Patch Name: PHNE_28841

Patch Description: s700_800 11.11 telnet kernel, telnetd(1M), telnet(1) patch

Creation Date: 04/03/17

Post Date: 04/05/19

Hardware Platforms - OS Releases:
    s700: 11.11
    s800: 11.11

Products: N/A

Filesets:
    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP
    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP
    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: Yes
    PHNE_28841: ABORT
    PHNE_24829: MEMORY_LEAK
    PHNE_24131: MEMORY_LEAK
        Memory leak in telnetd

Category Tags:
    defect_repair enhancement general_release critical
    halts_system memory_leak manual_dependencies

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_28841

Symptoms:
    PHNE_28841:
    SR 8606199877 / CR JAGad69063
    1. telnet, in the Secure Internet Services environment, fails
       to forward credentials when KDC is Windows 2000, and the
       user is a member of a large number of groups in the KDC.
       In some cases, telnet may dump core when the credential
       size is large.

    SR 8606267498 / CR JAGae31740
    2. telnetd replies to TELNET NOP sequence.

    SR 8606224447 / CR JAGad93535
    3. In Secure Internet Services(SIS) environment, telnet does
       not read default SIS options specified in the
       [appdefaults] section of krb5.conf file.

    SR 8606224214 / CR JAGad93309
    4. In Secure Internet Services(SIS) environment, telnet does
       not use normal authentication if Kerberos authentication
       with the remote server fails.

    SR 8606248696 / CR JAGae15094
    5. telnetd exits when the telnet client sends an IAC sequence
       (authentication option) with NULL authentication type.

    SR 8606224774 / CR JAGad93862
    6. Credential cache file created by PAM Kerberos is not
       cleaned up when telnetd exits.

    PHNE_24829:
    SR 8606212875 / CR JAGad82062
    1. Buffer handling in telnetd needs to be enhanced.

    SR 8606212874 / CR JAGad82061
    2. Telnetd has a service issue.

    SR 8606220839 / CR JAGad89975
    3. Incorrect records might be written into /etc/utmpx by
       telnetd when it exits.

    SR 8606230839 / CR JAGae00077
    4. Credential forwarding to telnetd fails in DCE environment.

    SR 8606238651 / CR JAGae07675
    5. If telnet is invoked with the "-f" or "-F" option or using
       the TACACS mechanism, the TERM environment variable may
       not be set.

    SR 8606232804 / CR JAGae02032
    6. Provide a command line option in telnetd to close the
       telnet connection when "stty 0" command is executed.

    SR 8606231734 / CR JAGae00970
    7. IPv6 connection might be closed by telnetd(1M).

    SR 8606236626 / CR JAGae05679
    8. Memory leak in telnet multiplexor.

    SR 8606261511 / CR JAGae25830
    9. Use of malloc(3C) in telnetd signal handler.

    PHNE_24131:
    SR 8606182980 / CR JAGad52196
    1. telnetd does not close the connection when stty 0 is
       executed.

    SR 8606176054 / CR JAGad45294
    2. Memory leak as telnetd does not manage telnet queues
       properly.

    SR 8606157405 / CR JAGad26736
    3. telnet daemon sets the pty speed to 0 if the telnet client
       speed is > 38400

    SR 8606114446 / CR JAGac29210
    4. telnet hangs with "Reflection1", a terminal emulation
       software used by Windows telnet client when displaying
       large files.

    SR 8606188928 / CR JAGad58144
    5. While transferring huge amount of data at high speed,
       telnetd adds extra null characters to the byte stream
       thereby breaking the application.

    SR 8606174421 / CR JAGad43667
    6. Enhancement to telnet to work in IPv6 environment.

Defect Description:
    PHNE_28841:
    SR 8606199877 / CR JAGad69063
    1. Description:
       When the user is a member of a large number of groups in
       KDC, the user's credentials will be large. When the size
       of the user's credentials exceeds 1024 bytes, telnet fails
       to forward these credentials. A large credential size
       could also lead to failure of the Kerberos authentication.

       Resolution:
       Now telnet handles credentials with size up to 4096 bytes.
       If the credential size exceeds 4096 bytes it will be
       truncated to 4096 bytes and if authentication debugging
       (toggle authdebug) is enabled on the telnet client, the
       following message will be displayed :

           Kerberos credentials exceeded buffer size, truncating...

    SR 8606267498 / CR JAGae31740
    2. Description:
       telnetd does not handle the TELNET NOP sequence properly.

       Resolution:
       telnetd now handles the TELNET NOP sequence properly.

    SR 8606224447 / CR JAGad93535
    3. Description:
       In Secure Internet Services(SIS) environment, telnet does
       not read default SIS options specified in the
       [appdefaults] section of krb5.conf file.

       Resolution:
       telnet now reads the default SIS options specified in the
       [appdefaults] section in the krb5.conf file.

    SR 8606224214 / CR JAGad93309
    4. Description:
       telnet does not fall back to normal authentication if
       Kerberos authentication with remote server fails.

       Resolution:
       If the "fallback" option is set to "true" in the
       [appdefaults] section in the krb5.conf file, telnet uses
       normal authentication if the Kerberos authentication
       fails.

    SR 8606248696 / CR JAGae15094
    5. Description:
       telnetd does not fall back to normal authentication mode
       when the client sends an IAC sequence with NULL
       authentication type.

       Resolution:
       If the "-f" option is specified with telnetd in
       /etc/inetd.conf file, telnetd uses normal authentication
       on receiving an IAC sequence with NULL authentication type
       from the client.

    SR 8606224774 / CR JAGad93862
    6. Description:
       If the system is configured to use PAM Kerberos for
       authentication, a credential cache file will be created.
       This cache file is not cleaned up when telnetd exits.

       Resolution:
       Now telnetd cleans up the credential cache file before
       exiting.

    PHNE_24829:
    SR 8606212875 / CR JAGad82062
    1. Description:
       Buffer handling in telnetd needs to be enhanced.

       Resolution:
       Code changes have been made to fix it.

    SR 8606212874 / CR JAGad82061
    2. Description:
       Telnetd has a service issue.

       Resolution:
       Code changes have been made to fix it.

    SR 8606220839 / CR JAGad89975
    3. Description:
       telnetd might write a duplicate record into /etc/utmpx
       when the _pututline() API is interrupted by a signal.

       Resolution:
       Signals are blocked before calling _pututline() and
       enabled after it returns.

    SR 8606230839 / CR JAGae00077
    4. Description:
       k5dcelogin expects the environment variable KRB5CCNAME to
       be set by telnetd. But telnetd passes the KRB5CCNAME
       variable only in the argument list of the execl(2) and not
       in the environment list.

       Resolution:
       KRB5CCNAME is now passed in the environment list, in
       addition to the argument list, thereby forwarding the
       credentials properly.

    SR 8606238651 / CR JAGae07675
    5. Description:
       telnetd execs login with improperly ordered arguments due
       to which the TERM environment variable, if present, is
       ignored by login.

       Resolution:
       The arguments are now passed in the correct order.

    SR 8606232804 / CR JAGae02032:
    6. Description:
       Provide a command line option in telnetd to close the
       telnet connection when "stty 0" command is executed.

       Resolution:
       A command line option, "-y", has been provided in telnetd
       to close the telnet connection when "stty 0" command is
       executed. Refer to man page telnetd(1M) for more
       information.

    SR 8606231734 / CR JAGae00970
    7. Description:
       IPv6 enabled telnetd closes the connection if the IPv6
       client negotiates for environment option.

       Resolution:
       Now it would not close the connection, but flash an
       appropriate error message.

    SR 8606236626 / CR JAGae05679:
    8. Description:
       Only the first message block of the STREAMS message was
       freed in telnet multiplexor. The remaining message blocks
       in the STREAMS message cause a memory leak.

       Resolution:
       All the message blocks of the STREAMS message are now
       freed.

    SR 8606261511 / CR JAGae25830
    9. Description:
       malloc(3C) is called inside a signal handler in telnetd.

       Resolution:
       Calls to malloc(3C) have been removed from the signal
       handler.

    PHNE_24131:
    SR 8606182980 / CR JAGad52196
    1. Setting stty 0 results in zero byte msgblk which was
       ignored.

       Resolution:
       stty 0 results in zero byte msgblk which is now processed
       to close the telnet connection.

    SR 8606176054 / CR JAGad45294
    2. If the connection is closed while telnet is doing option
       negotiation, memory is not freed.

       Resolution:
       Code has been modified to free memory whenever connection
       is closed.

    SR 8606157405 / CR JAGad26736
    3. If any telnet client requests for baud rate > 38400, the
       telnet daemon resets the baud rate value to zero.

       Resolution:
       If any request for Baud rate is received, which is greater
       than the maximum, i.e. 38400, then the telnet daemon resets
       the Baud rate value to the default value instead of
       setting it to zero.

    SR 8606114446 / CR JAGac29210
    4. While displaying large files using "Reflection1", a
       terminal emulation software, the telnet connection hangs.

       Resolution:
       Flow control has been properly enabled which solved this
       problem.

    SR 8606188928 / CR JAGad58144
    5. While transferring the byte stream at a high speed, the
       character 0x0d which is not followed by 0x0a is appended
       with multiple 0x0 characters.

       Resolution:
       Handling of flow control has been modified to solve this
       problem.

    SR 8606174421 / CR JAGad43667
    6. Enhancements to telnet to work in the IPv6 environment.

       Resolution:
       telnetd and telnet code has been enhanced so that they
       will work in the IPv6 environment.

Enhancement: No (superseded patches contained enhancements)
    PHNE_24131:
    This patch contains IPv6 enhancements for telnet and telnetd.

SR:
    8606182980 8606176054 8606157405 8606114446 8606188928
    8606174421 8606212875 8606212874 8606220839 8606230839
    8606238651 8606232804 8606231734 8606236626 8606261511
    8606199877 8606267498 8606224447 8606224214 8606248696
    8606224774

Patch Files:
    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP:
        /usr/conf/lib/libtelnet.a

    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP:
        /usr/conf/lib/libtelnet.a

    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/lbin/telnetd
        /usr/bin/telnet

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/share/man/man1m.Z/telnetd.1m
        /usr/share/man/man1.Z/telnet.1

what(1) Output:
    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP:
        /usr/conf/lib/libtelnet.a:
            str_telnet.c: PHNE_28841

    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP:
        /usr/conf/lib/libtelnet.a:
            str_telnet.c: PHNE_28841

    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/lbin/telnetd:
            Copyright (c) 1983, 1986 Regents of the University of California.
            Patch ID: PHNE_28841

    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/bin/telnet:
            Revision 1.1.214.3 PHNE_28841 Tue Feb 24 11:01:55 GMT 2004
            Copyright (c) 1988 Regents of the University of California.

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/share/man/man1m.Z/telnetd.1m:
            None

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/share/man/man1.Z/telnet.1:
            None

cksum(1) Output:
    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP:
        593518272 35220 /usr/conf/lib/libtelnet.a

    Networking.NET2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP:
        2369505734 65050 /usr/conf/lib/libtelnet.a

    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        2673141343 98304 /usr/lbin/telnetd

    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        2143699622 110592 /usr/bin/telnet

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        3296623510 6406 /usr/share/man/man1m.Z/telnetd.1m

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        284894807 9352 /usr/share/man/man1.Z/telnet.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies:
    The defect fixes for SR 8606224774 (JAGad93862),
    SR 8606224214 (JAGad93309) and SR 8606224447 (JAGad93535)
    require that the Web release version of "PAM-Kerberos and
    Kerberos Support for HP-UX and DCE" Product Bundle
    (J5849AA - revision B.11.11.13 or later) be installed with
    this patch.

    The Web release version of "PAM-Kerberos and Kerberos
    Support for HP-UX and DCE" Product Bundle (J5849AA) is
    available from:

        http://www.software.hp.com/

    The solution to SR 8606174421 / CR JAGad43667 will work only
    when IPv6 stack is installed.

Supersedes:
    PHNE_24131 PHNE_24829

Equivalent Patches: None

Patch Package Size: 190 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

           cd /tmp
           sh PHNE_28841

    5. Run swinstall to install the patch:

           swinstall -x autoreboot=true -x patch_match_target=true \
               -s /tmp/PHNE_28841.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHNE_28841. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

           -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please
             be careful when using this feature.

    For future reference, the contents of the PHNE_28841.text
    file is available in the product readme:

           swlist -l product -a readme -d @ /tmp/PHNE_28841.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

           dd if=/tmp/PHNE_28841.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    PHNE_24829 contains a fix for the telnetd code defect
    described in SR: 8606220839 (JAGad89975) - telnetd writes to
    the wrong entry in /etc/utmpx on logout.

    Although the SR: 8606220839 (JAGad89975) fix will prevent any
    further corruption of /etc/utmpx(4), installing PHNE_24829
    will not correct any existing corruption in the /etc/utmp(4)
    or /etc/utmpx(4) files.

    Therefore if you are installing PHNE_24829 to fix the
    SR: 8606220839 (JAGad89975) defect, to completely resolve the
    problem you must also ensure that the /etc/utmp and
    /etc/utmpx files are cleared of any previous corruption
    caused by this defect.

    The /etc/utmp and /etc/utmpx files may be cleared using the
    following procedure:

    Before installing PHNE_24829 insert two lines into the
    /etc/inittab(4) file as follows, then save /etc/inittab and
    continue the PHNE_24829 patch installation.

        init:3:initdefault:
        utm1::sysinit:> /etc/utmp  # clear current logon \
                                     accounting files
        utm2::sysinit:> /etc/utmpx # clear current login \
                                     accounting files

    After PHNE_24829 is installed and the system rebooted, you
    may delete the above two entries from /etc/inittab or retain
    them. In the latter case, /etc/utmp and /etc/utmpx will be
    cleared every time the system is rebooted.

    NOTE: The above steps are only required if the problem
          described in SR: 8606220839 (JAGad89975) exists on the
          system where PHNE_24829 is being installed.
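
An added example, not part of the HP patch text: a POSIX shell function that checks installed files against the values in the cksum(1) Output section above. The function name verify_manifest and its optional ROOT argument are assumptions made for this example; because libtelnet.a is listed once per kernel fileset (32-bit and 64-bit), a path passes if either listed value matches.

```shell
#!/bin/sh
# Added example: compare cksum(1) results for installed files with a
# manifest of "CRC SIZE PATH" lines.

# Values copied from the cksum(1) Output section of this patch text.
PHNE_28841_MANIFEST='593518272 35220 /usr/conf/lib/libtelnet.a
2369505734 65050 /usr/conf/lib/libtelnet.a
2673141343 98304 /usr/lbin/telnetd
2143699622 110592 /usr/bin/telnet
3296623510 6406 /usr/share/man/man1m.Z/telnetd.1m
284894807 9352 /usr/share/man/man1.Z/telnet.1'

# verify_manifest MANIFEST_TEXT [ROOT]
# ROOT (hypothetical parameter) is prepended to every path so that a
# mounted or copied file tree can be checked instead of the live system.
# Prints one status line per path; returns 0 only if every path matched.
verify_manifest() {
    manifest=$1
    root=${2:-}
    rc=0
    # Each path is checked once, even when it is listed twice.
    paths=$(printf '%s\n' "$manifest" | awk 'NF==3 {print $3}' | sort -u)
    for p in $paths; do
        if [ ! -f "$root$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        # Reading from stdin keeps the file name out of cksum's output.
        actual=$(cksum < "$root$p" | awk '{print $1, $2}')
        # Accept the file if any manifest entry for this path matches.
        if printf '%s\n' "$manifest" |
            awk -v p="$p" -v a="$actual" \
                'NF==3 && $3==p && ($1 " " $2)==a {ok=1} END {exit !ok}'
        then
            echo "OK       $p"
        else
            echo "MISMATCH $p (got $actual)"; rc=1
        fi
    done
    return $rc
}

# On the patched host: verify_manifest "$PHNE_28841_MANIFEST"
```

A MISMATCH or MISSING line after installation means the file on disk is not the one this patch delivers, for example because a later patch replaced it or the install did not complete.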