==========================================================================
The checksum's (found through sum -r) of the files that you have received
(other than this README) are as follows:

11186      3 patchSG0004458.idb
01038      2 patchSG0004458
24113     23 patchSG0004458.ip_enterprise_sw
==========================================================================



				  - 1 -



       1.  Patch_SG0004458_Release_Note

       This release note describes patch SG0004458, a security
       patch for the iPlanet Web Server	4.1.4 on IRIX.

       1.1  Supported_Software_Platforms

       This patch contains bug fixes for iPlanet Enterprise Server
       (4.14).	It cannot be installed on other	configurations.

       1.2  Bugs_Fixed_by_Patch_SG0004458

       This patch contains fixes for the following bugs

	    Fixes:
	      Bug #828002-Buffer Overflow in iPlanet 4.X


       1.3  Subsystems_Included_in_Patch_SG0004458

       This patch release includes these subsystems:

	  o patchSG0004458.ip_enterprise_sw

	  o patchSG0004458.ip_enterprise_sw.server


       1.4  Background

       Please see the advisory titled "iPlanet Web Server
       Enterprise Edition 4.0, 4.1 Response Header Overflow", at
       http://www.atstake.com/research/advisories/2001/a041601-
       1.txt


       1.5  Applicability


       This NSAPI is provided for users	of iPlanet Web Server
       Enterprise Edition (iWS)	on IRIX, version 4.14.



       1.6  What_it_does


       This NSAPI examines incoming requests to	iWS. When it
       detects a malformed HTTP	Host: header it	will reject the
       request.	This prevents a	potential data compromise.













				  - 2 -



       1.7  What_it_doesn't_do_-_Caveat


       While this NSAPI	will wholly mitigate the risk of data
       compromise due to the "Response Header Overflow"
       vulnerability, using it may incur a performance penalty.	It
       is recommended that you upgrade to a later version of the
       web server on IRIX as soon as it	becomes	available.


       1.8  What's_included


       Files included in the patch:

	  o sgi-readme - A summary of the most important portions
	    of this document

	  o lib/bounds_check.so	- The NSAPI module that	implements
	    the	security fix

	  o src/bounds_check.c - The source code for the NSAPI
	    module.





       1.9  Further_information



	  o http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16b.html

	  o http://www.kb.cert.org/vuls/id/276767

	  o http://www.atstake.com/research/advisories/2001/a041601-
	    1.txt




       1.10  Installation_Instructions:_Part_1_-_The_automated_part


       NOTE: This patch	has a three-part installation process.	The
       first part is automated,	the second and third parts are
       manual.	The second part	of the installation is done
       manually	because	the original web server	installation for
       iWS 4.14	was done in two	parts and allowed some flexibility
       in the location where the server	would finally be installed.











				  - 3 -



       Because you will	want to	install	only the patches for
       problems	you have encountered, SGI patch	software is not
       installed by default.  After reading the	description and
       details of the bug fixed	in this	patch (see Section 1.2-1.9
       above), determine if the	patch meets your specific needs.

       If, after reading Sections 1.1 of these release notes, you
       are unsure whether your software	meet the requirements for
       installing this,	or any other patch, run	inst.  The inst
       program does not	allow you to install patches that are
       incompatible with your hardware or software.

       Patch software is installed like	any other Silicon Graphics
       software	product.  Follow the instructions in your Software
       Installation Administrator's Guide to bring up the miniroot
       form of the software installation tools.

       Follow these steps to select a patch for	installation:

	 1.  At	the Inst> prompt, type

	     install patchSGxxxxxxx

	     where xxxxxxx is the patch	number.

	 2.  Initiate the installation sequence. Type

	     Inst> go

	 3.  You may find that two patches have	been marked as
	     incompatible.  (The installation tools reject an
	     installation request if an	incompatibility	is
	     detected.)	 If this occurs, you must deselect one of
	     the patches.

	     Inst> keep	patchSGxxxxxxx

	     where xxxxxxx is the patch	number.

	 4.  After completing the installation process,	exit the
	     inst program by typing

	     Inst> quit



















				  - 4 -



       1.11  Installation_Instructions:_Part_2_-_The_manual_part


       NOTE: To	complete the patch installation, you will need to
       complete	the steps detailed in the remainder of this section
       and all of the next section, "How to configure the server".
       Failure to do so	will mean that the patch will not be
       applied to the server in	spite of what inst shows you.

       You can find the	files installed	in the previous	section	in
       the directory /var/netscape/es414/patch4458.

       We recommend that you copy the DSO (Dynamic Shared Object)
       for the patch (the file,	bounds_check.so) to the	plugins/lib
       directory under the directory where the server was
       installed.

       Once copied there, change both the ownership and	group
       membership to nobody so the server can use it. Then set the
       permissions so it can be	executed:

	   chown nobody.nobody plugins/lib/bounds_check.so
	   chmod a+r+x plugins/lib/bounds_check.so



       1.12  Installation Instructions:	Part 3 - How to	configure
	     the server


       The following edits will	have to	be made	to the obj.conf	for
       each server instance you've created.  Any to which the
       change is not made will not be protected	from the header
       overflow	exploit.


       In [server-root]/[server-instance]/config/obj.conf:

	...
	Init fn="load-modules" shlib="[path to libs]/bounds_check.so" funcs="bounds_check"
	...
	<Object	name=default>
	NameTrans fn=bounds_check
	...

       NOTE: It	is essential that this NameTrans be the	first
       called in the default object.















				  - 5 -



       1.12.1  Example_configuration  Assume that iWS is installed
       in /usr/iplanet/server4 and you have an instance	directory
       called https-www.sgi.com.

       Place bounds_check.so in	/usr/iplanet/server4/plugins/lib,
       then edit /usr/iplanet/server4/https-
       www.sgi.com/config/obj.conf:

	...
	Init fn="load-modules" shlib="/usr/iplanet/server4/plugins/lib/bounds_check.so"	funcs="bounds_check"
	 ...
	 <Object name=default>
	NameTrans fn=bounds_check
	 ...



       1.13  Patch_Removal_Instructions

       Removal of this patch is	a two-step process.  The first part
       is manual, necessitated by the way that the patch was
       applied.	 The second part is automated and is much the same
       as the removal process for most any other patch that SGI
       distributes.

       For the first portion of	the removal, you'll have to
       manually	remove the bounds_check.so file	from the
       plugins/lib directory under the web server installation
       directory.  Then	you'll need to manually	backout	the edits
       that were applied to the	obj.conf for each server instance
       you've created.

       To remove a patch, use the versions remove command as you
       would for any other software subsystem.	The removal process
       reinstates the original version of software unless you have
       specifically removed the	patch history from your	system.

       versions	remove patchSGxxxxxxx

       where xxxxxxx is	the patch number.

       To keep a patch but increase your disk space, use the
       versions	removehist command to remove the patch history.

       versions	removehist patchSGxxxxxxx

       where xxxxxxx is	the patch number.












