3 Replies Latest reply on Jun 27, 2012 3:57 AM by gnpf

    release notes and install instructions for Patch 8.2.1P01

      Hello,

       

      I can't find release notes and install instructions for patch 8.2.1P01.

      Only the changelog for the package is available.

       

      I need the instructions for our failover HA systems.

       

      thx,

      Tom

       

      Message edited by gnpf on 27.06.12 03:29:30 CDT
        • 1. Re: release notes and install instructions for Patch 8.2.1P01
          PhilM

          Tom,

           

          Unless you are ever instructed otherwise by McAfee support, you can install any/all patches through the Admin Console or, if you are willing, the command line.

           

          Patching HA systems used to be more delicate, but I believe that it isn't that much of a problem any more. The cluster will continue to function, but during the time where the appliances are running different versions, configuration changes will not be shared.

           

          Personally, I'd install the package to the standby appliance first. Then I'd re-boot the active appliance, so that the standby takes over. I'd run it for a while to make sure that everything is OK. If it is I'd then update the other appliance (which is now the standby). If the new package causes a problem, you can then opt to re-boot it (to bring the original active unit back into play) and then do whatever is necessary to get the updated appliance back to the original version (rollback, boot to alternative slice or even re-build and re-join to the cluster).

           

          With regards to the lack of release notes, I agree. I've looked through the KB and can't find an 8.2.1P01 release note entry.

           

          -Phil.

          • 2. Re: release notes and install instructions for Patch 8.2.1P01
            PhilM

            Hold on - I've just noticed that there's a readme section for this package which can be accessed in the Admin Console.

             

            This is what it has to say for itself:-

             

            For a fast path connection, fast path socket lock is released during
            TCP connection drop with a reset.

            Resolve an issue in PIM/SM multicast routing where receipt of PIM protocol
            Register packet can cause system kernel to crash.

            This patch adds more diagnostic data to be printed to system console when
            kernel crashes. The new panic screen format is not active until explicitly
            enabled via sysctl or tunable variable:
                debug.scc_trace_on_panic=1

            Resolve an issue with the ipfilter session sharing code where a race condition
            could sometimes cause a kernel panic under rare circumstances.

            Prevent a potential crash in BPF.

            Resolves a synchronization issue in IPSec VPNs that could lead to
            kernel panics.

            Resolves an issue that could lead to kernel panics when using IPS
            on certain proxied traffic.

            Resolves an issue where turning IPS scanning on for UDP traffic could
            impact application scanning on that data.

            Resolves a kernel issue where, with some policy configurations, the firewall
            would delay HTTP requests for several seconds.

            Improve session synchronization between members of an HA cluster
            to avoid situations where the initial session packets can be processed
            by the wrong node.

            Fix IP Filter Locking issue.

            UDP handle race between packet reception and socket close.

            Disables default transmit chksum offload capability for loopback
            interfaces, resolving issues where packets are sent through loopback.


            HTTP PROXY:
            Correct an issue in the HTTP proxy when processing traffic related
            to virus scanning.

            Resolve an issue where the HTTP proxy could crash while performing
            SSL decryption.

            Add support for the "1/n-1 record splitting" technique used to protect
            against the BEAST attack on SSL/TLS.

            Resolve an issue where sfredirectp could crash when a non-transparent
            HTTP request is made to it directly.

            Correct an issue where httpp with IPS enabled would cause the /secureos
            partition to fill with unnecessary files.


            OTHER COMPONENTS:
            Improve the stability of the password warder and the H.323 proxy.

            Update auditbotd to be resilient in processing audit w/out attack zone.

            Relax validation constraints so that rules allowing generic traffic
            (non-decrypted SSL, non-HTTP, or non-smart proxy traffic) only need to
            ensure that the generic app defenses are similar in those cases where
            the rules use different app defenses while using overlapping endpoints
            and late binding applications.

            Integrate OpenSSL updates for CVE-2011-4576, CVE-2011-4619,
            CVE-2012-2110, and CVE-2012-2131.

            Fix communication errors with the entrelayd daemon.

            Update policy logic which drives whether or not v6 AAAA queries are
            generated by the firewall, so that v6 queries will only be made if
            a v6 interface is enabled.

            Perform additional validation on ACL queries to ensure that the
            acl daemon will not become unresponsive due to a bad value in the query.

            Correct an issue whereby the SNMP proxy can generate an invalid ACL query
            and cause the connection to fail as a result.

            COMPONENTS:
            /boot/kernel_ops/kernel
            /boot/kernel_ops_smp/kernel
            /lib/libcrypto.so.6
            /usr/lib/libcrypto.so
            /usr/lib/libssl.so.6
            /lib32/libcrypto.so.6
            /usr/lib32/libssl.so.6
            /usr/contrib/lib/python2.4/site-packages/swacl/swaclquery.pyc
            /usr/sbin/auditbotd
            /usr/contrib/lib/python2.4/site-packages/cf/cf_acl.pyc
            /usr/contrib/lib/python2.4/site-packages/cf/cf_florets_and_matching_rules.pyc
            /usr/contrib/lib/python2.4/site-packages/cf/cf_host.pyc
            /usr/contrib/lib/python2.4/site-packages/cf/cf_area_registry.pyc
            /usr/libexec/entrelayd
            /usr/libexec/httpp
            /usr/libexec/snmpp
            /usr/libexec/changepw
            /usr/libexec/h323p
            /usr/libexec/login_sidewinder
            /usr/libexec/pasw


            -Phil.
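The readme entry above that adds "1/n-1 record splitting" against BEAST is the one cryptographic change in the patch, and it is worth seeing why the split helps. The following is an added example, not code from the thread or from the McAfee product: a toy model of TLS 1.0 CBC chaining (each record's IV is the last ciphertext block of the previous record) with a BEAST-style probe against it. The block cipher is a keyed hash standing in for AES, the MAC is a keyed hash, and the keys, the IV and the "session" cookie are constructed fixed values so the run is deterministic; none of that is real TLS crypto.

```python
"""Toy model of the TLS 1.0 CBC chaining weakness (BEAST) and the 1/n-1
record-splitting mitigation. Added example; not code from the page or from
the product it discusses. block_encrypt() is a keyed hash standing in for
AES (constructed stand-in, not real TLS); keys, IV and secret are fixed."""
import hashlib

BLOCK = 16
ENC_KEY = b"constructed-enc-key"
MAC_KEY = b"constructed-mac-key"
INITIAL_IV = bytes(range(BLOCK))   # handshake IV; public once the first record is on the wire
SECRET = b"session=8d2f1ac9"       # constructed 16-byte cookie the attacker wants


def block_encrypt(block: bytes) -> bytes:
    """Stand-in for one AES block. Not invertible; BEAST only compares ciphertexts."""
    assert len(block) == BLOCK
    return hashlib.blake2b(block, key=ENC_KEY, digest_size=BLOCK).digest()


def record_mac(seq: int, data: bytes) -> bytes:
    return hashlib.blake2b(seq.to_bytes(8, "big") + data, key=MAC_KEY, digest_size=BLOCK).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tls10_pad(body: bytes) -> bytes:
    """TLS 1.0 padding: n bytes each equal to n-1, bringing the length to a block multiple."""
    n = BLOCK - len(body) % BLOCK
    return body + bytes([n - 1]) * n


class Tls10Sender:
    """CBC sender whose IV for each record is the last ciphertext block of the previous one."""

    def __init__(self, split_records: bool):
        self.split_records = split_records   # True = 1/n-1 record splitting enabled
        self.chain = INITIAL_IV
        self.seq = 0

    def _send_record(self, data: bytes) -> list:
        body = tls10_pad(data + record_mac(self.seq, data))
        self.seq += 1
        out, prev = [], self.chain
        for i in range(0, len(body), BLOCK):
            prev = block_encrypt(xor(prev, body[i:i + BLOCK]))
            out.append(prev)
        self.chain = prev                    # next record's IV, visible to the attacker
        return out

    def send(self, data: bytes) -> list:
        """Returns the ciphertext blocks an on-path attacker sees."""
        if self.split_records and len(data) > 1:
            # 1/n-1: the first byte goes alone; its MAC'd, padded ciphertext becomes
            # the IV for the rest, and the attacker cannot predict it before committing data.
            return self._send_record(data[:1]) + self._send_record(data[1:])
        return self._send_record(data)


def beast_probe(sender: Tls10Sender, prev_block: bytes, target_block: bytes, guess: bytes) -> bool:
    """One BEAST guess. The attacker knows prev_block (what was XORed into the target
    plaintext), target_block (its ciphertext), reads sender.chain off the wire, and can
    make the victim send a chosen 16-byte prefix. True means the guess is confirmed."""
    chosen = xor(xor(guess, prev_block), sender.chain)
    first_block = sender.send(chosen)[0]
    # Without splitting: first_block == E(chain ^ chosen) == E(guess ^ prev_block),
    # which equals target_block exactly when guess == the secret block.
    return first_block == target_block


def run_demo(split: bool) -> tuple:
    """Returns (probe result for the correct guess, probe result for a wrong guess)."""
    sender = Tls10Sender(split_records=split)
    # The victim sends a request; the attacker has chosen the URL length so the cookie
    # lands on a block boundary (one byte longer when splitting peels off the first byte).
    prefix = b"GET /aaaaaaaaaaa " if split else b"GET /aaaaaaaaaa "
    blocks = sender.send(prefix + SECRET)
    idx = 3 if split else 1                  # flattened index of the block holding SECRET
    prev_block, target = blocks[idx - 1], blocks[idx]
    right = beast_probe(sender, prev_block, target, SECRET)
    wrong = beast_probe(sender, prev_block, target, b"session=00000000")
    return right, wrong


if __name__ == "__main__":
    print("no splitting  (right, wrong):", run_demo(False))
    print("1/n-1 split   (right, wrong):", run_demo(True))
```

Without splitting the probe is a clean oracle: the correct guess reproduces the target ciphertext block and a wrong one does not, so the attacker can recover the cookie a byte at a time. With 1/n-1 splitting the chosen bytes never start a record whose IV the attacker knew when choosing them, so even the correct guess fails to match and the oracle is gone; the secret itself is still in the middle of an ordinary record, which is why the fix is needed on the sender side rather than in how the secret is placed.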

            • 3. Re: release notes and install instructions for Patch 8.2.1P01

              Phil,

               

              thx for your answer.

              Your second post is what I mean by changelog, which always comes directly with the package.

              You described the usual way for HA, which I normally do too.
              But I sometimes run into trouble when patching an HA cluster, so I ask here beforehand. (The cluster won't sync after patching, so a complete reinstall of one node was necessary.)
              Under 7.x there was always a PDF document available for the patches.
              However, we will see what happens next weekend.

               

              regards,

              Tom