6.5.1.2 Hotfix

Article:TECH69124  |  Created: 2009-01-25  |  Updated: 2011-03-25  |  Article URL http://www.symantec.com/docs/TECH69124
Article Type
Technical Solution


Environment

Issue



Hotfix NB_PDE_6.5.1.2.tar provides critical fixes to Symantec Veritas NetBackup (tm) PureDisk Remote Office Edition 6.5.1.


Solution



Name: NB_PDE_6.5.1.2
Date: 22 April 2009

==============================================================================
This hotfix provides features and fixes to the Veritas NetBackup
PureDisk Remote Office Edition 6.5.1 software.

WARNING: When you apply this hotfix, all PureDisk services stop and
start. This can cause running jobs to abort.
==============================================================================

* PREREQUISITES

* PRODUCT ENHANCEMENTS

* DATALOSS ISSUES - RESOLVED

* SECURITY VULNERABILITIES - RESOLVED

* PREINSTALLATION STEPS

* INSTALLATION INSTRUCTIONS FOR THE STORAGE POOL AUTHORITY NODE

* INSTALLATION INSTRUCTIONS FOR ALL NON-SPA NODES

* VCS DOWNGRADE PROCEDURE



=============
PREREQUISITES
=============


This hotfix can only be installed on PureDisk 6.5.1 and 6.5.1.1.


====================
PRODUCT ENHANCEMENTS
====================


The following product enhancements are included in this release of
PureDisk:

* ET1524685 - The installation of PureDisk 6.5.1 resets the default
 Java maxheap size to 128 MB. This value can result in poor performance
 of the webui. Applying this hotifx updates the maxheap size to an
 appropriate value. The new value is based on the current value and on
 the services running on the machine. The value will be at least 256MB.
 For more information on this issue, see TechNote 289413 at
 http://support.veritas.com/docs/289413.



==========================
DATALOSS ISSUES - RESOLVED
==========================


The following dataloss issues are resolved in this release of PureDisk:

* ET1557553 - The parameter "Remove versions backed up : Older than (in
 days)" specified in a "Time Based Data Removal Policy" is always
 interpreted as zero. This value implies that only the last version of
 every file is retained. For the files that were deleted (on the
 source/client) before the latest backup, no version will be retained at
 all.

 - This bug leads to incomplete point-in-time restores. If you select
 "Restore version from date", several files will be missing from the
 restore.

 - This bug does NOT affect restores from the latest version. If you
 select "Restore latest version", the restore will be correct. Data
 Removal Policies using Version Based Data Removal are NOT affected.
 Only 6.5.1 is affected.

 Titan Case 281-528-482. For more information, see TechNote 321408
 (http://support.veritas.com/docs/321408)


* ET1587284 - For performance purposes, the PureDisk content router
 uses an internal memory cache to hold data signatures. On rare
 occasions, the system may have more signatures than the cache can hold.
 This condition causes the cache to become incomplete and can lead to
 data loss. For a content router with only 8GB of minimum required
 memory, the cache can hold approximately 116 million signatures. This
 amount of memory is often sufficient to store all signatures. If this
 amount is exceeded, data loss can occur. This issue has been present
 since PureDisk 6.5.

 For more information, see TechNote 321531
 (http://support.veritas.com/docs/321531)



===================================
SECURITY VULNERABILITIES - RESOLVED
===================================



Note:


While all the listed vulnerabilities are valid and resolved in 6.5.1.2,
they are not necessarily in use in all deployments of PureDisk. PDOS
ships with an extensive set of packages that are included for the
convenience of the user, but not used in a default deployment. As a
result, many of the vulnerabilities that are listed are in the packages
not used in by default in PureDisk. This PureDisk release addresses the
larger set of vulnerabilities and provides users with the most up-to-date
security.


The following security issues are resolved in this release of PureDisk:

* ET1322567 - DNS replies can be spoofed due to the predicable port and
 sequence number usage.

* ET1375191, 1425022, 1437562, 1438497, and 1469097 - Multiple security
 vulnerabilities exist in the PureDisk kernel.

* ET1378560 - Multiple heap-based buffer overflows exist in the rc4
 encryption (exsltCryptoRc4EncryptFunction) and decryption
 (exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in
 libxslt 1.1.8 through 1.1.24. That allows context-dependent attackers
 to execute arbitrary code by an XML file that contains a long string as
 "an argument in the XSL input."

* ET1437409 - Multiple heap-based buffer overflows exist in the NDR
 parsing in smbd in Samba 3.0.0 through 3.0.25rc3. That allows remote
 attackers to execute arbitrary code by crafted MS-RPC requests.

* ET1437547 - A invalid packet can underflow and potentially cause
 memory corruption and code execution in the librpcsecgss library that
 is used by NFSv4 and krb5.

* ET1437549 - Programs that use libext2fs are vulnerable to memory
 corruptions that can lead to arbitrary code execution while loading a
 specially crafted image.

* ET1437550 - A bug in freetype2 can lead to a heap overflow that can
 be exploited to execute arbitrary code when TTF images are handled.

* ET1437552 - A vulnerability in net-snmp allows denial-of-service
 attacks, an authentication bypass, and contains several memory leaks.

* ET1437553 - Attackers can exploit a buffer overflow in the DTLS
 implementation of openssl to potentially execute arbitrary code.

* ET1437554 - A local privilege escalation vulnerability as well as a
 mailbox ownership problem is present in postfix.

* ET1437560 - The libxml2 binary contains a denial of service condition
 in the UTF-8 processing of xmlCurrentChar().

* ET1437561 - Several security vulnerabilities are present in python.

* ET1437563 - Attackers can use specially crafted png files to
 overwrite arbitrary memory and potentially execute arbitrary code.

* ET1437565 - Attackers can use specially crafted files to lead unzip
 to use uninitialized memory.

* ET1437566 - A bug in rsync allows remote attackers to access
 restricted files outside a module's hierarchy if no chroot setup was
 used.

* ET1437568 - Certain regular expressions can cause the boost library
 to crash.

* ET1437571 - A vulnerability exists in dbus-1 when policies are
 applied incorrectly.

* ET1437574 - Users can prevent scheduled cron jobs from by setting
 hard links in /etc/crontab. Additionally, a symlink bug allows users to
 edit the crontab of other users.

* ET1437575 - An integer overflow in functionfile_printf() can be used
 to execute arbitrary code.

* ET1437576 - Missing Kerberos fixes allow for multiple possible
 attacks.

* ET1508146 - Specially crafted expressions can crash perl.

* ET1508149 - A header injection problem exists in Sys.Web.

* ET1508150 - A buffer underflow exists in libtiff.

* ET1508152 - Specially crafted xml files can cause a crash or a
 heap-based buffer overlow in libxml2.

* ET1508153 - The ntp daemon does not use the supplied keys.

* ET1508157 - A security update for openldap2-client introduced a
 problem in libldap that can cause LDAP clients to prematurely truncate
 search results.



=====================
PREINSTALLATION STEPS
=====================


This section describes the preinstallation steps for the hotfix.

Downloading and extracting the patch

1. Use scp to copy the tar file, NB_PDE_6.5.1.2.tar, to the /root
  directory of the PureDisk node that hosts the storage pool authority.

2. Log on as root to the node that hosts the storage pool authority.

3. Type the following command to verify the integrity of the hotfix:

  md5sum /root/NB_PDE_6.5.1.2.tar

  This command computes the md5 checksum of the hotfix. The md5 checksum
  of the hotfix must match the value below:

  00bbc6b88385ca94341668bebc4a577b

  If you obtain a different checksum, the hotfix was corrupted during
  download. Try to download the hotfix again.

4. Type the following command to extract the README file:

  tar -C / -xf /root/NB_PDE_6.5.1.2.tar ./NB_PDE_6.5.1.2.README



=============================================================
INSTALLATION INSTRUCTIONS FOR THE STORAGE POOL AUTHORITY NODE
=============================================================


This section describes the steps that are required to upgrade the
PureDisk software on the storage pool authority.

Installing the patch on the storage pool authority

1. Make sure that no PureDisk jobs are currently running or are
  scheduled to be run.

2. Log out from the Web UI.

3. (Conditional) Freeze the PureDisk service groups for the clustered
  PureDisk server.

  Perform this step if the storage pool is installed with VCS cluster
  software. Use the Cluster Manager Java Console, and freeze all the
  service groups.

  For information about how to freeze and unfreeze clustered storage
  pools, see the Veritas NetBackup PureDisk Storage Pool Installation
  Guide.

4. Type the following command to unpack the hotfix software:

  tar -C / -xf /root/NB_PDE_6.5.1.2.tar ./opt

5. Type the following command to run and install the hotfix:

  /opt/pdinstall/apply-NB_PDE_6.5.1.2.sh

6. Type the following command to start the first part of the kernel
  upgrade:

  sh /opt/pdinstall/upgrade-pdos-6.5.1.2.sh --pre

  At the end of a successful installation, the software prompts you to
  restart the storage pool authority.

7. (Conditional) Terminate any of the listed process with the
  following command if the upgrade-pdos-6.5.1.2.sh --pre script quits
  with a message similar to "Following programs are keeping /Storage
  locked...". This message indicates that active processes are
  preventing /Storage from being unmounted.

  kill -9 <pid>

  After all processes have been closed in this way, rerun
  upgrade-pdos-6.5.1.2.sh --pre script.

8. Type the following command to start the second part of the kernel
  upgrade:

  sh /opt/pdinstall/upgrade-pdos-6.5.1.2.sh --post

  At the end of a successful installation, the software prompts you to
  restart the storage pool authority.

9. On each individual PureDisk node with a Content Router, run the
  following script:

  /opt/pdconfigure/scripts/support/VerifyContainersVsCacheAndDB.sh

  to see if you are affected by the Data Loss issue as described in Tech
  Alert http://library.veritas.com/docs/321531



Note:


If you add new nodes to the PureDisk environment after this upgrade, run
the prepare_additionalNode.sh script before you upgrade PDOS. If this is
not done, the necessary scripts and packages for the PDOS upgrade are not
present.



===============================================
INSTALLATION INSTRUCTIONS FOR ALL NON-SPA NODES
===============================================



Note:


Make sure to upgrade the storage pool authority node before you upgrade
the other nodes in the storage pool.


This section describes the steps that are required to upgrade the
PureDisk software on all non-Storage Pool Authority PureDisk nodes.

Installing the patch on all non-SPA nodes

1. (Conditional) Freeze the PureDisk service groups for the clustered
  PureDisk server.

2. Type the following command to start the first part of the kernel
  upgrade:

  sh /opt/pdinstall/upgrade-pdos-6.5.1.2.sh --pre

  At the end of a successful installation, the software prompts you to
  restart the server.

3. (Conditional) Terminate any of the listed process with the
  following command if the upgrade-pdos-6.5.1.2.sh --pre script quits
  with a message similar to "Following programs are keeping /Storage
  locked...". This message indicates that active processes are
  preventing /Storage from being unmounted.

  kill -9 <pid>

  After all processes have been closed in this way, rerun
  upgrade-pdos-6.5.1.2.sh --pre script.

4. After the restart, type the following command to start the second
  part of the kernel upgrade:

  sh /opt/pdinstall/upgrade-pdos-6.5.1.2.sh --post

  At the end of a successful installation, the software prompts you to
  restart the server.

5. (Conditional) Unfreeze and online the PureDisk service groups for
  the clustered PureDisk server once all nodes are upgraded.

6. On each individual PureDisk node with a Content Router, run the
  following script:

  /opt/pdconfigure/scripts/support/VerifyContainersVsCacheAndDB.sh

  to see if you are affected by the Data Loss issue as described in Tech
  Alert http://library.veritas.com/docs/321531



Note:


If you add new nodes to the PureDisk environment after this upgrade, run
the prepare_additionalNode.sh script before you upgrade PDOS. If this is
not done, the necessary scripts and packages for the PDOS upgrade are not
present.



=======================
VCS DOWNGRADE PROCEDURE
=======================


If the VCS services fail to start or if /Storage is unavailable, it may
be necessary to downgrade the VCS cluster. To downgrade the cluster,
perform the following procedure on all nodes of the cluster:

Downgrading a VCS Cluster

1. Copy the following RPMs from the specified VCS disc to the node:

  From VCS disc 1:

  * storage_foundation_cluster_file_system/rpms/VRTScscm-4.4.30.00-MP
    3_GENERIC.noarch.rpm


  From VCS disc 2:

  * volume_manager/rpms/VRTSjre-1.4.1.3-3.i386.rpm

  * storage_foundation_cluster_file_system/rpms/VRTSvxfen-4.1.40.00-M
    P4_SLES10.x86_64.rpm

  * storage_foundation_cluster_file_system/rpms/VRTSgab-4.1.40.00-MP4
    _SLES10.x86_64.rpm

  * storage_foundation_cluster_file_system/rpms/VRTSllt-4.1.40.00-MP4
    _SLES10.x86_64.rpm

  * storage_foundation_cluster_file_system/rpms/VRTSvcs-4.1.40.00-MP4
    _SLES10.i586.rpm


  From the PDOS disc:

  * suse/x86_64/VRTSvxfs-platform-4.1.40.30-MP4RP3_SLES10.x86_64.rpm

  * suse/x86_64/VRTSvxvm-platform-4.1.40.30-MP4RP3_SLES10.x86_64.rpm

  * suse/i586/VRTSvxfs-common-4.1.40.30-MP4RP3_SLES10.i586.rpm

  * suse/i586/VRTSvxvm-common-4.1.40.30-MP4RP3_SLES10.i586.rpm


2. Change the boot loader to start the old kernel by default by doing
  the following:

  * Start YaST.

  * Go to system, Boot loader.

  * Highlight the "Boot old kernel" line and press the "Set as
    Default" button.

  * Press the "Finish" button.

  * Quit YaST.


3. Restart the node.

4. Stop all PureDisk services and VCS kernel components by issuing all
  of the following commands from a command prompt:

  * /etc/init.d/vcs stop

  * /etc/init.d/gab stop

  * /etc/init.d/llt stop

  * /etc/init.d/cron stop

  * /etc/init.d/ldap stop

  * /etc/init.d/vxatd stop


5. Downgrade all the required RPMs by issuing the following commands
  from a command prompt:

  * rpm -Uvh --force
    VRTSvxfs-common-4.1.40.10-MP4RP1_SLES10.i586.rpm

  * rpm -Uvh --force
    VRTSvxfs-platform-4.1.40.10-MP4RP1_SLES10.x86_64.rpm

  * rpm -Uvh --force
    VRTSvxvm-common-4.1.40.10-MP4RP1_SLES10.i586.rpm

  * rpm -Uvh --force
    VRTSvxvm-platform-4.1.40.10-MP4RP1_SLES10.x86_64.rpm

  * rpm -Uvh --force VRTSjre-1.4.1.3-3.i386.rpm

  * rpm -Uvh --force VRTScscm-4.4.30.00-MP3_GENERIC.noarch.rpm

  * rpm -Uvh --force VRTSvxfen-4.1.40.00-MP4_SLES10.x86_64.rpm

  * rpm -Uvh --force VRTSgab-4.1.40.00-MP4_SLES10.x86_64.rpm

  * rpm -Uvh --force VRTSllt-4.1.40.00-MP4_SLES10.x86_64.rpm

  * rpm -Uvh --force VRTSvcs-4.1.40.00-MP4_SLES10.i586.rpm


6. Restart the node.



 

Attachments

NB_PDE_6.5.1.2_321606.tar (243.7 MBytes)


Legacy ID



321606


Article URL http://www.symantec.com/docs/TECH69124


Terms of use for this information are found in Legal Notices