
            appliance may restart itself several times before
            establishing or reconnecting to a session.)  The Sun Ray
            restart time will return to normal once the patch has been
            removed from all servers in the failover group.


2. Stopping Sun Ray services and login sessions

        Before the addition or removal of this patch to a Sun Ray server
        all users should be logged out of their Sun Ray sessions.

        Stop the Sun Ray services using the following commands:

                $ /etc/init.d/utstorage stop
                $ /etc/init.d/utsvc stop

        These commands will terminate any Sun Ray sessions that were not
        already logged out.

        Next, use the instructions outlined below in the section
        "Patch Installation Instructions" for the addition or removal
        of this patch.

3. Rebooting the Sun Ray server

        The Sun Ray server must be rebooted after the addition or removal
        of the patch.

4. Enable firmware downloads

        After the addition or removal of this patch on all Sun Ray
        servers in a failover group, enable firmware downloads
        using one of the following methods:

        1) If all Sun Ray servers in the failover group provide default
           (non GUI) firmware downloads run this command on one of the servers:

                $ /opt/SUNWut/sbin/utfwsync

           After which the Sun Ray DTU's will reboot themselves and load
           the new firmware.

        2) If only some of the Sun Ray servers in the failover group provide
           firmware downloads to the DTU's, run the following command
           on the servers that do provide firmware:

           For default (non GUI) firmware.

                For dedicated network interconnects:

                  $ /opt/SUNWut/sbin/utfwadm -A -a -n all

                For shared subnetwork interconnects:

                  $ /opt/SUNWut/sbin/utfwadm -A -a -N all

           For GUI firmware.

                For dedicated network interconnects:

                  $ /opt/SUNWut/sbin/utfwadm -A -a -n all -f \
                    /opt/SUNWut/lib/firmware_gui

                For shared subnetwork interconnects:

                  $ /opt/SUNWut/sbin/utfwadm -A -a -N all -f \
                    /opt/SUNWut/lib/firmware_gui

        3) Upgrading firmware via the config parameter (.parms) file

           For default (non GUI) firmware.

                  $ /opt/SUNWut/sbin/utfwadm -A -a -V

           For GUI firmware.

                  $ /opt/SUNWut/sbin/utfwadm -A -a -V -f \
                    /opt/SUNWut/lib/firmware_gui

           Then restart services on all servers in the failover group by
           executing the following command on a server in the group:

                  $ /opt/SUNWut/sbin/utfwsync -d

Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using 'patchadd' and 'patchrm'
scripts provided with Solaris. Any other special or non-generic installation
instructions should be described below as special instructions. The following
example installs a patch to a standalone machine:

        example# patchadd /var/spool/patch/<patchid-rev>

The following example removes a patch from a standalone system:

        example# patchrm <patchid-rev>

patchadd may give some messages while installing on a system
with zones.  To suppress these messages, the "-G" option can be used.

        example# patchadd -G /var/spool/patch/<patchid-rev>

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
NOTE 1: This patch is for the Sun Ray Core Services 4.1 component
that is part of Sun Ray Server Software 4.1.

NOTE 2: This SRSS patch does not support Live Upgrade.  Please do not
install this patch via live upgrade.

NOTE 3: The DTU firmware delivered in this patch has an increased
downgrade "barrier" of '421' to prevent accidental downgrades to
firmware from earlier releases.  If you wish to revert a unit back to an
earlier release of firmware after upgrading to this version of firmware,
please see the Sun Ray Information Center for information on overriding the
barrier/barrierLevel mechanism.

NOTE 4: The DTU firmware delivered in this patch has the following version
identification string

    4.2_140993-04_2010.08.02.10.41
    GUI4.2_140993-04_2010.08.02.10.41

Required Patches
----------------

Warnings & Errors
-----------------
** WARNING: This patch should only be applied to systems which have
            Sun Ray Server Software 4.1 fully installed.
            Do not attempt to add this patch to the UFS image to be
            applied as part of the install process.

** WARNING: As part of this patch installation, it will update
            the Sun Ray PAM entries in the pam.conf file.  This means
            that your existing Sun Ray configuration in the pam.conf file
            will be overwritten.  However, a backup of the existing
            pam.conf file is copied to /etc/pam.conf.SUNWut.bak during
            patch install, and that backup is removed after patch
            removal.  You may want to manually merge your changes back
            into the pam.conf file.
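
To see what the pam.conf overwrite described in the warning above changed, the following added example (not part of the README or of Sun's tooling) compares /etc/pam.conf.SUNWut.bak with the rewritten /etc/pam.conf and lists the entries that were dropped or introduced. The function names and the sample entries in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the pre-patch pam.conf backup with the file the
# patch wrote. Function names and sample entries are constructed.
# On Solaris 10 set AWK=nawk (or /usr/xpg4/bin/awk): /usr/bin/awk has no
# user-defined functions.
AWK=${AWK:-awk}

# pam_only_in A B: print entries present in file A but absent from file B.
# Comments and blank lines are ignored and runs of blanks are collapsed, so
# re-indented but otherwise identical entries are not reported.
pam_only_in() {
    "$AWK" '
    function norm(s) {
        sub(/#.*/, "", s)             # strip comments
        gsub(/[ \t]+/, " ", s)        # collapse whitespace
        sub(/^ /, "", s); sub(/ $/, "", s)
        return s
    }
    FILENAME == ARGV[1] { e = norm($0); if (e != "") other[e] = 1; next }
    { e = norm($0); if (e != "" && !(e in other)) print e }
    ' "$2" "$1"
}

# Entries the site had before the patch that the new file no longer carries.
pam_dropped() {
    pam_only_in "${1:-/etc/pam.conf.SUNWut.bak}" "${2:-/etc/pam.conf}"
}

# Entries that appear only in the file written by the patch.
pam_added() {
    pam_only_in "${2:-/etc/pam.conf}" "${1:-/etc/pam.conf.SUNWut.bak}"
}

# Demo on constructed files so the script runs on any host.
pam_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '# pam.conf before the patch (constructed sample)' \
        'dtlogin-SunRay  auth     requisite  pam_authtok_get.so.1' \
        'dtlogin-SunRay  auth     required   pam_unix_auth.so.1' \
        'dtlogin-SunRay  account  required   pam_ldap.so.1  # local addition' \
        > "$d/bak"
    printf '%s\n' \
        'dtlogin-SunRay auth requisite pam_authtok_get.so.1' \
        'dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so.1' \
        'dtlogin-SunRay auth required pam_unix_auth.so.1' \
        > "$d/new"
    echo "dropped by the overwrite:"; pam_dropped "$d/bak" "$d/new"
    echo "introduced by the patch:";  pam_added "$d/bak" "$d/new"
    rm -rf "$d"
}

# With two arguments compare real files, otherwise run the demo.
if [ "$#" -eq 2 ]; then
    echo "dropped:"; pam_dropped "$1" "$2"
    echo "added:";   pam_added "$1" "$2"
else
    pam_demo
fi
```

Review the "dropped" list before users log back in: those are the local PAM changes that need merging back by hand.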

Post-Patch Installation Notes:
------------------------------

    Automated Token Importation (ATI)

        A feature has been added in this patch which allows
        controlling session access based on information stored in
        customer data sources.  In addition to man pages delivered
        with this patch, a description has been added to the
        Sun Ray Server Software 4.1 Release Notes available at:
        Solaris: http://docs.sun.com/app/docs/doc/820-3774
        Linux:   http://docs.sun.com/app/docs/doc/820-3775

    Regression fix for Cisco PIX gateways

        The addition of support for the Netscreen family of VPN
        gateways in the SRSS 4.1 release caused the Cisco PIX family of
        VPN gateways to stop working, though ASA and 3000 series
        continue to function correctly. Unfortunately, the fix for this
        requires that the VPN configuration now include an item to
        specify what type of VPN gateway the Sun Ray will be connecting
        to. This configuration can be done using the local GUI tool
        available on the Sun Ray, or through the download of a
        configuration file, using the "Download Configuration" option
        of the GUI tool. A couple of other useful options have been
        added to the VPN configuration, including the PFS group to use,
        the IPsec phase 2 lifetime, and a switch to enable Dead Peer
        Detection. (Dead Peer Detection was also introduced in SRSS 4.1,
        and was on by default. Unfortunately, having it enabled also
        causes the PIX gateways to fail, so it must be disabled for PIX.)

        The new values in the configuration file use these keywords and
        value types:

        vpn.peertype    integer/string  (0 or "cisco" = Cisco,
                                        1 or "netscreen" = Netscreen)
        vpn.pfsgroup    integer         Diffie-Hellman group for Perfect
                                        Forward Secrecy
        vpn.ipsectime   integer         IPsec SA lifetime for phase 2 proposals
                                        in seconds
        vpn.dpdswitch   integer         non-zero -> enable DPD

        Other than the peertype, these values may also be set using the
        "Advanced" submenu of the VPN configuration menu.

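An added example, not from the README: a check of the four vpn.* keys listed above, including the constraint that DPD be off for PIX gateways. It assumes the downloaded configuration file holds one key=value pair per line, which this README does not state; vpn_lint and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: lint the vpn.* keys this README introduces.
# Assumption: the configuration file holds one key=value pair per line.

# vpn_lint FILE: print one finding per line; exit status 1 if any were found.
vpn_lint() {
    awk '
    index($0, "=") == 0 { next }              # not a key=value line
    {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)    # trim blanks and optional quotes
        cfg[key] = val
    }
    END {
        n = 0
        # The PIX fix requires the gateway type to be stated explicitly.
        if (!("vpn.peertype" in cfg))
            msg[++n] = "vpn.peertype: not set; the gateway type must now be specified"
        else {
            pt = tolower(cfg["vpn.peertype"])
            if (pt != "0" && pt != "1" && pt != "cisco" && pt != "netscreen")
                msg[++n] = "vpn.peertype: unknown value " cfg["vpn.peertype"]
        }
        # The other three keys are documented as integers.
        split("vpn.pfsgroup vpn.ipsectime vpn.dpdswitch", ints, " ")
        for (i = 1; i <= 3; i++)
            if ((ints[i] in cfg) && cfg[ints[i]] !~ /^[0-9]+$/)
                msg[++n] = ints[i] ": expected an integer, got " cfg[ints[i]]
        # Non-zero dpdswitch enables DPD, which makes PIX gateways fail.
        cisco = (pt == "0" || pt == "cisco")
        if (cisco && ("vpn.dpdswitch" in cfg) &&
            cfg["vpn.dpdswitch"] ~ /^[0-9]+$/ && cfg["vpn.dpdswitch"] + 0 != 0)
            msg[++n] = "vpn.dpdswitch: DPD is enabled for a Cisco peer; it must be off for PIX"
        for (i = 1; i <= n; i++) print msg[i]
        exit (n > 0)
    }' "$1"
}

# Demo on a constructed file: DPD on, then the corrected setting.
vpn_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' 'vpn.peertype=cisco' 'vpn.pfsgroup=2' \
        'vpn.ipsectime=28800' 'vpn.dpdswitch=1' > "$f"
    echo "as first written:"; vpn_lint "$f" || true
    sed 's/^vpn\.dpdswitch=.*/vpn.dpdswitch=0/' "$f" > "$f.fixed"
    echo "with DPD off:"; vpn_lint "$f.fixed" && echo "no findings"
    rm -f "$f" "$f.fixed"
}

if [ "$#" -eq 1 ]; then vpn_lint "$1"; else vpn_demo; fi
```

The DPD finding fires for any Cisco peer type because the key does not distinguish PIX from ASA or 3000 series gateways; ignore it for those.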
    Keyboard Autorepeat Limitations

        In SRSS 4.1, the Xnewt server could accidentally start autorepeating
        a key under certain circumstances. This patch contains a fix for that,
        but part of that fix includes code that forces the autorepeat "delay"
        parameter to be at least 600ms. Any request to set it lower is ignored.

README -- Last modified date:  Thursday, August 19, 2010



