* * * READ ME * * * * * * Symantec Cluster Server 6.2.1 * * * * * * Patch 1100 * * * Patch Date: 2019-08-26 This document provides the following information: * PATCH NAME * OPERATING SYSTEMS SUPPORTED BY THE PATCH * PACKAGES AFFECTED BY THE PATCH * BASE PRODUCT VERSIONS FOR THE PATCH * SUMMARY OF INCIDENTS FIXED BY THE PATCH * DETAILS OF INCIDENTS FIXED BY THE PATCH * INSTALLATION PRE-REQUISITES * INSTALLING THE PATCH * REMOVING THE PATCH PATCH NAME ---------- Symantec Cluster Server 6.2.1 Patch 1100 OPERATING SYSTEMS SUPPORTED BY THE PATCH ---------------------------------------- Solaris 11 SPARC PACKAGES AFFECTED BY THE PATCH ------------------------------ VRTSvcs BASE PRODUCT VERSIONS FOR THE PATCH ----------------------------------- * Symantec Cluster Server 6.2 * Symantec Storage Foundation Cluster File System HA 6.2 * Symantec Storage Foundation for Oracle RAC 6.2 * Symantec Storage Foundation HA 6.2 SUMMARY OF INCIDENTS FIXED BY THE PATCH --------------------------------------- Patch ID: 6.2.1.1100 * 3982203 (3981992) A potentially critical security vulnerability in VCS needs to be addressed. DETAILS OF INCIDENTS FIXED BY THE PATCH --------------------------------------- This patch fixes the following incidents: Patch ID: 6.2.1.1100 * 3982203 (Tracking ID: 3981992) SYMPTOM: A potentially critical security vulnerability in VCS needs to be addressed. DESCRIPTION: A potentially critical security vulnerability in VCS needs to be addressed. RESOLUTION: This hotfix addresses the security vulnerability. For details, refer to the security advisory at: https://www.veritas.com/content/support/en_US/security/VTS19-003.html INSTALLING THE PATCH -------------------- Run the Installer script to automatically install the patch: ----------------------------------------------------------- Please be noted that the installation of this P-Patch will cause downtime. To install the patch perform the following steps on at least one node in the cluster: 1. Copy the patch vcs-sol11_sparc-Patch-6.2.1.1100.tar.gz to /tmp 2. Untar vcs-sol11_sparc-Patch-6.2.1.1100.tar.gz to /tmp/hf # mkdir /tmp/hf # cd /tmp/hf # gunzip /tmp/vcs-sol11_sparc-Patch-6.2.1.1100.tar.gz # tar xf /tmp/vcs-sol11_sparc-Patch-6.2.1.1100.tar 3. Install the hotfix(Please be noted that the installation of this P-Patch will cause downtime.) # pwd /tmp/hf # ./installVRTSvcs621P11 [ ...] You can also install this patch together with 6.2.1 maintenance release using Install Bundles 1. Download this patch and extract it to a directory 2. Change to the Veritas InfoScale 6.2.1 directory and invoke the installmr script with -patch_path option where -patch_path should point to the patch directory # ./installmr -patch_path [] [ ...] Install the patch manually: -------------------------- To apply the patch perform the following steps on all nodes in the VCS cluster: 1. Stop VCS on the cluster node. 2. Install the patch. 3. Restart VCS on the node. To stop VCS on the cluster node: 1. Ensure that the "/opt/VRTSvcs/bin" directory is included in your PATH environment variable so that you can execute all the VCS commands. For more information, refer to the Veritas Cluster Server Installation Guide. 2. Verify that the base version of VRTSvcs is 6.2.1 3. Persistently freeze all the service groups: # haconf -makerw # hagrp -freeze [group] -persistent # haconf -dump -makero 4. Stop the cluster on all nodes. On any node, run the following command to stop the cluster: # hastop -all -force 5. Verify that the cluster is stopped on all nodes: # hasys -state 6. On all nodes, make sure that both the had and hashadow processes are stopped. 7. Stop the VCS CmdServer on all nodes: # /opt/VRTSvcs/bin/CmdServer -stop 8. Copy the /etc/VRTSvcs/conf/config/types.cf file to /etc/VRTSvcs/conf/config/types.cf.orig as a backup. 9. Copy the /etc/VRTSvcs/conf/config/main.cf file to /etc/VRTSvcs/conf/config/main.cf.orig as a backup. Installing the patch -------------------- To install the patch: 1. Log in as superuser on the system where you are installing the patch. 2. Uncompress the patch that you downloaded from Veritas. 3. Change the directory to the uncompressed patch location. 4. Apply the patch by issuing the following commands a. Unset Symantec or any invalid publisher e.g: #pkg unset-publisher Symantec b. Set the publisher # pkg set-publisher -g Veritas e.g: # pkg set-publisher -g /patch_dir/patches/VRTSvcs.p5p Veritas c. Install the package # pkg install --accept --no-backup-be VRTSvcs 5. After the installation completes, verify that the package is installed. # pkg info VRTSvcs 6. Unset the publisher # pkg unset-publisher Veritas 7. Start VCS: # hastart 8. Start the VCS CmdServer on all nodes # /opt/VRTSvcs/bin/CmdServer REMOVING THE PATCH ------------------ Note: Uninstalling this patch will remove the entire VRTSvcs package. If you need an earlier version of the package, re-install it from original source media ( ref step 3 below ). Run the following steps on all the nodes in the VCS cluster: 1. Stop VCS: # haconf -dump -makero # hastop -local -force 2. Stop the VCS CmdServer #/opt/VRTSvcs/bin/CmdServer -stop 3. Uninstall the VRTSvcs package: a. If you have local zones on the system, uninstall the VRTSvcs package and its dependent packages from all local zones in which it is present (repeat with set to each local zone in which VRTSvcsag is installed): # zlogin pkg uninstall VRTSvcsag VRTSvcswiz VRTSvcs b. Once the package is uninstalled from all local zones, uninstall the VRTSvcs package and its dependent packages from the global zone: # pkg uninstall VRTSvcsag VRTSvcswiz VRTSvcs 4. (optional) Install the previous version of the VRTSvcs package and its dependent packages from original source media to revert your system to pre-patch conditions. 5. Start VCS: # hastart 6. Start the VCS CmdServer on all nodes # /opt/VRTSvcs/bin/CmdServer SPECIAL INSTRUCTIONS -------------------- If a local zone is in 'configured' state while the VRTSvcs package is being updated, then the package is not updated in local zone. To update packages inside a local zone, set the publisher on the global zone and execute the below command (repeat per zone as needed): # zoneadm -z attach -u OTHERS ------ NONE