Patch Version: 2.8.2.0300.21

Product:
  Intel(R) NetStructure(tm) 7140 Traffic Director
  Intel(R) NetStructure(tm) 7140E Traffic Director-Export
  Intel(R) NetStructure(tm) 7145 Traffic Director
  Intel(R) NetStructure(tm) 7145E Traffic Director-Export
  Intel(R) NetStructure(tm) 7170 Traffic Director
  Intel(R) NetStructure(tm) 7170E Traffic Director-Export
  Intel(R) NetStructure(tm) 7175 Traffic Director
  Intel(R) NetStructure(tm) 7175E Traffic Director-Export
  Intel(R) NetStructure(tm) 7180 e-Commerce Director
  Intel(R) NetStructure(tm) 7180E e-Commerce Director-Export
  Intel(R) NetStructure(tm) 7185 e-Commerce Director
  Intel(R) NetStructure(tm) 7185E e-Commerce Director-Export

Release Date: 08/01/01

Fix Details:

CR003279: RFE #346: rich_app allows invalid header responses from servers
With rich services, a server response that has no HTTP header, or that has data preceding the HTTP header, is accepted and forwarded to the client as-is. With this change, such a response is treated as an error condition when HTTP error detection is enabled.

CR003317: rich_app allows a connection to a server although the active list is empty
If all servers for a service are disabled or dead, client connections are still connected to a server. With this change, the client receives a "503 - No Servers Available" message in this case.

CR003809: Traffic is intercepted by the broker rather than forwarded for specific ports
When the broker is configured to forward traffic (for example in SAP mode, where the broker is the default gateway), connections initiated by a server to a remote system may be intercepted by the broker instead of being forwarded. Specifically, TCP connections to ports 22, 1095, 1099, 1097 and 49291, and UDP connections to ports 514 and 49990, are not forwarded.

CR003907: HTTP error detection incorrectly catches 401 Authentication error
HTTP error detection does not allow backend servers to perform HTTP Basic authentication.
The HTTP server returns a 401 error when it wants the browser to pop up the user/password dialog box; HTTP error detection erroneously caught this response as a server error and returned the "503 - No Servers Available" message. With this change, a 401 response is no longer treated as an error.

CR003991: Setting nat.open_delay to 3600 via sysctl causes a kernel loop in nat_timeout
A connection idle timeout drops idle connections for Layer 4 services after a 5 minute period. This idle timeout restricts applications that need a single connection between client and server to be maintained over a long period (for example telnet/3270). The kernel tuning parameter that adjusts this idle timeout was restricted to values of less than 2147 seconds. This change allows the connection idle timeout to accept larger, reasonable values so that long-running connections can be maintained.

CR004525: security issue with telnetd
A potential security issue has been identified in Telnet option negotiation during the establishment of a Telnet connection from a client. A malicious client could send a sequence of Telnet options that causes a buffer overflow in the telnet daemon and results in the execution of arbitrary, untrusted code. No incidents of this issue have been reported to date, but the overflow could in principle be used to gain administrative access to the system. This change installs a new telnet daemon that addresses the issue.

Installation Instructions:

1) Download the patch install file to a local ftp server.

2) Verify that the device is currently booted to a valid boot index for patch installation. This patch can only be installed on release 2.8.2.x.21 of the same product with a patch version lower than 0300.
   Note: If this patch is installed on an incorrect release, the "config sys software install" command may report that the image has been installed, but the new boot index will not be shown by the "config sys software info" command.
3) Save the current policygroup configuration to a save filename (not default.cfg).
   Note: This is a precautionary measure. A manual restore of the configuration is only necessary if the current running configuration fails to restore normally after booting to the new boot index.

4) Install the patch install file using the CLI "config sys software install" command or the GUI Update Software facility.

5) Verify that the newly installed boot index is available for boot.

6) Boot to the newly installed boot index.

7) Verify that the policygroup configuration has been restored normally.

Additional instructions for the fix for CR003991. These steps are not required at most sites:

8) From a CLI login, run "config sys software info" to confirm that the running software version is at least 2.8.2.0200.21 before proceeding to the next step.

9) Log in as root and run "sysctl net.inet.nat.open_delay" (no quotes). You should see:

   net.inet.nat.open_delay = 300

10) Change this object to the desired value (the parameter is in seconds; this example uses 960):

   sysctl -w net.inet.nat.open_delay=960

   You will see:

   net.inet.nat.open_delay: 300 -> 960

   In this example the NAT idle timeout is changed from 5 minutes (300 seconds) to 16 minutes (960 seconds). The change is dynamic and takes effect immediately; no reboot is required.

11) To make the change survive reboots, add the "sysctl -w" command from step 10 at the end of the /etc/rc.local file.
   Note: This change will be required again each time the software is upgraded.
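Steps 8 to 11 above, as an added Python example (this is not Intel's tooling or anything shipped on the Traffic Director): a numeric version gate for the step 8 prerequisite, a parser for the two sysctl output forms shown in steps 9 and 10, a validated "sysctl -w" line, and an rc.local update that never stacks duplicate lines when the step is repeated after an upgrade. Python is assumed to be available, for example on an admin host that generates the commands to paste; the function names, the rc.local handling and the value check are this example's own assumptions.

```python
"""Helpers for the CR003991 tuning steps (added example; not Intel's code).

Pure functions, so they run anywhere Python is available.  The sysctl
output formats come from the lines shown in steps 9 and 10; the version
gate, value check and rc.local handling are this example's additions.
"""
import re

SYSCTL_KEY = "net.inet.nat.open_delay"
MIN_VERSION = "2.8.2.0200.21"      # step 8 prerequisite
DEFAULT_SECONDS = 300              # 5 minute idle timeout shipped by default

# Matches "net.inet.nat.open_delay = 300" and "net.inet.nat.open_delay: 300 -> 960".
_SYSCTL_RE = re.compile(
    r"^%s\s*[=:]\s*(\d+)(?:\s*->\s*(\d+))?\s*$" % re.escape(SYSCTL_KEY))


def parse_version(s):
    """'2.8.2.0300.21' -> (2, 8, 2, 300, 21): numeric, so 0300 > 0200 and 10 > 9 compare correctly."""
    return tuple(int(p) for p in s.strip().split("."))


def version_ok(running, minimum=MIN_VERSION):
    """True when the running release meets the step 8 prerequisite."""
    return parse_version(running) >= parse_version(minimum)


def parse_sysctl(output):
    """Current value from either sysctl output form; after '-w' the value after '->' is current."""
    m = _SYSCTL_RE.match(output.strip())
    if not m:
        raise ValueError("unexpected sysctl output: %r" % output)
    return int(m.group(2) or m.group(1))


def set_command(seconds):
    """Validated 'sysctl -w' line for steps 10 and 11."""
    if not isinstance(seconds, int) or isinstance(seconds, bool) or seconds <= 0:
        raise ValueError("idle timeout must be a positive whole number of seconds")
    return "sysctl -w %s=%d" % (SYSCTL_KEY, seconds)


def persist(rc_local_lines, seconds):
    """rc.local content with exactly one open_delay line, at the end (step 11).

    Re-running after an upgrade, or with a new value, replaces any earlier
    open_delay line instead of appending a duplicate.
    """
    prefix = "sysctl -w %s=" % SYSCTL_KEY
    kept = [line for line in rc_local_lines if not line.strip().startswith(prefix)]
    return kept + [set_command(seconds)]


def is_persisted(rc_local_lines, seconds):
    """Post-upgrade check for the step 11 note: is the wanted line still in rc.local?"""
    return set_command(seconds) in (line.strip() for line in rc_local_lines)


if __name__ == "__main__":
    # Constructed sample sysctl output and rc.local content.
    print(parse_sysctl("net.inet.nat.open_delay = 300"))
    print(parse_sysctl("net.inet.nat.open_delay: 300 -> 960"))
    print(persist(["#!/bin/sh", "echo booted"], 960))
```

Run persist() against the current /etc/rc.local content after every software upgrade, since the upgrade replaces the file; is_persisted() is the quick check that the line survived.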
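The HTTP error-detection behaviour described under CR003279, CR003317 and CR003907 in the fix details above, as an added Python example (not code from Intel or from the Traffic Director firmware): a broker-side check that rejects a backend response whose HTTP status line is missing or preceded by other data, answers "503 - No Servers Available" when no enabled, live server exists, and lets a 401 challenge through so the browser can prompt for credentials. The function names, the server-record fields, the treatment of 5xx codes as errors and the exact bytes of the 503 message are assumptions made for this example; the release note does not specify them.

```python
"""Broker-side checks for backend HTTP responses (added example, not Intel's code).

Models the post-patch behaviour described under CR003279 (no HTTP header,
or data before it, is an error), CR003317 (empty active list gives
"503 - No Servers Available") and CR003907 (a 401 challenge is a
legitimate response).  The 503 bytes, the 5xx rule and the server-record
fields are assumptions.
"""
import re

# HTTP/1.x status line: HTTP-Version SP 3-digit code SP reason CRLF
STATUS_LINE = re.compile(rb"HTTP/\d\.\d (\d{3})[^\r\n]*\r?\n")

# Assumed wire form of the "503 - No Servers Available" message.
NO_SERVERS_503 = (
    b"HTTP/1.0 503 Service Unavailable\r\n"
    b"Content-Type: text/plain\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"503 - No Servers Available\r\n"
)


def select_server(servers):
    """CR003317: only enabled, live servers are eligible; None when the active list is empty."""
    active = [s for s in servers if s["enabled"] and s["alive"]]
    return active[0] if active else None


def classify_response(raw, error_detection=True):
    """Return ("forward", reason) or ("error", reason) for the raw bytes a backend sent."""
    if not error_detection:
        # Detection off (and pre-patch behaviour): whatever the server sent goes to the client.
        return ("forward", "error detection disabled")
    m = STATUS_LINE.match(raw)
    if m is None:
        # CR003279: a header that is absent, malformed, or not at the very start is an error.
        if raw.find(b"HTTP/") > 0:
            return ("error", "data precedes HTTP header")
        return ("error", "missing or malformed status line")
    code = int(m.group(1))
    if code == 401:
        # CR003907: the browser needs the 401 and its WWW-Authenticate header to prompt.
        return ("forward", "401 authentication challenge")
    if code >= 500:
        # Assumption: server-side failures are what HTTP error detection exists to catch.
        return ("error", "server returned %d" % code)
    return ("forward", "status %d" % code)


def broker_reply(servers, backend_response, error_detection=True):
    """Bytes the client receives for one request, given the server list and the backend's reply."""
    if select_server(servers) is None:
        return NO_SERVERS_503
    action, _ = classify_response(backend_response, error_detection)
    return backend_response if action == "forward" else NO_SERVERS_503


# Constructed sample inputs: one dead server, one disabled server, and two backend replies.
SERVERS = [{"name": "web1", "enabled": True, "alive": False},
           {"name": "web2", "enabled": False, "alive": True}]
CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
             b'WWW-Authenticate: Basic realm="intranet"\r\n'
             b"Content-Length: 0\r\n\r\n")
BANNER_THEN_HEADER = (b"debug: pool warm\r\n"
                      b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    print(classify_response(CHALLENGE))
    print(classify_response(BANNER_THEN_HEADER))
    print(broker_reply(SERVERS, CHALLENGE)[:40])
```

The point of the CR003279 rule is that a proxy which forwards leading garbage as-is lets a misbehaving or compromised backend control what the client parses as the response header; requiring the status line at byte 0 keeps that control with the broker.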