Security Pack NB_CLT_50_6S01_M.tar provides fixes for the Veritas NetBackup (tm) Enterprise Server / Server 5.0 on UNIX clients.

Article:TECH46975  |  Created: 2006-01-22  |  Updated: 2006-01-27  |  Article URL http://www.symantec.com/docs/TECH46975
Article Type
Technical Solution


Solution



CLT 5.0GA Pack NB_CLT_50_6S01_M README March 23, 2006
Corequirement: NB_50_6S01_M
Requirement: NB_CLT_50_6_M
================================================================================
**THIS SECURITY PACK MUST BE INSTALLED OVER THE NETBACKUP 5.0GA CLIENT PACK
NB_CLT_50_6_M MAINTENANCE PACK. ANY ATTEMPT TO INSTALL THIS PACK OVER AN
EARLIER VERSION OF NETBACKUP 5.0 WILL RESULT IN A FAILED INSTALL.**

This Security Pack provides fixes for the Veritas NetBackup (tm) UNIX clients.
NetBackup UNIX Add-on products and Database Agents have separate Security Packs.

================================================================================



=================
PACK DEPENDENCIES
=================

-- NB_CLT_50_6_M_<6 digit number>.tar must be installed before this
pack is installed.

-- On a server, NB_CLT_50_6S01_M (this pack) can be installed
on a client using a remote installation procedure or a local
installation procedure.

-- Only on a NetBackup server, NB_50_6S01_M_<6 digit number>.<server>.tar
must be installed after this pack is installed.

-- Installation of this pack requires version 1.17.4.34 of
the Vrts_pack.install script.


I. DOWNLOAD INSTRUCTIONS
II. KNOWN ISSUES
III. INSTALLATION INSTRUCTIONS
IV. UNINSTALL INSTRUCTIONS
V. DESCRIPTION OF PROBLEMS FIXED
Current Pack
NB_CLT_50_6S01_M



=========================
I. DOWNLOAD INSTRUCTIONS
=========================
1) Download the NB_CLT_50_6S01_M_<6 digit number>.tar into the
/tmp directory,

where <6 digit number> is an internal tracking identifier

NOTE: NB_CLT_50_6S01_M_<6 digit number>.tar contains all client
binaries.

2) Extract the NB_CLT_50_6S01_M_<6 digit number>.tar file
tar xvf NB_CLT_50_6S01_M_<6 digit number>.tar

This will create the files:
VrtsNB_CLT_50_6S01_M.README
VrtsNB_CLT_50_6S01_M.tar.Z
VrtsNB_CLT_50_6S01_M.postuninstall
VrtsNB_CLT_50_6S01_M.postinstall
VrtsNB_CLT_50_6S01_M.preinstall
Vrts_pack.install
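
Added example (not part of the Veritas README or the pack): a POSIX shell pre-flight check for the download and extract steps above. It confirms that the archive lists exactly the six files named in this README, and that the extracted files are regular files (not symlinks) that group and others cannot write to, before Vrts_pack.install is run as root from /tmp. The function names are hypothetical, and it is an assumption that the members are stored as bare file names, optionally prefixed with ./

```sh
#!/bin/sh
# Added example, not shipped with the pack. Function names are hypothetical.
# Member names are the six files the README says extraction creates.
EXPECTED_MEMBERS="VrtsNB_CLT_50_6S01_M.README
VrtsNB_CLT_50_6S01_M.tar.Z
VrtsNB_CLT_50_6S01_M.postuninstall
VrtsNB_CLT_50_6S01_M.postinstall
VrtsNB_CLT_50_6S01_M.preinstall
Vrts_pack.install"

# check_pack_members <tarfile>
# Returns 0 only if the archive lists exactly the expected members.
# Assumption: members are bare file names, optionally prefixed with "./".
check_pack_members() {
    tarfile=$1
    listing=$(tar tf "$tarfile") || return 2
    listing=$(printf '%s\n' "$listing" | sed 's|^\./||')
    if printf '%s\n' "$listing" | grep -q '/'; then
        echo "archive member has a directory component" >&2
        return 1
    fi
    want=$(printf '%s\n' "$EXPECTED_MEMBERS" | sort)
    have=$(printf '%s\n' "$listing" | sort)
    if [ "$want" != "$have" ]; then
        echo "archive members differ from the README list" >&2
        return 1
    fi
    return 0
}

# check_extracted_files <dir>
# Returns 0 only if every expected file exists in <dir> as a regular file,
# is not a symlink, and is not writable by group or others.
check_extracted_files() {
    dir=$1
    for name in $EXPECTED_MEMBERS; do
        f="$dir/$name"
        [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
        loose=$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)
        [ -z "$loose" ] || { echo "writable by group/other: $f" >&2; return 1; }
    done
    return 0
}
```

Run check_pack_members on the downloaded tar file before step 2, and check_extracted_files /tmp after extraction and before running Vrts_pack.install.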


=================
II. KNOWN ISSUES
=================
The following are known issues with NB_CLT_50_6S01_M. Please note that
these known issues will NOT be resolved after installing this pack.

Description:
Solaris 10 (Sparc) first appeared as a client choice in
NetBackup 5.0 MP4. This was in preparation for the general availability
of Sun Solaris 10; support for Solaris 10 will begin after
Solaris 10 (Sparc) is officially released. Solaris 10 support is
available for the client only.

Description:
When applying pack updates to AIX host <A>, do not use a
NetBackup GUI running on any other host to monitor the
NetBackup jobs/processes/daemons/devices on host <A> during
the installation. On AIX this may cause text busy errors
to occur during the installation. The safest approach is to not
have any GUIs running on remote systems which are accessing AIX
host <A> during pack application.

Description:
A backup that stops and resumes can successfully complete, but there may be
multiple duplicate fragments. When this happens, the import cannot determine
which duplicate fragment is correct. This is technically not a data-loss
issue (since the data is on tape); however, the data will be difficult to
recover if the import is needed.


===============================
III. INSTALLATION INSTRUCTIONS
===============================
For pack installation on a UNIX Cluster Environment:

NOTE: Click on the "Download Now" link, near the bottom of this document
prior to running the following installation procedure for this pack.

1) Ensure that prior to installing the pack, NetBackup is at
release level 5.0 and configured to run in a cluster.

2) Freeze the NetBackup group (This will avoid a 'failover' during a patch
installation).

3) Install this pack on the inactive node(s) of the cluster
(follow the steps below).

4) Install this pack on the active node of the cluster (follow
the steps below).

5) Unfreeze the NetBackup group.


--------------------------------------------------------------------------------
There are two ways to install the client pack software.

1. Remote Installation: Loads the software on a master server with
the intent of pushing client software out to affected clients.

2. Local Installation: Loads and installs the software only to this
local machine.

Remote client install:

As root on the NetBackup Master/Media Server:

1) This pack contains a full release of the IBMzSeriesLinux 2.4.21 client. If
you intend to install this client type, you must first create the following
directory:

mkdir /usr/openv/netbackup/client/Linux/IBMzSeriesLinux2.4.21

If you intend to install the Encryption libraries for this client type,
create the following directory:

mkdir /usr/openv/lib/client/Linux/IBMzSeriesLinux2.4.21

2) Install NB_50_6S01_M and NB_CLT_50_6S01_M pack binaries.

cd /tmp
/bin/sh Vrts_pack.install

3) Restart daemons.

/usr/openv/netbackup/bin/initbprd
/usr/openv/volmgr/bin/ltid -v

4) Update the NetBackup clients, including the NetBackup master and media
servers, with the update_clients script.

/usr/openv/netbackup/bin/update_clients <hardware> <os>

where <hardware> <os> is one of the following:
ALPHA OSF1_V5
HP9000-700 HP-UX11.00
HP9000-800 HP-UX11.00
HP9000-700 HP-UX11.11
HP9000-800 HP-UX11.11
Linux IBMzSeriesLinux2.4
Linux IBMzSeriesLinux2.4.21
INTEL FreeBSD4.5
Linux RedHat2.4
MACINTOSH MacOSXS10.2
RS6000 AIX4.3.3
RS6000 AIX5
SCO UnixWare7.1
SGI IRIX65
Solaris Solaris7
Solaris Solaris8
Solaris Solaris9
Solaris Solaris10 *
Solaris Solaris_x86_7
Solaris Solaris_x86_8

* - For "Solaris Solaris10" to show when configuring clients
into a backup policy, the following must be executed:

/usr/openv/netbackup/bin/goodies/new_clients

Only a Solaris 10 client running on Sparc is supported.
A Solaris 10 client running on an x86 system is not supported.

Remember to include the master server's <hardware> <os> type.

Note: The /usr/openv/netbackup/bin/update_clients command without
any parameters will update all the UNIX clients.

Note: When updating an RS6000 client, there may be circumstances
where update_clients will fail with an error similar to
this:

Couldn't open /usr/openv/lib/libVmangle.so on client
Client open errno = 26

If this happens, execute /usr/sbin/slibclean on the client
to be updated and re-run update_clients.

If the client (CLT) .Z file and README exist in the installation
directory during the installation of the server pack, the Vrts_pack.install
script will install the client pack automatically. The client pack will NOT
be installed automatically during a reinstall of the server pack.

Additional Notes:

If non-root administrators use the GUI only, the nonroot_admin
script no longer needs to be run. If the non-root administrators
use the command line or bpadm, the group and file permissions
will have to be changed manually on the NetBackup binaries.
Users can write their own script. The script is being phased
out because there is a slight security risk that non-root users
may be able to execute NetBackup commands only because those users
are part of a group that is allowed to execute NetBackup commands.

For "Solaris Solaris10" to show when configuring clients into a
backup policy, the following command must be executed:

/usr/openv/netbackup/bin/goodies/new_clients

--------------------------------------------------------------------------------

Local client install:

The install script will determine if a local client install is appropriate
and choose the appropriate client type to install.

As root on the NetBackup client:

1) Install NB_CLT_50_6S01_M pack binaries.

cd /tmp
/bin/sh Vrts_pack.install

NOTE: It is not possible to install the new Linux client
(LinuxIBMzSeriesLinux 2.4.21) locally. It must be installed on the
Master server and pushed to the client.


===========================
IV. UNINSTALL INSTRUCTIONS
===========================
Note: This will ONLY uninstall the pack from your machine
if the client pack software was installed directly on the
machine. This uninstall procedure will NOT work on clients that were
installed by pushing the software from a server.

As root on the NetBackup Master/Media Server on which the pack was
installed:

1) Close the NetBackup user interfaces.

Make sure the NetBackup server has no active jobs running (for
example, backups, restores, or duplications).

If a database agent is being used, such as Oracle,
ensure that the database services are stopped.

2) Change directory to the patch save directory.
Substitute the pack name for ${PACK} in the following command:

cd /usr/openv/pack/${PACK}/save

3) Run the un-install script:

./Vrts_pack.uninstall

4) Verify that the pack uninstalled successfully by checking
/usr/openv/pack/pack.history.

5) If update_clients was run after the pack was originally INSTALLED,
run it again after that pack is successfully UNINSTALLED.

6) If necessary, restart the NetBackup and Media Manager daemons:
/usr/openv/netbackup/bin/goodies/netbackup start


=================================
V. DESCRIPTION OF PROBLEMS FIXED
=================================
The following are descriptions of the problems fixed. Please read the entire
document before installing.

README Conventions:

Description
Describes a particular problem contained in this pack.

** Description **
Describes a problem that can lead to potential data loss. Please
read these problem descriptions carefully.

Workaround
Any available workarounds to a problem are also listed. Workarounds
can be used INSTEAD of applying the patch; however, Symantec strongly
recommends the "best practice" of being at the latest patch level.

Additional Notes
Any additional information regarding these problems is included.

=============
Current pack
=============

================================================================================
Etrack Incident = ET521918

Description:
A stack-based buffer overflow vulnerability existed in the volume manager
daemon (vmd) running on NetBackup servers. If an attacker was able to
gain access to a vulnerable NetBackup server and successfully exploit this
issue, it could have led to arbitrary code execution and resulted in
unauthorized access with elevated privileges on the targeted system.

This vulnerability impacted only NetBackup server systems and did not
impact NetBackup client systems.
--------------------------------------------------------------------------------
Etrack Incident = ET538174 ET537659 ET537508 ET537534 ET537525 ET537517 ET537472
ET537554 ET537411 ET538159 ET542501 ET546266 ET564217 ET540337 ET536765

Description:
Multiple buffer overflow vulnerabilities have been identified in daemons
that run on Veritas NetBackup master, media, and client servers. An
attacker, if able to access a vulnerable Veritas NetBackup server and
successfully exploit these issues, could potentially execute arbitrary
code resulting in possible unauthorized and elevated privilege access to
the targeted system.

For more information about this vulnerability, refer to TechNote 281521 on
the Symantec Support Web site (http://support.veritas.com/docs/281521 ).
================================================================================



Attachments

NB_CLT_50_6S01_M_282496.tar (20.2 MBytes)


Legacy ID



282496

