Patch Name: PHNE_30432

Patch Description: s700_800 11.11 ftpd(1M) and ftp(1) patch

Creation Date: 04/03/19

Post Date: 04/05/18

Hardware Platforms - OS Releases:
    s700: 11.11
    s800: 11.11

Products: N/A

Filesets:
    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP
    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No

Category Tags:
    defect_repair general_release manual_dependencies

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_30432

Symptoms:
    PHNE_30432:
    1.  JAGad94086/SR8606224998
        Although Secure Internet Services (SIS) is disabled on the
        server system using the "inetsvcs_sec" command, ftpd
        continues to use the Kerberos authentication.

    2.  JAGad93309/SR8606224214
        In the Secure Internet Services (SIS) environment, ftp does
        not use normal authentication if Kerberos authentication
        with the remote server fails.

    3.  JAGad69020/SR8606199834
        In the Secure Internet Services (SIS) environment, HP-UX ftp
        client fails to connect to the Sun Solaris ftp server.

    PHNE_29461:
    1.  JAGae85593/SR8606323128.
        Under certain conditions ftpd does not work properly.

    2.  JAGae69021/SR8606305973.
        ftp generates an incorrect transfer report while storing
        files of size more than 2 GB.

    3.  JAGae58493/SR8606294799.
        'get' command of ftp does not function properly.

    PHNE_27765:
    1.  JAGae36908/SR8606272801.
        ftp does not audit login activities properly.

    2.  JAGae21322/SR8606257010.
        In an FTP session, when the command "ls" is executed with
        the pathname of any file followed by "/.", FTP displays the
        long listing of the file instead of displaying the error
        message "not found". For instance, when "ls /etc/passwd/."
        is issued in an FTP session, the long listing of the file
        "/etc/passwd" is displayed.

    PHNE_23950:
    1.  JAGad62651/SR8606193439.
        ftpd does not function properly for some commands.

Defect Description:
    PHNE_30432:
    1.  JAGad94086/SR8606224998
        Before using the Kerberos authentication, ftpd does not
        check whether SIS is enabled on the system.

        Resolution:
        * ftpd now checks whether SIS is enabled on the system
          before using the Kerberos authentication.

    2.  JAGad93309/SR8606224214
        If the remote server does not support Kerberos
        authentication, ftp from a Kerberized client fails instead
        of falling back to the normal mode of authentication.

        Resolution:
        * A new option "fallback" has been provided in the krb5.conf
          file. If this option is set to "true", ftp uses the normal
          mode of authentication if the Kerberos authentication
          fails.

    3.  JAGad69020/SR8606199834
        HP-UX ftp client fails to connect to the Sun Solaris ftp
        server because the HP-UX ftp client uses the
        gss_mech_krb5_old GSSAPI mechanism, which is not supported
        by Sun Solaris.

        Resolution:
        * As an alternative to the gss_mech_krb5_old GSSAPI
          mechanism, the HP-UX ftp client has been modified to use
          the GSS_C_NULL_OID GSSAPI mechanism, which is supported by
          Sun Solaris, too.

    PHNE_29461:
    1.  JAGae85593/SR8606323128.
        Under certain conditions ftpd does not work properly.

        Resolution:
        * Code has now been modified to rectify the problem.

    2.  JAGae69021/SR8606305973.
        When ftp is used to store files of size more than 2 GB, the
        return type of the system call, sendfile(), used in the data
        transfer was incorrect. Therefore, ftp generated an
        incorrect report of the number of bytes transferred to the
        remote host.

        Resolution:
        * ftp now generates a correct report of the number of bytes
          transferred.

    3.  JAGae58493/SR8606294799.
        'get' command of ftp does not function properly.

        Resolution:
        * Code changes have been made to fix the problem.

    PHNE_27765:
    1.  JAGae36908/SR8606272801.
        ftp does not log all the login failures into the audit log
        file. Also, the audit message in the audit log file does not
        contain the user name and audit id.

        Resolution:
        * ftpd code has been modified to audit login activities in
          all the failure cases of login. The audit message now
          contains the user name and audit id, along with other
          information.

    2.  JAGae21322/SR8606257010.
        The trailing pattern "/." in the pathname is ignored by the
        function which handles the malformed pathnames. This causes
        the "ls" command to misinterpret the pathname.

        Resolution:
        * Code has been modified to ensure that the trailing pattern
          "/." in the pathname is not ignored, and "ls" command
          identifies the pathname properly.

    PHNE_23950:
    1.  JAGad62651/SR8606193439.
        ftpd does not function properly for some commands.

        Resolution:
        * Code changes have been made to fix the problem.

Enhancement: No

SR:
    8606224998 8606224214 8606199834 8606323128 8606305973
    8606294799 8606272801 8606257010 8606193439

Patch Files:
    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/lbin/ftpd
        /usr/bin/ftp

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        /usr/share/man/man1.Z/ftp.1

what(1) Output:
    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    /usr/lbin/ftpd:
        $Id: ftpd.c,v 1.22 1996/04/15 05:51:04 sob Exp sob $ based on ftpd.c 5.40 (Berkeley) 7/2/91
        Copyright (c) 1985, 1988, 1990 Regents of the University of California.
        $Id: ftpcmd.y,v 1.8 1996/03/15 06:26:20 sob Exp $ based on ftpcmd.y 5.24 (Berkeley) 2/25/91
        $Id: glob.c,v 1.6 1996/03/16 04:00:06 sob Exp $ from glob.c 5.9 (Berkeley) 2/25/91
        popen.c 5.9 (Berkeley) 2/25/91
        $Id: logwtmp.c,v 1.7 1995/10/15 06:35:17 sob Exp $
        logwtmp.c 5.7 (Berkeley) 2/25/91
        $Id: access.c,v 1.8 1996/03/15 07:29:08 sob Exp $
        $Id: extensions.c,v 1.16 1996/03/15 06:26:20 sob Exp $
        $Id: realpath.c,v 1.7 1996/03/15 08:15:56 sob Exp $
        $Id: private.c,v 1.6 1995/12/11 09:20:19 sob Exp $
        Revision 1.1.214.4(PHNE_30432) Thu Feb 26 10:46:14 GMT 2004
    /usr/bin/ftp:
        Copyright (c) 1985, 1989 Regents of the University of California.
        Revision 1.1.214.5(PHNE_30432) Thu Feb 26 10:45:48 GMT 2004

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
    /usr/share/man/man1.Z/ftp.1:
        None

cksum(1) Output:
    InternetSrvcs.INETSVCS-RUN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        710846513 151552 /usr/lbin/ftpd
        3399067981 114688 /usr/bin/ftp

    InternetSrvcs.INET-ENG-A-MAN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP:
        80462678 11690 /usr/share/man/man1.Z/ftp.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies:
    The defect fix for SR 8606224214 (JAGad93309) requires that the
    Web release version of "PAM-Kerberos and Kerberos Support for
    HP-UX and DCE" Product Bundle (J5849AA - revision B.11.11.13 or
    later) be installed with this patch.

    The Web release version of "PAM-Kerberos and Kerberos Support
    for HP-UX and DCE" Product Bundle (J5849AA) is available from:

        http://www.software.hp.com

Supersedes:
    PHNE_23950 PHNE_27765 PHNE_29461

Equivalent Patches: None

Patch Package Size: 180 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHNE_30432

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHNE_30432.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHNE_30432. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed,
             the patch cannot be deinstalled. Please be careful
             when using this feature.

    For future reference, the contents of the PHNE_30432.text file is
    available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHNE_30432.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHNE_30432.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    The previous implementation of the ftp client on HP-UX 11.11
    used the KRB5 beta 4 (gss_mech_krb5_old) GSSAPI mechanism,
    which was not supported by Sun. This patch provides a modified
    ftp client that is interoperable with the Sun ftp server in the
    Secure Internet Services (SIS) mode. This is accomplished by
    using the GSS_C_NULL_OID GSSAPI mechanism. As a result, the ftp
    client provided in this patch no longer can interoperate with
    the HP-UX 10.20 ftp server in SIS mode as HP-UX 10.20 ftp
    server uses the KRB5 beta 4 GSSAPI mechanism.

    Additional information on this behavior change may be found
    in Service Request 8606199834 (JAGad69020).
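
Added example (not part of the HP patch text): a POSIX sh helper that checks installed files against "CRC SIZE PATH" lines in the layout of the cksum(1) Output section above. The function names and the optional ROOT prefix are assumptions of this example; the three checksum lines are the ones listed in this patch text.

```shell
#!/bin/sh
# Added example, not HP code. Function names are hypothetical.

# Print the "CRC SIZE PATH" lines from the cksum(1) Output section.
phne_30432_manifest() {
    cat <<'EOF'
710846513 151552 /usr/lbin/ftpd
3399067981 114688 /usr/bin/ftp
80462678 11690 /usr/share/man/man1.Z/ftp.1
EOF
}

# verify_cksum_manifest MANIFEST [ROOT]
# Compare each listed file (ROOT is prepended to the path) with cksum(1).
# Prints one status line per file; returns 0 only if every file matches.
verify_cksum_manifest() {
    manifest=$1
    root=${2:-}
    rc=0
    while read -r want_crc want_size path || [ -n "$want_crc" ]; do
        # Skip blank lines, comments and fileset headers: the first
        # field of a checksum line is all digits.
        case $want_crc in
            ''|*[!0-9]*) continue ;;
        esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # Read from stdin so cksum prints only "CRC SIZE".
        set -- $(cksum < "$file")
        if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $1 $2, want $want_crc $want_size)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}
```

On the patched system, write the manifest with `phne_30432_manifest > /tmp/PHNE_30432.cksum` and run `verify_cksum_manifest /tmp/PHNE_30432.cksum`. A match confirms the PHNE_30432 file versions are in place; cksum is a CRC, so it is not evidence against deliberate tampering.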