Patch Name: PHSS_28198

Patch Description: s700_800 11.04 VirtualVault 4.0 NES libproxy fix

Creation Date: 02/11/13

Post Date: 02/12/16

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: VirtualVault A.04.00

Filesets:
    VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP
    VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: No

Category Tags:
    defect_repair general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_28198

Symptoms:
    PHSS_28198:
    When the request is proxied by the outside Netscape server,
    the performance is affected.

    PHSS_27499:
    TGA daemon may exhibit unexpected behavior.

    PHSS_27262:
    VirtualVault Netscape outside server does not give content
    length for missing CGIs.

    PHSS_25662:
    The outside NES server error log contains
    "Error accepting connection,oserr=233 (Insufficient resources)"

    PHSS_25435:
    TGA server cannot communicate with non-chrooted client NSAPI.

    PHSS_25208:
    1) libproxy.so fails to record GET HTTP status and length,
       i.e., access.log shows that GET HTTP status and length are
       not recorded.
    2) Web browser requests going through VirtualVault return
       HTTP 400 error code.

    PHSS_24836:
    Problems proxying cookies with a combination of both lower
    and upper case characters.

    PHSS_23526:
    Problems proxying HTTP 1.1 connection headers.

    PHSS_22296:
    This patch addresses the following problems:
    1) The NSAPI plugin versions of the TGA and the java servlet
       proxy demonstrate high CPU utilization under certain
       conditions.
    2) The predefined Server Application Function
       "get-client-cert" in a server's obj.conf file allows
       client certificates to be passed from the iPlanet Web
       Server to back-end applications for further processing.
       Certain back-end applications incorrectly interpret the
       line feed characters that are embedded in the certificate
       to mean "the end of an HTTP header field".
    3) iPlanet Server has memory leak.
    4) If a customer is running a CGI script that continuously
       sends information every other second, there may be a long
       delay before he gets the response back from the script.

    PHSS_21259:
    The TGA doesn't respond properly after executing a
    nonexistent CGI.

    PHSS_20733:
    1) The TGA configuration did not work for chrooted CGIs
       properly.
    2) The NSAPI was not supporting CGI redirect with URL greater
       than 244 characters in length.

Defect Description:
    PHSS_28198:
    As the TCP_NODELAY option is not enabled for the libproxy
    module of the outside Netscape server, the performance is
    affected.

    Resolution:
    The TCP_NODELAY option is enabled.

    PHSS_27499:
    TGA daemon may exhibit unexpected behavior.

    Resolution:
    Corrected the tgad to function as expected.

    PHSS_27262:
    When a missing CGI is accessed through the outside Netscape
    web server the Content-Length header is not returned because
    libvvtga fails to add the header.

    Resolution:
    A check is introduced to determine if it is a 404 (Not Found)
    response and if so, the Content-Length header is added in the
    response.

    PHSS_25662:
    A tgad configuration entry gw_time_out was introduced with a
    low value causing the tgad processes to not be properly
    utilized.

    Resolution:
    The gw_time_out entry has been removed.

    PHSS_25435:
    If the Chroot directive is commented out (non-chroot
    environment) in magnus.conf, the tgad server will not respond
    to the NSAPI client.

    Resolution:
    1) If the Chroot directive is commented out in magnus.conf,
       the TGA client doesn't send the chroot path over. TGA
       server handles a default condition that no client chroot
       path means to use the file system '/' for chroot path.
    2) Created a configuration variable (gw_tgad_subdir) in the
       tgad.conf file. This variable allows the TGA admin to
       override the default tgad sub directory (/tmp) and choose
       a non-MLD alternative that the client and server can
       share. If the new subdir config variable is not specified
       in the tgad.conf file, default path used is /tmp.
    This new behavior will have no impact whatsoever on any TGA
    configurations currently in existence today.

    PHSS_25208:
    1) libproxy fails to record the correct content-length and
       response-status fields in the outside server.

       Resolution:
       Modify libproxy to correctly record the content-length and
       response-status fields in the outside server access logs.

    2) Garbled http request-headers are not correctly parsed by
       libproxy before sending them to the inside servers.

       Resolution:
       Modify libproxy to correctly parse the garbled incoming
       request headers and send them across to inside servers.

    PHSS_24836:
    Cookies that are passed through the customer's proxy (on
    iPlanet 4.1 sp5) are returned to the browser altered, i.e.,
    missing cookie name, date field truncation, and other
    miscellaneous changes to the cookie. The problem exists only
    when there are uppercase characters in the cookie string.

    Resolution:
    The TGA has been modified so that the characters contained
    within a browser cookie are not changed to lowercase letters.

    PHSS_23526:
    Some HTTP application servers do not properly handle
    "connection" headers in association with HTTP/1.1. Since the
    proxy allows these connection headers through, they can cause
    errors for the application servers. Also, the proxy does not
    send a "connection: close" HTTP header to prevent persistent
    connections.

    Resolution:
    The proxy has been modified to provide the ability to
    automatically downgrade HTTP requests from HTTP/1.1 to
    HTTP/1.0. The proxy has also been modified so that it always
    sends a "connection: close" HTTP header.

    PHSS_22296:
    This patch addresses the following 4 problems:
    1) The NSAPI plugin versions of the TGA and the java servlet
       proxy demonstrate high CPU utilization under certain
       conditions.

       Resolution:
       The TGA and Java servlet proxies are being re-released to
       remove these conditions.
    2) Some applications incorrectly interpret HTTP header fields
       with embedded line feeds (a LF, as opposed to the standard
       header field-ending CRLF combination). The iPlanet Web
       Server correctly encodes a client certificate in the
       auth-cert portion of the request with embedded linefeeds,
       but downstream applications may interpret the resulting
       header as a series of improperly constructed request
       headers.

       Resolution:
       Since multiple applications may make this mistake, the iWS
       libproxy module is an acceptable location to remove the
       embedded linefeeds from the client certificate header, and
       removal of the linefeeds does not compromise header or
       certificate integrity.

    3) iPlanet Server has memory leak.

       Resolution:
       Free up allocated memory.

    4) Some CGI programs are not working properly.

       Resolution:
       NSAPI now takes care of small chunks of data.

    PHSS_21259:
    If a user tries to execute a cgi program that doesn't exist,
    the server responds with 404 Not Found as it should. After
    that the server starts responding "500 Server Error" to a lot
    of existing cgi requests.

    The server error log:
    : for host .... trying to GET /cgi-bin/cgi, vvtga_log
    reports: ERROR: setup_connection(): Failed to transfer
    execution message to slave TGA daemon on /tmp/tga.1979

    If the user configures an invalid cgi in tgad.conf (there is
    no cgi with that name in the real cgi directory), the user
    never sees the problem.

    Resolution:
    The TGA is being re-released to respond to this problem.

    PHSS_20733:
    1) The TGA configuration did not work under chrooted CGIs
       properly. The chroot directive in tgad.conf file is not
       working. We get an error message from tgad saying that it
       can't execute the program. Refer to SR 8606125743 for more
       detail.

       The tgad.log from the working machine:

           LEVEL = 3
           DATE = Wed Dec 15 10:42:48 1999
           AUDIT :
           Program entry used: */c
           Environment entry used: cgi
           Mapped pathname: /cgi/cgi
           Message: Executing cgi program '/cgi/c'.
       And from the other:

           LEVEL = 3
           DATE = Wed Dec 15 18:59:30 1999
           AUDIT :
           Program entry used: */c
           Environment entry used: cgi
           Mapped pathname: /cgi/cgi
           Message: Could not execute /cgi/cgi

    2) A NES NSAPI function did not support a URL with more than
       244 characters for 302 redirects.

    Resolution:
    1) The TGA configuration interface now supports chrooted CGIs
       properly. The TGA daemon performs the access check after
       the chroot call.
    2) The NES NSAPI function parameters were modified to allow
       CGI redirects with URLs greater than 244 characters in
       length.

Enhancement: No

SR:
    8606286672 8606269303 8606257653 8606226219 8606218828
    8606217540 8606213876 8606183510 8606160635 8606160608
    8606157837 8606155741 8606131390 8606125743 8606123993

Patch Files:
    VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /opt/vaultTS/lib/libproxy.so
    /opt/vaultTS/lib/libvvtga.so

    VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /tcb/lib/tgad
    /opt/vaultTS/lib/libvv.sl

what(1) Output:
    VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /opt/vaultTS/lib/libproxy.so:
        $Source: src/misc/nsapi/proxy/proxy.c, vaultNES, vaultNES_4.0 $ $Date: 02/11/14 03:55:06 $ $Revision: 1.8.1.19 PATCH_11.04 (PHSS_28198) $
    /opt/vaultTS/lib/libvvtga.so:
        @(#)98 1.28.1.21 src/gateway/cgi2/nsapi/tgansapi.c, vaultNES, vaultNES_4.0 06/13/02 03:12:44 VVOS 11.04 PHSS_27262
        97 1.14.1.2 src/gateway/cgi2/nsapi/env.c, vaultNES, vaultNES_4.0 09/01/99 11:23:32
        95 1.13 src/gateway/cgi2/nsapi/argv.c, vaultNES, vaultNES_4.0 06/30/98 18:02:06
        65 1.10 src/gateway/cgi2/nsapi/log.c, vaultNES, vaultNES_4.0 02/15/00 13:47:23
        src/gateway/cgi2/nsapi/cgi-audit.c, vaultNES, vaultNES_4.0 1.8 02/15/00
        93 1.13.3.1 src/gateway/cgi2/iolib/io.c, vaultTS, vaultTS_4.0, A.04.00.C 06/24/99 11:25:56

    VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /tcb/lib/tgad:
        70 1.13.2.1 src/gateway/cgi2/daemon/communications.c, vaultTS, vaultTS_4.0 03/22/01 09:34:36
        $Source: src/gateway/cgi2/daemon/configuration.c, vaultTS, vaultTS_4.0 $ $Date: 01/12/18 04:41:47 $ $Revision: 1.10.1.8 PATCH_11.04 (PHSS_25662) $
        $Source: src/gateway/cgi2/daemon/execute.c, vaultTS, vaultTS_4.0 $ $Date: 02/07/24 06:49:23 $ $Revision: 1.17.2.14 PATCH_11.04 (PHSS_27499) $
        $Source: src/gateway/cgi2/daemon/gwconf.c, vaultTS, vaultTS_4.0 $ $Date: 01/12/18 04:44:13 $ $Revision: 1.17.1.4 PATCH_11.04 (PHSS_25662) $
        HP VirtualVault, tgad, revision A.04.00
        $Source: src/gateway/cgi2/daemon/main.c, vaultTS, vaultTS_4.0 $ $Date: 01/12/18 06:02:46 $ $Revision: 1.20 PATCH_11.04 (PHSS_25662) $
        src/lib/swp/setlocale.c, vaultTS, vaultTS_4.0 1.1 09/29/97
        $Source: lib/libsecalarm/app_audit.c, libsecalarm, vvos_rose, rose0082 $ $Date: 99/06/03 11:09:42 $ $Revision: 1.7 PATCH_11.04 (PHCO_18729) $
        $Source: lib/libsecurity/auditdb.c, libsecurity_audit, vvos_rose, rose0227 $ $Date: 01/08/23 16:33:10 $ $Revision: 1.14.2.2 PATCH_11.04 (PHCO_24852) $
        $ PATCH/11.00:PHCO_24148 May 25 2001 08:03:42 $
    /opt/vaultTS/lib/libvv.sl:
        src/lib/vv/vvauth.c, vaultTS, vaultTS_4.0 1.1 06/30/98
        src/lib/vv/vvpriv.c, vaultTS, vaultTS_4.0 1.1 06/30/98
        src/lib/vv/vvlabel_vvos.c, vaultTS, vaultTS_4.0 1.2 11/06/98
        src/lib/vv/vvpriv_vvos.c, vaultTS, vaultTS_4.0 1.1 06/30/98
        14 1.9 src/lib/vv/vvfile_vvos.c, vaultTS, vaultTS_4.0 11/19/98 19:06:31
        48 1.5 src/lib/vv/vvlabel.c, vaultTS, vaultTS_4.0 11/19/98 13:07:36
        src/lib/vv/vvaudit.c, vaultTS, vaultTS_4.0 1.2 11/16/98
        src/lib/vv/vvutil.c, vaultTS, vaultTS_4.0 1.1 06/30/98
        13 1.8 src/lib/vv/vvfile.c, vaultTS, vaultTS_4.0 11/24/98 20:18:25
        src/lib/vv/vvauth_vvos.c, vaultTS, vaultTS_4.0 1.3 07/10/98
        @(#)17 1.4.1.3 vvaudit_vvos.c, vaultTS, vaultTS_4.0 09/20/00 10:41:08 VVOS 11.04 PHSS_22296

cksum(1) Output:
    VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    2895076215 20518 /opt/vaultTS/lib/libproxy.so
    3456681757 57470 /opt/vaultTS/lib/libvvtga.so

    VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    533366240 974420 /tcb/lib/tgad
    2350911999 41134 /opt/vaultTS/lib/libvv.sl

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_20733 PHSS_21259 PHSS_22296 PHSS_23526 PHSS_24836
    PHSS_25208 PHSS_25435 PHSS_25662 PHSS_27262 PHSS_27499

Equivalent Patches:
    PHSS_28199:
    s700: 11.04
    s800: 11.04

    PHSS_28200:
    s700: 11.04
    s800: 11.04

Patch Package Size: 1120 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

            cd /tmp
            sh PHSS_28198

    5. Run swinstall to install the patch:

            swinstall -x autoreboot=true -x patch_match_target=true \
                      -s /tmp/PHSS_28198.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_28198. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

            -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please
             be careful when using this feature.
    For future reference, the contents of the PHSS_28198.text
    file are available in the product readme:

            swlist -l product -a readme -d @ /tmp/PHSS_28198.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

            dd if=/tmp/PHSS_28198.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    PHSS_25662:
    An update to the tgad.conf configuration file is required to
    use the non-chrooted tgad feature. Insert the gw_tgad_subdir
    variable and its value in the Server Global Configuration
    part.

    Example:

            config:gw_type=server:gw_uid#57:gw_gid#58:\
                :gw_sl=SYSTEM INSIDE:\
                :gw_tgad_subdir=/mysubdir/sub_one:\
                :gw_log@:\
                :gw_log_file=/tcb/files/tgad.log:chkent:
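
A post-install check against the cksum(1) Output field above, as an added example that is not part of the HP patch text: it compares each installed file's CRC and size with the published values and reports missing or mismatched files. The function names and the optional ROOT prefix are assumptions of this example; cksum(1) is a CRC, so a match confirms a complete install rather than proving the files are untampered.

```shell
#!/bin/sh
# Expected values copied from the "cksum(1) Output" field of this patch text.
page_manifest() {
    cat <<'EOF'
VaultNES.NES-VAULT,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
2895076215 20518 /opt/vaultTS/lib/libproxy.so
3456681757 57470 /opt/vaultTS/lib/libvvtga.so
VaultTS.VV-CORE-CMN,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
533366240 974420 /tcb/lib/tgad
2350911999 41134 /opt/vaultTS/lib/libvv.sl
EOF
}

# verify_cksum [ROOT] < manifest
# Reads "<crc> <size> <path>" lines on stdin and compares each with cksum(1)
# of ROOT<path>. ROOT is an assumed optional prefix for checking a mounted
# copy of the filesystem; empty means the live system.
verify_cksum() {
    root=${1:-}
    bad=0
    while read -r want_crc want_size path; do
        # Fileset headers and blank lines do not start with a numeric CRC.
        case $want_crc in
            ''|*[!0-9]*) continue ;;
        esac
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"
            bad=$((bad + 1))
            continue
        fi
        got=$(cksum < "$file")      # "<crc> <size>" when reading stdin
        got_crc=${got%% *}
        got_size=${got#* }
        got_size=${got_size%% *}
        if [ "$got_crc" = "$want_crc" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (expected $want_crc $want_size, got $got_crc $got_size)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Check the live system only when asked: sh verify.sh --installed
if [ "${1:-}" = "--installed" ]; then
    page_manifest | verify_cksum
fi
```

A non-zero exit status means at least one file is missing or differs from the published CRC or size.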