Patch Name: PHSS_31827

Patch Description: s700_800 11.04 Virtualvault 4.5 IWS Update

Creation Date: 04/08/24

Post Date: 04/08/30

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: Virtualvault A.04.50

Filesets:
    VaultTS.VV-IWS,fr=A.04.50,fa=HP-UX_B.11.04_32/64,v=HP
    VaultTS.VVOS-ADM-RUN,fr=A.04.50,fa=HP-UX_B.11.04_32/64,v=HP
    VaultTS.VV-CORE-CMN,fr=A.04.50,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: No

Category Tags: defect_repair general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_31827

Symptoms:
    PHSS_31827:
    1. SSL-enabled Apache Administration web server may exhibit
       unexpected behavior for mod_ssl versions prior to 2.8.19.

    PHSS_30647:
    1. Apache Administration web server may exhibit unexpected
       behavior with Apache versions prior to 1.3.31.
    2. SSL-enabled Apache Administration web server may exhibit
       unexpected behavior for OpenSSL versions prior to 0.9.7d.
    3. SSL-enabled Apache Administration web server may exhibit
       unexpected behavior for mod_ssl versions prior to 2.8.18.
    4. mod_proxy module of Apache Administration web server may
       exhibit unexpected behavior in versions 1.3.26 to 1.3.31.

    PHSS_30159:
    Inside admin web server may exhibit unexpected behavior with
    Apache versions prior to 1.3.29.

    PHSS_29892:
    SSL-enabled Apache Administration Web server may exhibit
    unexpected behavior for OpenSSL versions prior to 0.9.7c.

    PHSS_29541:
    Inside Admin web server may exhibit unexpected behavior with
    Apache versions prior to 1.3.28.

    PHSS_28521:
    Apache Administration Web Server does not clean up allocated
    shared memory segment.

    PHSS_28111:
    Inside Admin web server may exhibit unexpected behavior with
    Apache versions prior to 1.3.27.

    PHSS_27477:
    Apache Inside Admin Web Server may exhibit unexpected behavior.

    PHSS_24527:
    1) VirtualVault account administration supports password aging
       and other strong password controls, but there is no means to
       administer it. There are also other strong login and password
       controls like time of day restrictions supported on the
       underlying OS, but not by the VirtualVault.
    2) A user is not forced to reset his password after another user
       administratively changes it.
    3) There is no way to set password triviality checks via the
       HTTP VirtualVault Administration Interface.

    PHSS_24212:
    1) Nameserver Address entered by the user through administration
       interface is not being validated.
    2) VirtualVault does not have any command or GUI utility
       available to select or assign an account's privileges. This
       means that using the mkacct command there is no option to set
       the u_syspriv and u_basepriv fields of the prpwd file.
    3) VirtualVault administrator accounts cannot be created with a
       name containing an underscore character.
    4) The mkacct program produces unexpected output under certain
       conditions.

    PHSS_23943:
    Alarm creation does not prevent alarm names with a colon in them.

    PHSS_24038:
    Apache Inside Web Server may exhibit unexpected behavior.

Defect Description:
    PHSS_31827:
    1. SSL-enabled Apache Administration web server may exhibit
       unexpected behavior for mod_ssl versions prior to 2.8.19.
    Resolution:
    1. Migrated mod_ssl module of Apache Administration Web Server
       version from 2.8.18 to 2.8.19.

    PHSS_30647:
    1. Apache Administration web server may exhibit unexpected
       behavior with Apache versions prior to 1.3.31.
    2. SSL-enabled Apache Administration web server may exhibit
       unexpected behavior for OpenSSL versions prior to 0.9.7d.
    3. SSL-enabled Apache Administration web server may exhibit
       unexpected behavior for mod_ssl versions prior to 2.8.18.
    4. mod_proxy module of Apache Administration web server may
       exhibit unexpected behavior in versions 1.3.26 to 1.3.31.
    Resolution:
    1. Migrated Apache version for the Apache Administration web
       server from 1.3.29 to 1.3.31.
    2. Migrated OpenSSL version to 0.9.7d.
    3. Migrated mod_ssl module of Apache Administration Web Server
       version from 2.8.17 to 2.8.18.
    4. Apache provided a patch for the mod_proxy module that adds a
       check for invalid content length.

    PHSS_30159:
    Inside admin web server may exhibit unexpected behavior with
    Apache versions prior to 1.3.29.
    Resolution:
    Migrated Apache version for the inside admin web server from
    1.3.28 to 1.3.29.

    PHSS_29892:
    SSL-enabled Apache Administration Web server may exhibit
    unexpected behavior for OpenSSL versions prior to 0.9.7c.
    Resolution:
    Migrated OpenSSL version to 0.9.7c.

    PHSS_29541:
    Inside Admin server may exhibit unexpected behavior with Apache
    versions prior to 1.3.28.
    Resolution:
    Migrated Apache version for the inside admin server from 1.3.27
    to 1.3.28.

    PHSS_28521:
    Apache Administration Web Server does not clean up allocated
    shared memory segment.
    Resolution:
    Dynamic memory allocated instead of shared memory segment.

    PHSS_28111:
    Inside Admin server may exhibit unexpected behavior with Apache
    versions prior to 1.3.27.
    Resolution:
    Migrated Apache version for the inside admin server from 1.3.19
    to 1.3.27.

    PHSS_27477:
    Apache Inside Web Server may exhibit unexpected behavior.
    Resolution:
    Corrected the Apache Inside Admin Server to function as expected.

    PHSS_24527:
    The underlying OS support for these features was never enabled
    in the VirtualVault Administration interface.
    Resolution:
    1) All strong password and login controls supported by the
       underlying VirtualVault operating system will now be enforced
       by the application layer. They will also be configurable from
       the administration interface.
    2) After creating a new user via vaultconfig or the "Create
       Account" interface, or after changing the password of another
       user via the "Modify Account" interface, the real user will be
       forced to reset his password on first login to the
       VirtualVault administration interface.
    3) The "Modify Account Defaults" screen will now be used to
       manipulate whether password triviality checks are enforced on
       a systemwide basis.

    PHSS_24212:
    1) The Nameserver IP address entered by the user through the
       administration interface is not being validated. Anything
       entered by the user is taken as is and written into the
       /etc/resolv.conf file.
    2) The mkacct command does not provide any method to set the
       u_syspriv and u_basepriv fields of the prpwd file. So, any new
       user who gets created will always receive the default
       privileges from the system default file. The only method that
       is available now to change this is to edit the prpwd file of
       the newly created account.
    3) The login name checking code (in both mkacct and vaultconfig)
       was incorrectly disallowing names that contained a '_'
       character within them (like "vv_adm").
    4) The function handling the -h option was not allocating enough
       memory to hold the path string.
    Resolution:
    1) The IP address entered for Nameserver is validated before
       writing into the /etc/resolv.conf file.
    2) Two new options -k and -b have been added to the mkacct
       command. The account administrator will now have an option of
       specifying the kernel authorizations and base privileges for
       the newly created account.
    3) The legal_login() and validUserName functions will now accept
       '_' as a valid character for login names.
    4) The checkhome() function will now allocate the right amount of
       memory required to hold the path.

    PHSS_23943:
    Alarm creation does not prevent use of colons in the alarm name.
    Colons are used as field delimiters.
    Resolution:
    A check was added to ensure colons are not allowed as a valid
    character in alarm names.

    PHSS_24038:
    Apache Inside Web Server is missing expected functionality.
    Resolution:
    Corrected the Apache Inside Web Server to function as expected.
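
The input checks that PHSS_24212 (items 1 and 3) and PHSS_23943 describe, written out in C as an added example. This is not HP's code: the function names are hypothetical, the sample inputs are constructed, and the login-name rule beyond accepting '_' is an assumption.

```c
/* Added example, not HP's code. All function names are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>

/* Strict dotted-quad check. inet_pton() rejects trailing text, spaces and
 * newlines, so "192.0.2.53\nsearch example.test" cannot add a second line. */
int valid_nameserver(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Build the resolv.conf line from validated input only.
 * Returns 0 on success, -1 if the input is rejected or out is too small. */
int format_nameserver_line(const char *ip, char *out, size_t outlen)
{
    int n;
    if (!valid_nameserver(ip))
        return -1;
    n = snprintf(out, outlen, "nameserver %s\n", ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Alarm names sit in colon-delimited records: reject the delimiter,
 * control characters (a newline would end the record) and empty names. */
int valid_alarm_name(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    if (s == NULL || *s == '\0')
        return 0;
    for (; *p != '\0'; p++)
        if (*p == ':' || iscntrl(*p))
            return 0;
    return 1;
}

/* Login names. Assumed rule for this example: a letter first, then letters,
 * digits or '_'. The patch text only says that '_' is now accepted. */
int valid_login_name(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    if (s == NULL || !isalpha(*p))
        return 0;
    for (p++; *p != '\0'; p++)
        if (!isalnum(*p) && *p != '_')
            return 0;
    return 1;
}

int main(void)
{
    char line[64]; /* inputs below are constructed samples */
    if (format_nameserver_line("192.0.2.53", line, sizeof line) == 0)
        fputs(line, stdout);
    printf("%d\n", valid_nameserver("192.0.2.53\nsearch example.test"));
    printf("%d %d\n", valid_alarm_name("disk:full"), valid_login_name("vv_adm"));
    return 0;
}
```
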

Enhancement: No

SR:
    8606374112 8606367048 8606367047 8606363846 8606355700
    8606269065 8606195659 8606196478 8606201073 8606193585
    8606199676 8606204402 8606205848 8606272389 8606283593
    8606295386 8606322520 8606295989 8606339401

Patch Files:
    VaultTS.VV-IWS,fr=A.04.50,fa=HP-UX_B.11.04_32/64,v=HP:
    /opt/vaultTS/ws-admserv/bin/httpd
    /opt/vaultTS/ws-admserv/PUBLIC_LICENSE_INFORMATION
    /etc/auth/system/files.fcdb/25.patches/24038_PHSS.fcdb
    /etc/auth/system/files.fcdb/25.patches/24527_PHSS.fcdb

    VaultTS.VVOS-ADM-RUN,fr=A.04.50,fa=HP-UX_B.11.04_32/64,v=HP:
    /sbin/mkacct

    VaultTS.VV-CORE-CMN,fr=A.04.50,fa=HP-UX_B.11.04_32/64,v=HP:
    /usr/lib/nls/msg/C/vvts-admin.cat
    /var/opt/vaultTS/inside/vault/bin/alarm-create
    /var/opt/vaultTS/inside/vault/bin/sys-confdevice
    /opt/vaultTS/lib/vaultconfig/functions/validUserName
    /var/opt/vaultTS/inside/vault/bin/acc-moddefs
    /var/opt/vaultTS/inside/vault/bin/acc-modpass
    /var/opt/vaultTS/inside/vault/bin/acc-moduser
    /var/opt/vaultTS/inside/vault/bin/acc-newuser
    /var/opt/vaultTS/inside/vault/bin/acc-query
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-locked.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-moddefs.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-modpass.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-moduser.html
    /var/opt/vaultTS/inside/vault/loc/C/html/acc-query.html
    /var/opt/vaultTS/inside/vault/loc/C/include/acc-userattr.html

Patch Conflicts: None

Patch Dependencies:
    s700: 11.04: PHCO_24852
    s800: 11.04: PHCO_24852

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_23943 PHSS_24212 PHSS_24038 PHSS_24527 PHSS_27477
    PHSS_28111 PHSS_28521 PHSS_29541 PHSS_29892 PHSS_30159
    PHSS_30647

Equivalent Patches:
    PHSS_31823:
    s700: 11.04
    s800: 11.04

    PHSS_31825:
    s700: 11.04
    s800: 11.04

Patch Package Size: 1430 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_31827

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHSS_31827.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_31827. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please
             be careful when using this feature.

    For future reference, the contents of the PHSS_31827.text
    file are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHSS_31827.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_31827.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    PHSS_24527:
    This patch requires the prior installation of PHCO_24852 or
    its successor onto the system to be patched. To obtain this
    patch, use a web browser to access the HP Electronic Support
    Center web site at http://us-support.external.hp.com for US,
    Canada, Asia-Pacific & Latin America, or
    http://europe-support.external.hp.com for Europe.

    This patch installs the actual code required to implement the
    changes described herein. Please also obtain and install
    patch PHSS_24529 or its successor in order to update the
    electronic version of the Virtualvault Administrator's Guide
    where the functionality of creating a user or changing his
    password has changed.

    The Virtualvault administration server and any outside web
    servers will be restarted due to the patch's automatic reboot
    requirement.