ALTERPATH
ACS FAMILY RELEASES
This document outlines the new features and bug fixes for the AlterPath ACS/CS family of products (including BETA releases, which are designated with a letter after the version number).
V_2.6.0-1 Nov/07/05 : (official release; upgrade from V_2.6.0)
a) Bug fixes
- The Web interface (AcsWeb program) was not running after upgrading to version 2.6.0. The webui.conf file was changed. Please verify the new configuration in the /etc/daemon.d directory.
V_2.6.0 Oct/31/2005 : (official release; upgrade from V_2.3.1)
a) New features
- Upgrade of the Linux kernel to version 2.6.11, which includes improvements in many different areas, including scalability, device support, and performance.
- Compact Flash: the Cyclades Virtual Flash File System was implemented; it is mounted on the "/mnt/flash" directory at boot time. These are the files: boot_ori, boot_alt, boot_conf (old config), zImage and config.tgz (old scripts).
- Modules: the modules configuration file was changed from "/etc/modules.conf" to "/etc/modprobe.conf".
- IPSec: the 2.6 kernel uses Openswan 2.3.0 in place of FreeS/WAN (see Change Log for upgrade notes).
  - It supports NAT-Traversal, which allows IPSec to be used behind any NAT device by encapsulating ESP in UDP.
  - The client needs to include the following line in the /etc/ipsec.conf file: "nat_traversal=yes"
- LAN Bonding (Active Backup only)
  - achieves redundancy on the Ethernet devices;
  - the standard Ethernet interface and one PCMCIA card act as one unique interface, answering for the same IP address, with the same MAC address;
  - no manual intervention is required when the primary connection is lost or recovered;
  - the failover is transparent and all connection sessions continue working with no interruption.
- Authentication Enhancement:
  - the admin can choose different authentication types for accessing the box and for accessing the ports. The configuration can be done through the web interface or the CLI.
  - each authentication server configuration is stored in its own configuration file:
    - RADIUS: /etc/raddb/server
    - TACACS+: /etc/tacplus.conf
    - Kerberos: /etc/krb5.conf
    - LDAP: /etc/ldap.conf
    - NIS: /etc/yp.conf
  - the PAM configuration file was divided into several files, one file per service. Each configuration file has the same name as the service it provides information for. They are saved under /etc/pam.d/.
  - see Change Log for upgrade notes
- Group Authorization Enhancement: it retrieves "group" information from the authentication servers (TACACS+, RADIUS and LDAP) in order to perform a kind of "network-based" authorization.
- TIMEZONE: the ACS image includes the official timezones. The administrator must run the set_timezone script, which shows a sequential menu, or configure it through the WebUI or CLI. The menu shows basic options or regions, and the user can browse the options to choose one. (see Change Log for upgrade notes)
- Power Management Enhancements:
  - the admin can control the state of one group (multi-outlet device) as well as control the state of individual outlets in that group. This results in a nicer way to control and monitor the state of the outlets of such devices.
  - in the Web interface, it was implemented in a new page called "Multi-Outlet Control" under IPDU Power Mgmt.
  - in the command line interface, when the pm command is called without parameters, it shows the following menu (when a number is used as argument it behaves as it always has):
    - Exit
    - Individual ipdus
    - Multi-outlet devices
    - Info
- IPMI Enhancements:
  - removed the "ipmiutils".
  - the management of IPMI devices is done using ipmitool 1.6.0.
  - a new page was implemented in the Web interface, "IPMI Power Mgmt" in the Applications Menu.
  - the device configuration was implemented in the CLI command.
- Web Interface - new or changed pages
  - Ports Menu
    - Ports Statistics - table whose columns represent the following fields: serial port number, serial port alias, baud rate, tx bytes (bytes sent), rx bytes (bytes received), frame (error), parity (error), overrun (error).
    - Access Tab (Physical Ports) - the configuration of the server authentication was removed.
  - Applications Menu
    - IPDU Multi-Outlet Ctrl - manage groups of outlets (multi-outlet devices).
    - IPMI Power Mgmt. - add IPMI devices and manage them.
    - Connect - the pop-up window has 3,000 lines of scroll-back and Copy/Paste functionality.
  - Network Menu
    - Syslog - allows the admin to configure filters by level.
    - PCMCIA Management in Configure Pop-up - added CDMA as a card type.
  - Security Menu
    - Authentication - allows the admin to configure the authentication method for access to the box and the authentication servers.
  - Help Buttons are removed temporarily.
- CLI - new commands
  - when configuring PCMCIA cards, the user can insert (load) or eject (unload) the cards using these commands:
    - cli>config network pcmcia #card insert
    - cli>config network pcmcia #card eject
- PortSlave - new protocols
  - Console (telnetSSH) - allows the client to access the serial port using a Telnet or SSH connection, i.e., it accepts any Telnet or SSH connection to access the serial port.
  - Bidirectional Telnet (dynamic mode) - support for "socket_server" and "login" mode. When the Enter key is typed on the terminal connected to the serial port, the ACS presents the login banner and prompt to the user at the terminal. When idle, the ACS accepts Console (telnet).
  - generic_dial - the Generic Dial Framework will control this port.
- Upgrade of OpenSSL to 0.9.8
  - this product is not affected by the vulnerability "SSL 2.0 Rollback (CAN-2005-2969)".
- Upgrade of OpenSSH to 4.1p1
  - X.509: support for X.509 certificates.
  - the SSHD keys are generated on the first boot of this version (SSHD will be able to accept connections only after the generation of the keys).
  - if you use PuTTY, you need to upgrade it to version 0.58 (PuTTY had a bug that was fixed in that version).
- Upgrade of OpenLDAP to 2.2.26 (see Change Log for upgrade notes)
- Upgrade of the PAM_LDAP module to 1.7.8 - fixes a potential security vulnerability:
  - failure to re-start TLS when following referred connections. This can result in credentials being sent in clear text when pam_ldap attempts to rebind.
- Upgrade of MGETTY to 1.1.33
- Upgrade of NET-SNMP to 5.2.1.2 - this version eliminates a potential security vulnerability:
  - fixed a denial of service vulnerability when stream sockets have been configured for use (e.g., TCP but not UDP).
- Upgrade of WIRELESS-TOOLS to 27
- Upgrade of ZLIB to 1.2.3 - version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2 (CAN-2005-1849):
  - eliminates a potential security vulnerability when decoding invalid compressed data
  - eliminates a potential security vulnerability when decoding specially crafted compressed data
- Upgrade of MODULE-INIT-TOOLS to 3.1-pre6
- Kerberos - applied patch that fixes a potential security vulnerability (CAN-2005-1689, VU#623332)
- Upgrade of BUSYBOX to 1.00
  - contains the login utilities (the tinylogin package was removed)
- Included support for the following PCMCIA cards:
  - Xircom XE2000 10/100 Network PC Card Adaptor
  - Option Wireless GlobeTrotter Universal Tri-band GPRS/GSM PC-Radio Card
  - Growell iCARD800 CDMA 1xRTT GW-1031C
b) Bug fixes
- ts_menu utility:
  - the ACL was not handled correctly (bug #3345)
  - the "-ro" option did not work in a Clustering environment (bug #3399)
  - the "-s" option did not work in a Clustering environment (bug #3477)
  - the CTRL-Z key was not sent through the serial port when the "-auth" option was not used (bug #4246)
- SNMP:
  - there were two config files for snmp on the box, /etc/snmpd.conf and /etc/snmp/snmpd.conf. Both have the same name but different functions (bug #1216)
  - some OIDs regarding the eth0 interface were wrong (speed and operational status) (bug #2902)
  - the cySPortRemoteIP value was wrong (bug #2930)
- WebUI:
  - crash when LDAP is used for authentication (bug #2725 and bug #4815)
  - the "Add User" page allowed the admin to enter special characters in the shell field (bug #2992)
  - when configuring one syslog server, one filter was included in the Syslog configuration (bug #3186)
  - the firewall configuration was not saved when the client saved or loaded the configuration using the backup configuration page (bug #3224)
  - crash when Clustering is configured and the "Connect" page is accessed (bug #3263)
  - did not work when adding new users in some situations.
  - the "Privileged Users" field under Multi User (Physical Port) did not accept spaces (bug #3980)
  - a customer's LDAP Base Domain Name of 60 characters on the server (bug #4466)
  - the unsaved-changes light turned red even though no changes were made in the Physical Ports pages (bug #4090)
  - firmware upgrade via the WebUI could fail depending on the FTP server you use (bug #4728)
- WebUI - Java Applet:
  - it had an expired certificate (bug #2981)
  - access to a clustering port worked fine for CAS(telnet) but not for CAS(SSH) (bug #3330)
  - a message is shown when the web session has timed out and the client clicks on Connect (bug #3989)
  - the TAB key was not being sent to the device when the JRE version is 1.5.0 (bug #4334)
- the PMD daemon no longer looks for the value assigned to the pmNumOfOutlets parameter (bug #2758)
- pmCommand would not report the status of buzzer and current protection (bug #3926)
- the 2nd dial-out PPP session did not work (bug #2957)
- syslog messages were shown after the dial-in hangup (bug #2988)
- CAS(telnet):
  - sending RFC-2217 Notify Modem State (bug #2989)
  - did not relay DCD changes per RFC-2217 (bug #2986)
  - when any sniff session was open, the ACS did not relay DCD changes (bug #3002)
- many CAS sessions died during a weekend stress test (under constant data flow) (bug #3012)
- route command segmentation fault (bug #3095)
- TACACS+ authentication fallback to the second server (bug #3113)
- the WIZ command accepted only 1 DNS server (bug #3226)
- nsupdate generated error messages (bug #3499)
- assigning multiple power ports no longer worked (bug #3558)
- invalid users were included in the /etc/passwd file; the problem should happen only in the *Local / *DownLocal authtype schemes (bug #3564)
- when using the telnet client of Windows 2003 Server to access the port where the IPDU is connected, the session did not work (bug #3826)
- the bootconf utility allowed you to select the Bootp option but, when saving the config at the end, bootconf changed the bootp option to TFTP (bug #4016)
- CLI: the SNMP configuration was wrong. Increased the maximum length of the community name (bug #4190)
- CAS (SSH) did not work when the sttyCmd parameter was configured as "raw -echo -echoe -echok -iexten -echoctl -echoke" in pslave.conf (bug #4351)
- the ACS held data for 10-15 seconds while a device attached to a serial port, configured at 300, 8, N, 1 with no flow control, was supposed to send data every 1 second; the protocol was raw_data and half duplex (rs232_half) (bug #4403)
- "ssh root access" is enabled in the "Open" and "Moderate" profiles. It should be disabled in the "Secure" profile (bug #4448)
- the ACS1's serial RS232 port only worked at 9600 bps in TS profile (bug #4470)
- the ipppd option "deldefaultroute" did not work (bug #4245)
- [ISDN callback] ipppd was brought up with wrong parameters for CALLBACK (bug #3800)
- instead of MD5, old DES-hashed passwords were used to save passwords in the shadow file (bug #4750)
- with one serial port configured as CAS telnet (socket_server) and using data buffering, there was a delay showing data from the serial port (bug #4493)
- possible memory leak in the shared memory when using the factory configuration (bug #5004)
- the command "ts_menu -s" did not show all the virtual ports configured (bug #4498)
c) Known Bugs
- The "admin" username cannot be added or deleted using the WebUI or the CLI. The following command can be used to add one "admin" user:
  - # adduser -g admin admin <enter>
- Using the WebUI to edit one slave of the Virtual Ports, if the IP address is changed, the slave will be deleted (bug #5005).
d) Change Log
- a new directory was created: /etc/daemon.d. This directory contains all files that are used by the daemon.sh utility. The upgrade of the old version is done by the upgrade260.sh program, which runs on the first boot with the 2.6.0 version. Verify your configuration after the first boot.
- the /etc/config_files file was changed:
  - some files were included (/etc/shadow, ...)
  - some files were removed (/etc/TIMEZONE, /etc/getty_ttyS0, ...)
  - include your changes in /etc/config_files.save, copy it to /etc/config_files and save to CF.
- Upgrade of the Linux kernel to 2.6.11:
  - the Compact Flash directory was changed from "/proc/flash" to "/mnt/flash"
  - the name of the configuration file in Compact Flash was changed from "scripts" to "config.tgz"
  - the shell script "defconf" does the reset to factory configuration.
- the modules configuration file was changed from "/etc/modules.conf" to "/etc/modprobe.conf": include your changes in the new file and add the new file to /etc/config_files.
- the /etc/ipsec.conf file was changed:
  - copy the /etc/ipsec.conf.save file to /etc/ipsec.conf and include your changes, or
  - edit your /etc/ipsec.conf file:
    - include the following line: "version 2"
    - comment out the plutoload and plutostart lines
- Upgrade of PAM-LDAP - change to the OpenLDAP SSL configuration:
  - in the /etc/ldap.conf file, at least one of the following parameters is required if tls_checkpeer is "yes":
    - tls_cacertfile
    - tls_cacertdir
- TIMEZONE:
  - this feature now uses the /etc/localtime file.
  - the old /etc/TIMEZONE file is erased if you configure this new feature.
  - the image comes with no /etc/localtime file, but it will be created and will replace the TIMEZONE file if you use any of the ways of configuring the timezone.
- Authentication Enhancement:
  - the /etc/pam.conf file was removed and the /etc/pam.d directory was created
  - the RADIUS and TACACS+ servers need to be reconfigured through the WebUI or CLI (the configuration of these servers in the PortSlave configuration was removed).
- the /bin/build_DB_ramdisk shell script was changed to use the ramdisk type "tmpfs" instead of "ramfs", which has a problem with maxsize.
- the certificates that are used by SSHD and HTTPS are generated during the first boot.
- the name of the PCMCIA modem devices was changed from "/dev/ttySxx" to "/dev/ttyMy". Two dedicated device files (ttyM1 and ttyM2) have been created for the PCMCIA modem devices.
  - if the PCMCIA modem card has already been configured, the user should rename the existing file /etc/ppp/options.ttySxx to /etc/ppp/options.ttyM1
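The config_files, ipsec.conf and ldap.conf steps in this change log can be scripted so that they are repeatable and can be tried on a copy before the result is saved to flash with saveconf. The following is an added example written for these notes; it is not part of the ACS firmware or of upgrade260.sh. It assumes the layouts the notes describe (one path per line in config_files, an Openswan-style ipsec.conf with a "config setup" section, pam_ldap keywords in ldap.conf) and takes file paths as arguments.

```shell
#!/bin/sh
# Added example for the 2.6.0 upgrade notes; not part of the ACS firmware
# or of upgrade260.sh. Every function takes file paths as arguments so it
# can be tried on copies first, then on /etc before running saveconf.

# Union of the shipped /etc/config_files.save and the /etc/config_files
# restored from flash, one path per line, without duplicates. Nothing that
# was being saved to CF before the upgrade is silently dropped, and the new
# entries (/etc/shadow, ...) are picked up.
merge_config_files() {
    shipped=$1 saved=$2 out=$3
    cat "$shipped" "$saved" | sed 's/[[:space:]]*$//' | grep -v '^$' | sort -u > "$out"
}

# Openswan 2.3 wants a "version 2" statement before the first section and
# no longer accepts the FreeS/WAN plutoload/plutostart keywords. The function
# also adds nat_traversal=yes to "config setup" (ESP in UDP, for clients
# behind NAT) when no such line exists; if the file has no "config setup"
# section the line is not added. Running it twice changes nothing the second time.
migrate_ipsec_conf() {
    conf=$1
    tmp=$conf.tmp
    sed -e 's/^\([[:space:]]*\)plutoload=/\1# plutoload=/' \
        -e 's/^\([[:space:]]*\)plutostart=/\1# plutostart=/' "$conf" > "$tmp"
    if ! grep -q '^[[:space:]]*version[[:space:]]' "$tmp"; then
        printf 'version 2\n\n' | cat - "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
    fi
    if ! grep -q '^[[:space:]]*nat_traversal=' "$tmp"; then
        awk '{ print } /^config[[:space:]]+setup/ { print "\tnat_traversal=yes" }' \
            "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
    fi
    mv "$tmp" "$conf"
}

# pam_ldap 1.7.8 with OpenLDAP 2.2: when tls_checkpeer is yes, ldap.conf
# must name the CA through tls_cacertfile or tls_cacertdir. Returns 0 when
# the file is consistent, 1 when tls_checkpeer is yes but no CA location is
# given. If tls_checkpeer appears more than once, the last occurrence is used here.
check_ldap_tls() {
    conf=$1
    checkpeer=$(awk 'tolower($1) == "tls_checkpeer" { v = tolower($2) } END { print v }' "$conf")
    [ "$checkpeer" = "yes" ] || return 0
    awk 'tolower($1) == "tls_cacertfile" || tolower($1) == "tls_cacertdir" { found = 1 }
         END { exit !found }' "$conf"
}
```

Typical use on the box after the first 2.6.0 boot: merge_config_files /etc/config_files.save /etc/config_files /etc/config_files.new, review the result, move it into place, run migrate_ipsec_conf on a copy of /etc/ipsec.conf and diff it against the original before replacing it, check_ldap_tls /etc/ldap.conf, then saveconf.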
e) Warning
- In case the ACS is being managed by AlterPath Manager, the APM version needs to be at least 1.3.1 to be able to upload ACS firmware 2.6.0.
- the PM firmware 1.7.0 has some features that are not supported by this ACS version.
V_2.3.1 Jul/14/2005 : (official release; upgrade from V_2.3.0-2)
a) New features
- LAN Bonding (Active Backup only)
  - achieves redundancy on the Ethernet devices;
  - the standard Ethernet interface and one PCMCIA card act as one unique interface, answering for the same IP address, with the same MAC address;
  - no manual intervention is required when the primary connection is lost or recovered;
  - the failover is transparent and all connection sessions continue working with no interruption.
- Security Enhancements
  - more control over the services that are active at any time;
  - Pre-Defined Security Profiles;
  - all serial ports are disabled by default from the factory;
  - the Web Manager login page is redesigned to a plain vanilla screen with generic username and password fields;
  - a Security Advisory message alerts the root user of the security impacts.
- Additional PCMCIA card support
  - Xircom XE2000 10/100 Network PC Card Adaptor;
  - Orinoco 11b Client PC Gold Card - 8410-WD.
- Shadow Password
  - enhances the security of the system authentication files;
  - translation from /etc/passwd to /etc/shadow is automatic in case a previous configuration is detected.
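The Shadow Password feature above and bug #4750 in the 2.6.0 notes both turn on how passwords are stored: a 13-character DES hash in /etc/shadow is far weaker than an MD5 ("$1$") hash. The following added example (not part of the ACS firmware) classifies each shadow entry by hash type so an admin can check, after the automatic passwd-to-shadow translation or after an upgrade, whether any DES or empty hashes remain. It assumes the standard shadow(5) field layout and the hash prefixes named here, and takes the shadow file path as an argument so it can be run on a saved copy.

```shell
#!/bin/sh
# Added example; not part of the ACS firmware. Reads a shadow(5) file given
# as the first argument and prints "user type" per entry, where type is
# md5 ($1$ prefix), des (13-char traditional crypt), locked (* or ! or x),
# empty (no password at all) or other. Returns 1 if any des or empty hash
# is present, 0 otherwise, so it can be used as a post-upgrade check.
shadow_hash_types() {
    awk -F: '
        NF >= 2 {
            h = $2; t = "other"
            if (h == "")                                          t = "empty"
            else if (h ~ /^[!*]/ || h == "x")                     t = "locked"
            else if (h ~ /^\$1\$/)                                t = "md5"
            else if (length(h) == 13 && h ~ /^[A-Za-z0-9.\/]+$/)  t = "des"
            print $1, t
            if (t == "des" || t == "empty") weak = 1
        }
        END { exit weak ? 1 : 0 }
    ' "$1"
}

# Number of entries of a given type (md5, des, locked, empty, other).
count_hash_type() {
    shadow_hash_types "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}
```

Any user reported as des should have the password reset (so it is re-hashed with MD5) and the file saved to flash with saveconf; an empty entry is a login with no password at all, which the 2.2.0 notes treat as a bug in its own right.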
b) Bug fixes
- the XML Monitor feature was not working with syslog-ng (bug #3515).
- OpenSSH supports the deprecated 'gssapi' authentication mechanism (bug #3545). The use of 'gssapi' is deprecated due to the presence of potential man-in-the-middle attacks. It should be noted that this is being made available purely as a means of easing the process of moving to the new mechanism. Any new installations are recommended to use the 'gssapi-with-mic' mechanism. The deprecated 'gssapi' mechanism may be obtained by supplying the 'GssapiEnableMitmAttack yes' option to either the client or the server. Steps to use the deprecated 'gssapi':
  - edit the /etc/ssh/sshd_config file: include the line "GssapiEnableMitmAttack yes"
  - save the configuration in flash: # saveconf <enter>
  - restart the SSHD daemon: # daemon.sh restart SSH <enter>
- ipno kept getting changed (bug #3444). The problem appeared when the all.ipno value was set in the shared memory.
- Kernel Oops after snmpwalk via a PPP connection (bug #3610).
- Perl script for telnet failed to connect (bug #3713). The password was being lost in some cases.
- 1200 and 300 bps baud rates are supported via the CLI but were erased when the customer edited the port through the web interface (bug #3759).
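sshd uses the first occurrence of a keyword in sshd_config and ignores later ones, so a line appended at the end of the file, as in the gssapi steps above, only takes effect if the keyword does not already appear earlier, and a line that was added to ease migration is easy to forget. The following added example (not part of the ACS firmware) reads an sshd_config with those semantics and flags GssapiEnableMitmAttack yes, so an admin can confirm whether the deprecated 'gssapi' workaround is still in place once clients have moved to 'gssapi-with-mic'. The file path is an argument so it can be run on /etc/ssh/sshd_config or on a copy.

```shell
#!/bin/sh
# Added example; not part of the ACS firmware. Reads an sshd_config given as
# the first argument (for example /etc/ssh/sshd_config, or a copy of it).

# Effective value of a keyword: sshd takes the FIRST occurrence of a keyword
# and ignores later ones, keyword matching is case-insensitive, and comments
# and blank lines do not count. Prints the value, or nothing if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !done && tolower($1) == key { print $2; done = 1 }
    ' "$1"
}

# Returns 0 when the effective value of a keyword equals the expected value
# (case-insensitive), 1 otherwise. Usable for the settings these notes
# mention, e.g. "sshd_expect /etc/ssh/sshd_config UsePAM yes".
sshd_expect() {
    have=$(sshd_effective "$1" "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$have" = "$want" ]
}

# The check for the deprecated mechanism: returns 0 when GssapiEnableMitmAttack
# is absent or "no", 1 with a warning on stderr when it is in effect.
audit_gssapi_mitm() {
    if sshd_expect "$1" GssapiEnableMitmAttack yes; then
        echo "WARNING: $1 enables deprecated 'gssapi' (GssapiEnableMitmAttack yes);" \
             "move clients to gssapi-with-mic and remove the line" >&2
        return 1
    fi
    return 0
}
```

After removing the line, the same three steps as above apply in reverse order of effect: saveconf so the change survives a reboot, then daemon.sh restart SSH so the running sshd picks it up.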
c) Known Bugs
- The ACS will crash when the 'gateway' parameter is changed directly in /etc/network/interfaces (not via the Web) and reloaded using a 'cardctl eject / insert' sequence. The problem does not happen if /etc/network/interfaces is changed after 'cardctl eject' and before 'cardctl insert'.
- Using the Web UI to connect to the ACS via 'Expert Mode -> Applications -> Connect' does not issue a message to the user when root access via ssh is not allowed. (Clicking on the [Custom] button in the Security Profile page makes it possible to enable/disable "root access via ssh".)
d) Change Log
- The files "cert.pem" and "server.pem" were moved to "/etc/CA". So, in case the old "/new_web/Locale/cert.pem" or "/new_web/Locale/server.pem" were added to "/etc/config_files", the files themselves (cert.pem and server.pem) must be copied to the new location (/etc/CA) and config_files must be corrected to remove the old references and include the new ones (/etc/CA/cert.pem and /etc/CA/server.pem).
- The driver xirc2ps_cs is configured to make the PCMCIA card Xircom XE2000 10/100 Network PC Card Adaptor work at 100Mbps. This configuration was made in the /etc/modules.conf file by the following line: options xirc2ps_cs if_port=4
- '/etc/bonding.opts' was created to hold the bonding configuration.
- '/etc/shadow' was added to /etc/config_files
- '/etc/security.opts' is dynamically created (and put in /etc/config_files) to keep some security parameters not covered in other configuration files.
e) Warning
- In case the ACS is being managed by AlterPath Manager, the APM version needs to be at least 1.3.0-2 to be able to upload ACS firmware 2.3.1.
V_2.3.0-2 Mar/09/05 : (official release; upgrade from V_2.3.0-1)
a) Bug fixes
- Crash of the Web User Interface when there are virtual ports configured and the user clicks on the Applications option.
- Web User Interface - connect to the virtual ports using the SSH protocol.
- ts_menu: with an ssh session to the box and ts_menu used to access the serial port over SSH, if the user did not enter the password it was blocking other ssh sessions to the box or to the serial port.
- ts_menu: group authorization was not checked.
- ts_menu: 10 sec to establish one session to the serial port (authentication type NONE).
- ts_menu: did not establish a session to the serial port when the protocol is RAW.
c) Known Bugs
- ts_menu can ask for the password to access the serial port when the access to the box was done using ssh.
- ts_menu: the read-only option is not working to access Virtual Ports (clustering).
V_2.3.0-1 Dec/16/04 : (official release; upgrade from V_2.3.0)
a) Bug fixes
- CAS session: the ACS did not send the RFC 2217 notify modem state.
V_2.3.0 Dec/13/04 : (official release; upgrade from V_2.2.0-3)
a) New features
- CLI redesign
- ts_menu redesign
- new syslog messages to allow the admin to monitor the ACS
- Upgrade of OpenSSH to 3.8.1p1.
  - This version uses the authentication method "gssapi-with-mic" to accept Kerberos TGTs, whereas the old version used "gssapi". The kerberized ssh client needs to support the "gssapi-with-mic" method.
  - OpenSSH requires a local user "sshd" in order to perform the authentication. If NIS authentication is used, please insert the sshd user and sshd group in the NIS database and configure the parameter UseLogin as yes in the sshd_config file.
    - Example of the line in passwd: "sshd:*:xxx:yyy:sshd privsep:/var/empty:/bin/false"
    - Example of the line in group: "sshd::yyy:"
- Upgrade of Zlib to 1.2.1
- Upgrade of Kerberos to 1.3.5
- Upgrade of OpenLDAP to 2.2.15
- Save and Load configuration to/from the PCMCIA Compact Flash or IDE
- Billing Wizard
- Enhancement for the integration with Cyclades IPDU - Cyclades PM family
  - allow the user to access the pmCommand utility through an ssh or telnet session to the serial port when the PM is connected.
  - allow regular users to access the PM utilities (pm and pmCommand).
  - a user that is a member of the "admin" group is an admin user for the pm and pmCommand utilities.
  - new syslog messages
  - the number of outlets of the PM is detected, so the configuration of this parameter was removed.
- Enhancement for the Web Interface
  - allow the user to connect to the box through Applications->Connect
  - allow regular users to change their password
  - new page with Physical Ports Status
  - the previous port-specific parameters will not be discarded when the "Modify all ports" option is selected; only the modified parameters will be copied to all ports.
  - included the parameter "DCD state" in Physical Ports -> General.
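The sshd privilege-separation entries shown in the OpenSSH 3.8.1p1 item above have to exist in the local passwd and group files (or be reproduced in NIS) before sshd will authenticate anyone. The following added example (not part of the ACS firmware) adds them idempotently, choosing the first free uid/gid at or above 100 in place of the xxx/yyy placeholders; the 100 floor and the file paths as arguments are assumptions made for the example. /var/empty must also exist, owned by root and not writable by others, which the example does not create.

```shell
#!/bin/sh
# Added example; not part of the ACS firmware. Adds the sshd privilege-
# separation user and group described in the notes to the passwd and group
# files given as arguments, if they are not already there. The uid/gid are
# the first free ids at or above 100 (an assumption made for this example,
# in place of the xxx/yyy placeholders), and a second run changes nothing.

# First numeric id >= $2 that is not used in field 3 of the file $1
# (uid in passwd, gid in group).
next_free_id() {
    awk -F: -v min="$2" '
        $3 ~ /^[0-9]+$/ { used[$3] = 1 }
        END { id = min; while (id in used) id++; print id }
    ' "$1"
}

# ensure_sshd_privsep PASSWD_FILE GROUP_FILE
ensure_sshd_privsep() {
    passwd=$1 group=$2
    if ! grep -q '^sshd:' "$group"; then
        gid=$(next_free_id "$group" 100)
        printf 'sshd::%s:\n' "$gid" >> "$group"
    fi
    # reuse the gid of the existing (or just created) group so both files agree
    gid=$(awk -F: '$1 == "sshd" { print $3; exit }' "$group")
    if ! grep -q '^sshd:' "$passwd"; then
        uid=$(next_free_id "$passwd" 100)
        printf 'sshd:*:%s:%s:sshd privsep:/var/empty:/bin/false\n' "$uid" "$gid" >> "$passwd"
    fi
}
```

On the box this would be run as ensure_sshd_privsep /etc/passwd /etc/group followed by saveconf; the "*" in the password field keeps the account unusable for interactive login, which is what privilege separation expects.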
b) Bug fixes
- TACACS+ authentication works when a user tries to connect to the ACS box with ssh version 2.
- Some problems in the Web Interface
- an ssh client using the option -T (disable pseudo-tty allocation) and accessing the serial port would have the session closed by the ACS.
c) Known Bugs
- TACACS+ authentication does not work when a user tries to connect to the ACS box with ssh version 1.
- Web Interface - user management allows the admin to manage 200 users in the local database
- Sometimes the "hama" Compact Flash card (64Mb) is not detected at boot time on the ACS-16/32/48.
d) Change Log
- The file /etc/snmpd.conf was renamed to /etc/snmpd.sh. If you had modified /etc/snmpd.conf, apply the same changes to /etc/snmpd.sh.
- The file /etc/config_files was changed; some files were included. If you had run "saveconf" with release 2.2.0, your /etc/config_files is loaded from the flash and you will not have the latest list. Please edit /etc/config_files, rename the file /etc/snmpd.conf to /etc/snmpd.sh and run "saveconf".
- The pmusers group has been removed. The file /etc/rc.sysinit was changed. If there is one saved in flash it must be replaced/merged with /etc/rc.sysinit.save. The file /etc/group was changed. If the file was not changed, just replace it with the file /etc/group.save.
- This version does not have support for Sentry's IPDU nor RPC's IPDU. The files /etc/pm.sentry and /etc/pm.rpc22 were deleted. The file /etc/pmd.sh was changed. If there is one saved in flash it must be edited: old line - ConfigFiles="/etc/pm.cyclades /etc/pm.rpc22 /etc/pm.sentry"; new line - ConfigFiles="/etc/pm.cyclades".
V_2.2.0-3 Aug/13/04 : (official release; upgrade from V_2.2.0-1)
a) Bug fixes
- Memory leak in the WebUI
- TCP socket error not properly handled by the WebUI
- WebUI logs out when the Enter key is accidentally hit while entering some info for the group name
- users configured in a group via the WebUI were not being displayed after a log out
V_2.2.0-1 Jun/11/04 : (official release; upgrade from V_2.2.0)
a) Bug fixes
- Invalid error code returned by scp/ssh
V_2.2.0 May/28/04 : (official release; upgrade from V_2.1.6)
a) New features
- WEB redesign
  - Physical Ports - the previous port-specific parameters will be discarded when the admin clicks on "Modify All Ports" in expert mode or when the admin clicks on "Port Profile" or "Data Buffering" in the wizard menu.
  - WEB session inactivity timeout implemented
- Upgrade of OpenSSL to 0.9.7d
- Kerberos ticket support (SSH to box and to serial ports; Telnet and rlogin to box)
- PM in daisy chain FW upgrade support (should be used along with PM 1.2.2 and later)
- New integration of Power Management and Console Management.
  I) CAS access using pmkey:
    - if pmusers of the port is configured as "all", the ACS allows the user to access the outlets of the server.
    - the user access verification is done by "pmd", so CAS(telnet/ssh) shows the PM menu and the check is done only when the user types a command.
  II) regular users that are members of the "pmusers" group can manage only the outlets that they have permission to access.
    - the adduser command has the option "-G <group name>" that allows the admin to configure the list of supplementary groups of which the user is also a member.
b) Bug fixes
- Kernel with all security patches to bring it to the level of 2.4.25
- A user could access the ACS/TS with an empty password through ssh/telnet
- When using ssh and idle timeout, the session was closed by the idle timeout even if the user was using it.
- sshd did not work with public key auth when the key was stored in the user's home directory and the user connected by ssh to a port
c) Change Log
- openssh will look in the home directory by default if a public key is used
- The startPmFwUpgrade and pmFWUpgrade programs were removed. The new program for PM firmware upgrade is pmfwupgrade.
- Power Management: regular users that are members of the "pmusers" group can manage only the outlets that they have permission to access (adduser accepts -G as parameter).
- List of vulnerabilities fixed:
  # CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets
  # CAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel
  # CAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain
  # CAN-2003-0247: A vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops")
  # CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions
  # CAN-2003-0018: Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.
  # CAN-2002-0499: The d_path function in Linux kernel 2.2.20 and earlier, and 2.4.18 and earlier, truncates long pathnames without generating an error, which could allow local users to force programs to perform inappropriate operations on the wrong directories.
  # CAN-2003-0619: Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call.
  # CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.
  # CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.
  # CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.
  # CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.
  # CAN-2004-0077: The do_mremap function for the mremap in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
  # CAN-2003-0985: The mremap system call (do_mremap) in Linux kernel 2.4 and 2.6 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
V_2.1.6 Feb/09/04 : (official release; upgrade from V_2.1.5.1)
a) New features
- IPMI over LAN support
- menush support through WEB
- LPD support
- Data Buffer logging (connection/disconnection time stamp)
- PM field upgrade (no chain) support
- SNMP Proxy to access the PM
- Billing allowed in all ports and platforms
- Sniff session notification
- Upgrade of OpenSSH (from 3.6.1p2 to 3.7.1p2)
b) Bug fixes
c) Known Bugs
d) Change Log
- patch in the mremap.c file
- The file /etc/TIMEZONE was changed. If there is one saved in flash it must be replaced/merged with /etc/TIMEZONE.save
- The sshd program was upgraded to version 3.7.1p2 and it needs a new configuration file. If the file /etc/ssh/sshd_config was not changed, just replace it with the file /etc/ssh/sshd_config.save. Otherwise the user should merge these files. This OpenSSH version uses the following authentication methods when the parameter UsePAM is configured as "yes":
  - TIS or CryptoCard authentication in SSH-1
  - "keyboard-interactive" authentication in SSH-2.
  Please pay attention to the ssh client configuration so that it accepts these authentication methods.
- The file /etc/rc.sysinit was changed. If there is one saved in flash it must be replaced/merged with /etc/rc.sysinit.save.
- The file /etc/group was changed: the groups "pam" and "pmusers" were included. If the file was not changed, just replace it with the file /etc/group.save. Otherwise the user needs to run the following commands:
  # addgroup pam <enter>
  # addgroup pmusers <enter>
  # chgrp pmusers /bin/pm <enter>
V_2.1.5.1 Dec/09/03 : (official release; upgrade from V_2.1.5)
a) New features
b) Bug fixes
- A critical security bug was discovered in the Linux kernel within the do_brk() function that may lead to full compromise of the vulnerable system. Successful exploitation of do_brk() leads to full compromise of the vulnerable system, including gaining full uid 0 privileges (CAN-2003-0961).
c) Change Log
V_2.1.5 Oct/15/03 : (official release; upgrade from V_2.1.4.1)
a) New features
- AlterPath BIO support
- Compact flash and IDE PCMCIA cards support
- Support for the WLAN Linksys WPC11
b) Bug fixes
- rfc2217 commands were not being properly handled by the socket when no data buffering or sniffing was enabled
- Crosstalk in bad console cables would halt a normal boot
- The command "updatefiles" was failing when the files under /tmp/upd/<pathname> had subdirectories
- When a user logged into the ACS using SecureCRT, telnet, or SSH and disconnected after the login prompt, they would get the following error: "pam_authenticate : Error in service module". The message was caused by /etc/motd, which was removed.
- crontab -e was not working
- "Password" in the pm utility was not working correctly
- ts_menu with a different Escape char was not working
- ports did not release when connecting to the LDAP server
c) Change Log
- /etc/motd removed from the ACS
- Existing feature (syslog): the configuration file (/etc/syslog-ng.conf) was changed. The f_kernel and f_alerts in /etc/syslog-ng/syslog-ng.conf were changed.
- Comments for the parameter all.sttyCmd in /etc/portslave/pslave.conf might let the user think that it was valid only for the TS profile because of the expression "terminal port", and that was not true. Changed the comments.
- /etc/pm.cyclades had the AlterPath PM prompt changed from "pm8>" to "pm>". If that file was NOT included in /etc/config_files by the user in an earlier FW version, the ACS FW upgrade will force the user either to upgrade the AlterPath PM boxes to the newest FW, or to edit the /etc/pm.cyclades file in the ACS, change the prompt back to "pm8>", include that file in /etc/config_files, restart the pmd process and run saveconf to have the ACS communicating with the AlterPath PM again.
  PM versions before 1.0.9 have the prompt "pm8>"; PM versions after that have the prompt "pm>".
  /etc/pm.cyclades defines the prompt as "pm8>" for all ACS versions before V_2.1.3. It defines it as "pm>" for V_2.1.4 and later.
V_2.1.4.1 Sep/18/03 : (official release; upgrade from V_2.1.4)
a) New features
b) Bug fixes
- Applied the latest patches up to openssh 3.7.1
c) Change Log
- The patch is a fix to buffer.c in openssh. The patch updates 3.6.1p2
to the current code level (3.7.1)
V_2.1.4 Aug/11/03 : (official release; upgrade from V_2.1.3)
a) New features
- SSL V2 re-enabled in the FW (it was disabled in the previous FW
version) and made configurable. This way, IE can work with SSL3 or SSL2,
whereas the existent buggy Netscape and Mozilla can work with SSL2.
- Hardened the code by disabling the services daytime and time and
rejecting time stamp
b) Bug fixes
- saveconf was very slow to save configuration files in flash and was
generating R/W temp files before saving them into flash
- RFC2217 not working when the user did not configure data buffering or
sniffing for a given serial port
- WEB would cap the users field at 40 characters before copying the
field to the proper configuration file (pslave.conf). Now the limit is
256 characters.
- CrossTalk in bad console cables made the unit not boot if the console
cable did not have a console hooked up
- Socket CAS was handling the telnet command NOP as data
- pam was generating a deceiving error saying "unable to set group
membership for user (err=-1)". It was an incompatibility between sshd
(set_creds) and pam_groups (set_creds). pam_groups issues a system call
that requires root privilege, but sshd had already changed the privilege
to the user just logged in. Removed the module pam_groups from the sshd
service (pam.conf).
c) Change Log
- SSL2 enabled or disabled through the configuration file
(/etc/ssl_version.conf). The user will choose between SSLv2, SSLv3, and
SSLv23 (default).
V_2.1.3 Jun/30/03 : (official release; upgrade from V_2.1.2)
a) New features
- Upgrade of OpenSSH (from 3.5.p1 to 3.6.1p1)
- Upgrade of Openssl to 0.9.7b
- Upgrade of net-snmp (from 5.0.7 to 5.0.8)
- Windows 2003 support
- Enhanced Clustering (allows an encrypted path between master and
slave at lower CPU cost, and authentication between master and slave)
- Allows the Radius Server to specify the serial ports the user can
access
- tstest with chat string support
- Enabled pam_tally module
- Support to NIS
- Support to LDAPDownLocal authentication
- Support to NISDownLocal authentication
- Support to KerberosDownLocal authentication
- SSH-2 break extension support
- performance improvement (transfer rate over serial ports). This
feature affects the meaning of the parameters all.DTR_reset,
all.auto_answer_output, and all.auto_answer_input
- support to change and control (FW and Configuration) to work with new
Cyclades product
b) Bug fixes
- Radius and callback was not working properly (no call back)
- "W" command showing a wrong pid for ports with TS profile
- Radius was sending a wrong NAS-Port-Id to the Radius Server
- Changed the DHCP client to keep trying to get an IP address forever if
configured as "1"
- If a user belongs to more than one group he cannot access the ACS
serial port properly
c) Change Log
- Windows 2003 support: new parameters in /etc/portslave/pslave.conf
(s<nn>.translation xterm, s<nn>.web_WinEMS, s<nn>.xml_monitor), added
file /webs/web/appl/utf8key.conf, added web interface for Win EMS via
java applet. New macros available in /etc/syslog-ng/syslog-ng.conf:
- added /webs/web/appl/close.gif, /webs/web/appl/refresh.gif,
/webs/web/appl/colorSet.conf
- java applet now pops up when you connect. There is a refresh and a
close icon that users can click on. The refresh button is used to
reconnect to the server. The close icon is used to close the popup
window.
- Enhanced Clustering: new parameter in /etc/portslave/pslave.conf
(conf.nat_clustering)
- NIS:
. change in /etc/nsswitch.conf (inserted commented lines about NIS)
. change in /etc/pam.conf (changed module pam_unix.so to module
pam_unix2.so).
. created new files yp.conf (NIS server configuration) and
domainname.conf (NIS domain name)
. created new program /bin/domainame (to configure the domain name)
. new lib /lib/libnss_nis-2.2.3.so and /lib/security/pam_unix2.so
- LdapDownLocal:
. change in /etc/portslave/pslave.conf
. changed WEB interface to support the new value of the authentication
type parameter
. changed snmpd to support the new value of the authentication type
parameter
. change in /etc/pam.conf (added new service ldapdownlocal)
- KerberosDownLocal:
. change in /etc/portslave/pslave.conf
. changed WEB interface to support the new value of the authentication
type parameter
. changed snmpd to support the new value of the authentication type
parameter
. change in /etc/pam.conf (added new service kerberosdownlocal)
- SSH-2 break extension: (support to "Session Channel Break Extension -
draft-ietf-secsh-break-00.txt")
. implemented client and server.
. break interval -> change in /etc/portslave/pslave.conf (added
parameter all.break_interval)
- performance improvement
. change in /etc/portslave/pslave.conf (included new value to
all.sniff_mode)
- support to change and control (FW and Configuration)
. saveconf and restoreconf -> have more options
. adduser -> allows adding a user with root privileges
- existent feature (DHCP client) -> the following files were changed:
/bin/handle_dhcp (now this shell script does the ifconfig commands to
set the IP address on eth0) and /etc/network/dhcpcd_cmd.
- existent feature (default route) -> /etc/network/st_routes was
changed. The option "metric 3" was inserted in the definition of the
default route.
V_2.1.2 Mar/21/03 : (official release; upgrade from V_2.1.1)
a) New features
- Power Management. Allows users to connect IPDUs (Intelligent Power
Distribution Units) from Cyclades and some other vendors (Baytech and
Sentry) to Cyclades' Console Servers and manage the outlets used to
power the servers.
- Upgrade of OpenSSL to 0.9.7a
- Upgrade of net-snmp to version 5.0.7
- Upgrade of Busybox to 0.60.5 (includes support to the "top" command).
- Upgrade of DHCP to 1.3.22
- Dynamic DNS update support
- Dynamic serial port allocation (hunting group; pool of serial ports)
support
b) Bug fixes
- Telnet/SSH connections with Data Buffering are locked after the NFS
server goes down
- Protocol socket_server ignores the [more] data buffer menu command
over telnet
- Wizard for DB is setting the parameter *.data_buffering wrongly when
the value has more than 5 digits
- PPP connection from a Windows 2000 would not be established unless
the cb_script line was commented out in pslave.conf
c) Change Log
- New feature (Power Management):
New directory/files:
- pmd/
- pmd/*
- cyclades/etc/init.d/pmd
Files changed:
- cyclades/etc/inittab
New parameters were added in the webs configuration, serial ports
section: Protocol (the ipdu protocol was included), IPDU type, PM users,
PM number of outlets, PM outlets and PM hotkey.
- The same parameters above were added in the Cyclades MIBs.
- The process pmd was included in the webs administration to restart
processes.
- The Link Administration > Power Management was created to manage the
IPDU's outlets.
- Created a script to change the permission of pppd during bootup:
/bin/chmod_pppd
- Added that script (commented out) in users_script (/etc/users_scripts)
- Existent feature (telnet client) -> /bin/telnet moved to
/usr/bin/telnet (see upgrade notes); /etc/portslave/pslave.conf was
changed (conf.telnet parameter).
- The nsupdate application was added in the ACS to allow dhcpcd to
perform the DDNS updates when the dhcp server does not perform them.
nsupdate can be called from the shell script "handle_dhcp" using the
data received from the dhcp server that were written into the file
"/etc/dhcpc/dhcpcd-eth0.info".
- A new command line option was added to the tstest program: "-I
<initchat>". So, the command to do port conversation without navigating
in the menu should be:
tstest -l <#port> -s <baudrate> -I <initchat_string>
The command "tstest -?" will display all options available:
-l #port        - Serial port number [1 to 32]
-s speed        - Baud rate
-p parity       - Parity even, odd, none
-f flow         - Flow control hard, soft, none
-d DataLength   - Number of bits from 5 to 8
-b              - Send break 0.25 to 0.5 seconds long
-B interval     - Send break [1-5] seconds long
-T interval     - Toggle DTR [1-5] seconds long
-t              - Toggle DTR forever
-R interval     - Toggle RTS [1-5] seconds long
-r              - Toggle RTS forever
-i              - Port conversation
-I <initchat>   - Port conversation
-c              - doesn't change tty configuration/signals on open
-C              - doesn't restore tty configuration/signals on close
- Java applet has changed. Now, to ssh to the chosen port, users can
just type the username and password rather than typing
username:portnumber and then the password.
- Existent feature (CallBack in Dial-In profile) -> /bin/chat was moved
to /usr/local/sbin/chat, so /etc/portslave/cb_script was changed
(included the path "/usr/local/sbin" to "chat").
- Existent feature (Dial-In profile) -> change in
/etc/portslave/pslave.conf (removed the callback from the default of
the pppoptions parameter).
- Existent feature (busybox) -> upgrade from version 0.60.2 to version
0.60.5 (included support to the "top" command, and "ps" shows new
columns). The /etc/inittab file was changed because the order to start
the processes was changed in the new busybox.
- Existent feature (/bin/build_DB_ramdisk) -> changed to not show the
messages from /etc/mke2fs and /etc/mount.
- Existent feature (cyclades MIB) -> changed to support new PortSlave
parameters and fixed some problems with object definitions.
- Included a Note about CHAP authentication (Chapter 3, section
Authentication)
- New feature (hunting group) -> added some new parameters in
/etc/portslave/pslave.conf (all.pool_ipno, all.pool_serverfarm,
all.pool_socket_port)
V_2.1.1 Jan/10/03 : (official release; upgrade from V_2.1.0)
a) New features
- Upgrade of the WEB server (goahead v2.1.4)
- The WEB logic for access limit has changed. There will be 4 priority
levels: user, monitor, administrator and full (root). Each page will
have a priority level associated with it; if the page has monitor
priority, all the users with privilege monitor, administrator or full
will have access to the page. The default user groups will be root
(full), admin (administrator), monitor (monitor) and user (user). Also,
the link list will be grouped according to the user privilege. The
common user, for now, will be able to logout and to connect to serial
ports, nothing more. In order to make it effective, it's necessary to
replace the file /etc/websum.conf with the one in the new zImage.
- Run Configuration implemented in WEB. A link was created in the
Administration section and, in the page, the administrator can reload
the portslave, the IPSEC, the snmp and the syslog-ng configuration. The
signal_ras script was changed to fit this feature.
- Added a link called SNMP in the Configuration section. This
configuration is done in the same way as syslog-ng: by editing the
file.
- Changed the syslog-ng.conf file. The new configuration allows
syslog-ng to receive syslog messages from the Kernel.
- Implemented a new PortSlave parameter "all.telnet_client_mode". This
parameter allows the user to choose text or binary mode for the
automatic telnet client.
- ISDN BRI PCMCIA card supported
- Implemented a new PortSlave parameter "all.lf_suppress" to allow some
Windows telnet clients to access Unix servers and not receive a double
prompt.
- Implemented two new PortSlave parameters "all.auto_answer_input" and
"all.auto_answer_output" to allow PowerEdge Servers to display the
BIOS' output when there's no connection (ssh or telnet) to that serial
port (given data buffering is active).
- Enhanced sniffer feature by allowing presenting or not the sniffer
menu
b) Bug fixes
- A problem in syslog data buffering was fixed. It would appear when the
parameter data_buffering is not enabled and the parameter time stamp is
enabled.
- When changing a serial port configuration parameter like "sttyCmd" and
issuing the "signal_ras hup" command, the serial port parameter was not
being reconfigured.
- If slave entries for all 48 ports of an ACS are added to the
pslave.conf file in the master, the following message appears when the
slave is selected on the ts_menu first screen:
"Caution: You have exceeded the number of slaves allowed. You may be
invading your system's memory therefore affecting the performance of
this application..."
- ACS - SNMP: Fixed problem with saving the configuration and restarting
PortSlave by SNMP set.
- New Cyclades Logo replacing the old one
- Changed the banner to show AlterPath ACS
c) Change Log
- new feature (Access Limit by priority) -> change in /etc/websum.conf
(reconfigured user groups and access limits according to the priority
and added some more access list entries)
- new feature (Common Users access only application pages) -> files
web/read/{*.jar, *.conf, sportConnect.asp, connectPorts.asp} moved to
web/appl.
- new feature (complete Run Configuration) -> Link "Run Configuration"
inserted in the Administration section, in the Web Server Menu
- new feature (SNMP configuration) -> Link "SNMP" inserted in the
Configuration section, in the Web Server Menu
- new feature (Define the text/binary mode in automatic telnet client)
-> change in /etc/portslave/pslave.conf (added the parameter
all.telnet_client_mode)
- new feature (LF suppression) -> change in /etc/portslave/pslave.conf
(allows suppressing the last LF from the CRLF sent by a Windows telnet
client to avoid having a double prompt on screen when the user accesses
a Unix server through the CAS' serial port)
- new feature (Probing mechanism) -> change in
/etc/portslave/pslave.conf (if a server probes the serial port by
sending a string, the CAS answers with another string so the BIOS can
start displaying. Input and output strings are configurable)
- existent feature (session sniffing) -> change in
/etc/portslave/pslave.conf (all.multiple_sessions can be configured to
present or not the sniffer menu)
- existent feature (syslog-ng receives syslog messages from kernel) ->
change in the syslog-ng.conf file (see the upgrade notes), change in
upgrade_110 file
- the command "w" is changed. The original version was renamed to
"w_ori". "w_cas" is a new command and it shows the information about
CAS sessions. The command "w" calls w_ori and w_cas.
- Files changed due to ISDN BRI:
- Inclusion of isdn4k-utils package.
- Changes in the linux/drivers/isdn and linux/drivers/isdn/hisax files.
- Changes in the tslinux_mv21/Makefile to generate isdn4k-utils tools
and support modules_install (CDK).
- Changes in tslinux_mv21/linux/Makefile.cyc to support modules_install
(CDK).
- Changes in tslinux_mv21/linux/.config.tsxk to support the isdn
subsystem and ppp as a loadable module (CDK).
- Inclusion of cyclades/etc/ppp files to support synchronous ppp.
- Changes in build_extra to create isdn devices under /dev (CDK).
- Changes in cyclades/lib/modules/<version>/ files to support isdn.
- Changes in /etc/config_files to save /etc/ppp/pap-secrets and
/etc/ppp/chap-secrets in flash.
- ACS MIB for SNMP management: Included new PortSlave Parameters in the
ACS MIB.
- The configuration of the snmpd (/etc/snmp/snmpd.conf file) was
changed. The upgrade has to be done in two steps:
. First step.
.. Save the file /etc/snmp/snmpd.conf, if it was changed.
.. Edit the file /etc/config_files and remove the line related to snmp.
.. Execute the command "saveconf" and reboot the TS.
. Second step.
.. If the file /etc/snmp/snmpd.conf was changed, the user should make
his own changes again.
V_2.1.0 Nov/01/02 : (official release; first release)
a) New features
- Linux Kernel 2.4.17
- PAM Support (LDAP, Kerberos, TACACS+, Radius, Local authentication)
- SSH 1/2, telnet, ftp, PPP and SLIP, 10/100BT
- Spurious Break Eliminator
- PCMCIA support (modem card, Ethernet and Wireless initially)
- Extended wizard configuration
- Java Applet to allow serial connection using browser (telnet or ssh
sessions)
- IPSec support
- All features supported by Cyclades-TS family
b) Bug fixes