Security Pack NB_CLT_51_4S01_M.tar provides security-related fixes for the Veritas NetBackup (tm) Enterprise Server / Server 5.1 on UNIX clients.

Article:TECH46905  |  Created: 2006-01-22  |  Updated: 2006-01-03  |  Article URL http://www.symantec.com/docs/TECH46905
Article Type
Technical Solution


Issue



Security Pack NB_CLT_51_4S01_M.tar provides security-related fixes for the Veritas NetBackup (tm) Enterprise Server / Server 5.1 on UNIX clients.

Solution



 CLT 5.1GA Pack NB_CLT_51_4S01_M README                            March 23, 2006
Corequirement: NB_51_4S01_M
Requirement: NB_CLT_51_4_M
================================================================================
** THIS SECURITY PACK MUST BE INSTALLED OVER THE NETBACKUP 5.1 GA Pack  
NB_CLT_51_4_M MAINTENANCE PACK.  ANY ATTEMPT TO INSTALL THIS PACK OVER AN  
EARLIER VERSION OF NETBACKUP 5.1 WILL RESULT IN A FAILED INSTALL.**

This Security Pack provides fixes for the Veritas NetBackup (tm) UNIX  
clients.  NetBackup UNIX Add-on products and Database Agents have separate
Security Packs.

================================================================================

=================
PACK DEPENDENCIES
=================

    -- NB_CLT_51_4_M_<6 digit number>.tar must be installed before this  
       pack is installed.

    -- On a server, NB_CLT_51_4S01_M (this Security Pack) can be installed on  
       a client using a remote installation procedure or a local installation  
       procedure.
     
    -- Only on a NetBackup server, NB_51_4S01_M_<6 digit number>.<server>.tar
       must be installed after this Security Pack is installed.

    -- Installation of this Security Pack requires version 1.19.4.23 of  
       the Vrts_pack.install script.
 

I.   DOWNLOAD INSTRUCTIONS
II.  KNOWN ISSUES
III. INSTALLATION INSTRUCTIONS
IV.  UNINSTALL INSTRUCTIONS
V.   DESCRIPTION OF PROBLEMS FIXED
      Current Pack  


=========================
I. DOWNLOAD INSTRUCTIONS
=========================
1) Download the NB_CLT_51_4S01_M_<6 digit number>.tar into the  
  /tmp directory,

  where <6 digit number> is an internal tracking identifier

    NOTE: NB_CLT_51_4S01_M_<6 digit number>.tar contains all client  
          binaries.

2) Extract the NB_CLT_51_4S01_M_<6 digit number>.tar file
       tar xvf NB_CLT_51_4S01_M_<6 digit number>.tar

       This will create the files:
       VrtsNB_CLT_51_4S01_M.README
       VrtsNB_CLT_51_4S01_M.tar.Z
       VrtsNB_CLT_51_4S01_M.postuninstall
       VrtsNB_CLT_51_4S01_M.postinstall  
       VrtsNB_CLT_51_4S01_M.preinstall        
       Vrts_pack.install
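
An added example, not part of the Veritas README: a check that lists the downloaded archive without extracting it and compares its members with the six files step 2 says it creates, so anything unexpected is seen before `tar xvf` and `Vrts_pack.install` are run as root. The helper name `check_pack_members` is made up for this example.

```sh
#!/bin/sh
# Added example, not Veritas code. Expected members are copied from the
# file list in section I, step 2 of the README.
EXPECTED_MEMBERS="VrtsNB_CLT_51_4S01_M.README
VrtsNB_CLT_51_4S01_M.tar.Z
VrtsNB_CLT_51_4S01_M.postuninstall
VrtsNB_CLT_51_4S01_M.postinstall
VrtsNB_CLT_51_4S01_M.preinstall
Vrts_pack.install"

# check_pack_members ARCHIVE  (hypothetical helper name)
# Lists the archive without extracting it. Returns 0 only when the member
# list is exactly the expected set; otherwise prints each problem, returns 1.
check_pack_members() {
    archive=$1
    status=0
    listing=$(tar tf "$archive" 2>/dev/null) || {
        echo "cannot list archive: $archive"
        return 1
    }

    # Any member that is not an exact match is reported. That covers extra
    # scripts as well as absolute paths and "../" entries, which some tar
    # implementations extract outside the current directory.
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        name=${member#./}
        if ! printf '%s\n' "$EXPECTED_MEMBERS" | grep -Fxq -- "$name"; then
            echo "unexpected member: $member"
            status=1
        fi
    done <<EOF
$listing
EOF

    # Every file the README names must be present.
    while IFS= read -r want; do
        if ! printf '%s\n' "$listing" | sed 's|^\./||' | grep -Fxq -- "$want"; then
            echo "missing member: $want"
            status=1
        fi
    done <<EOF
$EXPECTED_MEMBERS
EOF
    return $status
}
```

Source the file and call `check_pack_members` with the path of the downloaded tar file before step 2; a non-zero return means the archive does not match the README's list.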


==================
II.  KNOWN ISSUES
==================
Description:
   Solaris 10 is now supported as follows:

   Hardware        Support
   ---------------------------------------------
   SPARC           NetBackup Server and Client
   Intel x86       NetBackup Client

   The above support is for base OS support only.  With NetBackup 5.1 MP2,
   the "Zones" or "Containers" feature introduced in Solaris 10 is not
   supported.  NetBackup is supported on a system running the global zone
   only; any additional local zones or containers are not supported at
   this time.

   NetBackup Client for Solaris 10 x86 on AMD Opteron servers is not
   supported with NetBackup 5.1 MP2, but support may be announced at a
   later time based on successful test results.

   Use of NetBackup Advanced Client methods is supported on Solaris 10
   beginning with Veritas Storage Foundation Suite version 4.1 releasing
   in 2005.  Check the Sun/Veritas web-site for availability.

   Solaris 10 is not supported on the base CD-ROM version of NetBackup 5.1.
   There are known connection and Java GUI issues that will be encountered
   if you attempt to run the NetBackup 5.1 GA version on Solaris 10.  This
   is due to a new inetd design method introduced in Solaris 10.  
   Therefore, this NetBackup 5.1 MP2 patch update must be applied.
   
   The following script must be run after this patch is installed in order
   for "Solaris Solaris10" or "Solaris Solaris_x86_10" to show as a client
   selection in the drop down list for backup policies:

   /usr/openv/netbackup/bin/goodies/new_clients

   Upon running this script, Solaris 10 choices will be available in the  
   drop-down menu for Solaris 10 clients.



===============================
III. INSTALLATION INSTRUCTIONS
===============================
For Security Pack installation on a UNIX Cluster Environment:

NOTE: Click on the "Download Now" link, near the bottom of this document  
prior to running the following installation procedure for this pack.

1) Ensure that prior to installing the security pack, NetBackup is at
  release level 5.1 and configured to run in a cluster.

2) Freeze the NetBackup group (This will avoid a 'failover' during a patch
  installation).

3) Install this Security Pack on the inactive node(s) of the cluster  
  (follow the steps below).

4) Install this Security Pack on the active node of the cluster (follow
  the steps below).

5) Unfreeze the NetBackup group.


--------------------------------------------------------------------------------
There are two ways to install the client security pack software.

1. Remote Installation:  Loads the software on a master server with
   the intent of pushing client software out to affected clients.

2. Local Installation:   Loads and installs the software only to this
   local machine.

Remote client install:

As root on the NetBackup Master/Media Server:

1) This pack contains a full release of the IBMzSeriesLinux 2.4.21 client.  If
  you intend to install this client type, you must first create the following
  directory:

       mkdir /usr/openv/netbackup/client/Linux/IBMzSeriesLinux2.4.21

  If you intend to install the Encryption Libraries for this client type, you
  must create the following directory:

       mkdir /usr/openv/netbackup/crypt/Linux/IBMzSeriesLinux2.4.21

2) Install NB_51_4S01_M and NB_CLT_51_4S01_M Security Pack binaries.

       cd /tmp
       /bin/sh Vrts_pack.install

NOTE: The installation of the client pack on the server copies the appropriate  
client binaries into place on the server.
It is important that Server and Client binaries are kept at the same pack level  
on all NetBackup Servers.  This is enforced by the Pack install process.

3) Restart daemons.

       /usr/openv/netbackup/bin/initbprd
       /usr/openv/volmgr/bin/ltid -v

4) Update the remote NetBackup clients with the update_clients script.

       /usr/openv/netbackup/bin/update_clients <hardware> <os>

       where <hardware> <os> is one of the following:
           ALPHA OSF1_V5
           HP9000-700 HP-UX11.00
           HP9000-800 HP-UX11.00
           HP9000-700 HP-UX11.11
           HP9000-800 HP-UX11.11
           Linux IBMzSeriesLinux2.4
           Linux IBMzSeriesLinux2.4.21
           INTEL  FreeBSD4.5
           Linux  RedHat2.4
           MACINTOSH MacOSXS10.2
           RS6000 AIX4.3.3
           RS6000 AIX5
           SCO UnixWare7.1
           SGI IRIX65
           Solaris Solaris7
           Solaris Solaris8
           Solaris Solaris9
           Solaris Solaris10 *
           Solaris Solaris_x86_7
           Solaris Solaris_x86_8
           Solaris Solaris_x86_9
           Solaris Solaris_x86_10 *

           * - For "Solaris Solaris10" or "Solaris Solaris_x86_10" to show when
               configuring clients into a backup policy, the following must be
               executed on the server:

                    /usr/openv/netbackup/bin/goodies/new_clients

      Note: The /usr/openv/netbackup/bin/update_clients command without
            any parameters will update all the UNIX clients.
             
      Note: When updating an RS6000 client, there may be circumstances
            where update_clients will fail with an error similar to
            this:

            Couldn't open /usr/openv/lib/libVmangle.so on client  
            Client open errno = 26

            If this happens, execute /usr/sbin/slibclean on the client
            to be updated and re-run update_clients.

If the client (CLT) .Z file and README exist in the installation directory
during the installation of the server security pack, the Vrts_pack.install
script will install the client security pack automatically.  The client  
security pack will NOT be installed automatically during a reinstall of the
server security pack.  

Additional Notes:

If non-root administrators use the GUI only, the nonroot_admin
script no longer needs to be run.  If the non-root administrators
use the command line or bpadm, the group and file permissions
will have to be changed manually on the NetBackup binaries.  
Users can write their own script.  The script is being phased
out because there is a slight security risk that non-root users
may be able to execute NetBackup commands only because those users
are part of a group that is allowed to execute NetBackup commands.

For "Solaris Solaris10" to show when configuring clients into a  
backup policy, the following command must be executed:

  /usr/openv/netbackup/bin/goodies/new_clients


Local client install:

The install script will determine if a local client install is appropriate  
and choose the appropriate client type to install.

As root on the NetBackup client:

1) Install NB_CLT_51_4S01_M Security Pack binaries.

      cd /tmp
      /bin/sh Vrts_pack.install

  NOTE: It is not possible to install the new Linux client  
        (LinuxIBMzSeriesLinux 2.4.21) locally.  It must be installed on the
        Master server and pushed to the client.


===========================
IV. UNINSTALL INSTRUCTIONS
===========================
Note:  This will ONLY uninstall the security pack from your machine
      if the client security pack software was installed directly on the
      machine.  This uninstall procedure will NOT work on clients that were
      installed by pushing the software from a server.
   
As root on the NetBackup Master/Media Server in which the security pack was
installed:

   1) Close the NetBackup user interfaces.

       Make sure the NetBackup server has no active jobs running (for
       example, backups, restores, or duplications).

       If a database agent is being used, such as Oracle,  
       ensure that the database services are stopped.  

   2) Change directory to the patch save directory.  
       Substitute the pack name for $PACK in the following command:

          cd /usr/openv/pack/$PACK/save

   3) Run the un-install script:

         ./Vrts_pack.uninstall

   4) Verify that the pack uninstalled successfully by checking  
       /usr/openv/pack/pack.history.

   5) If update_clients was run after the pack was originally INSTALLED,  
       run it again after that pack is successfully UNINSTALLED.

   6) If necessary, restart the NetBackup and Media Manager daemons:
       /usr/openv/netbackup/bin/goodies/netbackup start


=================================
V. DESCRIPTION OF PROBLEMS FIXED
=================================
The following are descriptions of the problems fixed.  Please read the entire
document before installing.

README Conventions:

Description
    Describes a particular problem contained in this pack.

** Description **  
    Describes a problem that can lead to potential data loss. Please  
    read these problem descriptions carefully.

Workaround
    Any available workarounds to a problem are also listed. Workarounds  
    can be used INSTEAD of applying the patch, however, Symantec strongly  
    recommends the "best practice" of being at the latest patch level.

Additional Notes  
    Any additional information regarding these problems is included.


=============  
Current pack  
=============  

================================================================================

Etrack Incident(s) = ET538176 ET537661 ET537510 ET537536 ET537527 ET537519 ET537478
ET537556 ET537413 ET538161 ET542503 ET546475 ET546008 ET568450 ET568930 ET540333
ET536742

Description:  
   Multiple buffer overflow vulnerabilities have been identified in daemons
   that run on Veritas NetBackup master servers, media servers, and clients.
   An attacker, if able to access a vulnerable Veritas NetBackup server and
   successfully exploit these issues, could potentially execute arbitrary
   code resulting in possible unauthorized and elevated privilege access to
   the targeted system.
   
   For more information about this vulnerability, refer to TechNote 281521 on
   the Symantec Support Web site (http://support.veritas.com/docs/281521).

================================================================================




Attachments

NB_CLT_51_4S01_M_282441.tar (25.9 MBytes)


Legacy ID



282441

