Special Maintenance Pack NB_CLT_51_3S0949_M.tar provides security-related fixes for the Java Authentication Service on VERITAS NetBackup (tm) Enterprise Server / Server 5.1 on UNIX clients.

Article:TECH44344  |  Created: 2005-01-11  |  Updated: 2005-01-12  |  Article URL http://www.symantec.com/docs/TECH44344
Article Type
Technical Solution


Environment

Issue



Special Maintenance Pack NB_CLT_51_3S0949_M.tar provides security-related fixes for the Java Authentication Service on VERITAS NetBackup (tm) Enterprise Server / Server 5.1 on UNIX clients.

Solution



CLT 5.1GA Pack NB_CLT_51_3S0949_M README October 12, 2005
Corequirement: NB_51_3AS0949_M
================================================================================
** THIS MAINTENANCE PACK IS A NON-CUMULATIVE PACK THAT MUST BE INSTALLED OVER
THE NETBACKUP 5.1GA Pack NB_CLT_51_3_M MAINTENANCE PACK. ANY ATTEMPT TO INSTALL
THIS PACK OVER AN EARLIER VERSION OF NETBACKUP 5.1 WILL RESULT IN A FAILED
INSTALL.**

NOTE: Because NetBackup 5.1 Maintenance Pack 3 contained a condition under
which data loss may occur, it was important that Symantec provide a new
release of the 5.1 MP3 server patches. To accommodate those patches,
this patch, NB_CLT_51_3S0949_M, contains a new patch installer that will
work with the new server patch, labeled NB_51_3AS0949_M. This installer
enables future patch installs to recognize the alpha character 'A' in
the version string. No binary changes were made to the patch.

(Please refer to the PACK DEPENDENCIES and the RELATED DOCUMENTS sections of
this Readme for additional information that applies to this pack.)

Symantec recommends that the backing up of active file systems be avoided,
or the use of snapshot technologies be implemented. The directory structure
reported back from the file system (to NetBackup) may not contain all of the
files available during the time of backup. NetBackup will not report errors
in many cases where the file's existence is not known to NetBackup as reported
by the file system.


=================
PACK DEPENDENCIES
=================

-- 5.1GA Pack NB_CLT_51_3_M must be installed prior to installing this
Maintenance Pack.

-- On a server, NB_51_3A_M_<6 digit number>.<server>.tar must be installed
after this Maintenance Pack is installed.

-- Installation of this Maintenance Pack requires version 1.19.4.16 of
the Vrts_pack.install script.

-- For the latest robotics support please download the latest
Mappings_5.1.<6 digit number>.tar from the support website:
www.support.veritas.com.


I. DOWNLOAD INSTRUCTIONS
II. INSTALLATION INSTRUCTIONS
III. UNINSTALL INSTRUCTIONS
IV. DESCRIPTION OF PROBLEMS FIXED
Current Pack


=========================
I. DOWNLOAD INSTRUCTIONS
=========================
1) Download the NB_CLT_51_3S0949_M_<6 digit number>.tar into the
/tmp directory,

where <6 digit number> is an internal tracking identifier

NOTE: NB_CLT_51_3S0949_M_<6 digit number>.tar contains all client
binaries.

2) Extract the NB_CLT_51_3S0949_M_<6 digit number>.tar file
tar xvf NB_CLT_51_3S0949_M_<6 digit number>.tar

This will create the files:
VrtsNB_CLT_51_3S0949_M.README
VrtsNB_CLT_51_3S0949_M.tar.Z
VrtsNB_CLT_51_3S0949_M.postuninstall
VrtsNB_CLT_51_3S0949_M.postinstall
VrtsNB_CLT_51_3S0949_M.preinstall
Vrts_pack.install



===============================
II. INSTALLATION INSTRUCTIONS
===============================
NOTE: For Maintenance Pack installation on a UNIX Cluster Environment:

1) Ensure that prior to installing the maintenance pack, NetBackup is at
release level 5.1 and configured to run in a cluster.

2) Freeze the NetBackup group (This will avoid a 'failover' during a patch
installation).

3) Install this Maintenance Pack on the inactive node(s) of the cluster
(follow steps 1-3 below).

4) Install this Maintenance Pack on the active node of the cluster (follow
steps 1-3 below).

5) Unfreeze the NetBackup group.


--------------------------------------------------------------------------------
There are two ways to install the client maintenance pack software.

1. Remote Installation: Loads the software on a master server with
the intent of pushing client software out to affected clients.

2. Local Installation: Loads and installs the software only to this
local machine.

Remote client install:

As root on the NetBackup Master/Media Server:

1) This pack contains a full release of the IBMzSeriesLinux 2.4.21 client. If
you intend to install this client type, you must first create the following
directory:

mkdir /usr/openv/netbackup/client/Linux/IBMzSeriesLinux2.4.21

If you intend to install the Encryption Libraries for this client type, you
must create the following directory:

mkdir /usr/openv/netbackup/crypt/Linux/IBMzSeriesLinux2.4.21

2) Install NB_51_3AS0949_M and NB_CLT_51_3S0949_M Maintenance Pack binaries.

cd /tmp
/bin/sh Vrts_pack.install

NOTE: The installation of the client pack on the server copies the appropriate
client binaries into place on the server.
It is important that Server and Client binaries are kept at the same pack level
on all NetBackup Servers. This is enforced by the Pack install process.

3) Restart daemons.

/usr/openv/netbackup/bin/initbprd
/usr/openv/volmgr/bin/ltid -v

4) Update the remote NetBackup clients with the update_clients script.

/usr/openv/netbackup/bin/update_clients <hardware> <os>

where <hardware> <os> is one of the following:
ALPHA OSF1_V5
HP9000-700 HP-UX11.00
HP9000-800 HP-UX11.00
HP9000-700 HP-UX11.11
HP9000-800 HP-UX11.11
Linux IBMzSeriesLinux2.4
Linux IBMzSeriesLinux2.4.21
INTEL FreeBSD4.5
Linux RedHat2.4
MACINTOSH MacOSXS10.2
RS6000 AIX4.3.3
RS6000 AIX5
SCO UnixWare7.1
SGI IRIX65
Solaris Solaris7
Solaris Solaris8
Solaris Solaris9
Solaris Solaris10 *
Solaris Solaris_x86_7
Solaris Solaris_x86_8
Solaris Solaris_x86_9
Solaris Solaris_x86_10 *

* - For "Solaris Solaris10" or "Solaris Solaris_x86_10" to show when
configuring clients into a backup policy, the following must be
executed on the server:

/usr/openv/netbackup/bin/goodies/new_clients

Note: The /usr/openv/netbackup/bin/update_clients command without
any parameters will update all the UNIX clients.

Note: When updating an RS6000 client, there may be circumstances
where update_clients will fail with an error similar to
this:

Couldn't open /usr/openv/lib/libVmangle.so on client
Client open errno = 26

If this happens, execute /usr/sbin/slibclean on the client
to be updated and re-run update_clients.

If the client (CLT) .Z file and README exist in the installation
directory during the installation of the server maintenance pack,
the Vrts_pack.install script will install the client maintenance
pack automatically. The client maintenance pack will NOT be
installed automatically during a reinstall of the server
maintenance pack.

Additional Notes:

If non-root administrators use the GUI only, the nonroot_admin
script no longer needs to be run. If the non-root administrators
use the command line or bpadm, the group and file permissions
will have to be changed manually on the NetBackup binaries.
Users can write their own script. The script is being phased
out because there is a slight security risk that non-root users
may be able to execute NetBackup commands only because those users
are part of a group that is allowed to execute NetBackup commands.

For "Solaris Solaris10" to show when configuring clients
into a backup policy, the following command must be executed:
/usr/openv/netbackup/bin/goodies/new_clients


Local client install:

The install script will determine if a local client install is appropriate
and choose the appropriate client type to install.

As root on the NetBackup client:

1) Install NB_CLT_51_3_M Maintenance Pack binaries.

cd /tmp
/bin/sh Vrts_pack.install

NOTE: It is not possible to install the new Linux client
(LinuxIBMzSeriesLinux 2.4.21) locally. It must be installed on the
Master server and pushed to the client.


===========================
III. UNINSTALL INSTRUCTIONS
===========================
Note: This will ONLY uninstall the maintenance pack from your machine
if the client maintenance pack software was installed directly on the
machine. This uninstall procedure will NOT work on clients that were
installed by pushing the software from a server.

As root on the NetBackup Master/Media Server in which the maintenance pack was
installed:

1) Close the NetBackup user interfaces.

Make sure the NetBackup server has no active jobs running (for
example, backups, restores, or duplications).

If a database agent is being used, such as Oracle,
ensure that the database services are stopped.

2) Change directory to the pack save directory.
Substitute the pack name for ${PACK} in the following command:

cd /usr/openv/pack/${PACK}/save

3) Run the un-install script:

./Vrts_pack.uninstall

4) Verify that the pack uninstalled successfully by checking
/usr/openv/pack/pack.history.

5) If update_clients was run after the pack was originally INSTALLED,
run it again after that pack is successfully UNINSTALLED.

6) If necessary, restart the NetBackup and Media Manager daemons:
/usr/openv/netbackup/bin/goodies/netbackup start


=================================
IV. DESCRIPTION OF PROBLEMS FIXED
=================================
The following are descriptions of the problems fixed.
Please read the entire document before installing.

README Conventions:

Description
Describes a particular problem or feature contained in this Maintenance
Pack.

** Description **
Describes a problem that can lead to potential data loss. Please
read these problem descriptions carefully.

Workaround
Any available workarounds to a problem are also listed. Workarounds
can be used INSTEAD of applying the patch, however, Symantec strongly
recommends the "best practice" of being at the latest patch level.

Additional Notes
Any additional information regarding this problem or feature is included.


=============
Current pack
=============

================================================================================
Etrack Incident = ET427175

Description:
A change has been made to avert a potential vulnerability in a Java
authentication service that runs on VERITAS NetBackup servers and clients.
This change prohibits remote attackers from executing arbitrary code on a
targeted system. In addition, Symantec recommends that users block the
affected ports from external network access.

(NetBackup Servers and Clients)
================================================================================



Attachments

NB_CLT_51_3S0949_M_279647.tar (15.5 MBytes)


Legacy ID



279647


Article URL http://www.symantec.com/docs/TECH44344


Terms of use for this information are found in Legal Notices