Open Source and information security mailing list archives
Message-ID: <20031002032029.GB29899@netsys.com>
From: len at netsys.com (Len Rose)
Subject: Solaris security patches.

NOTE: These are personal opinions and as such I do not speak 
for any entity other than myself.


I've been complaining about the slow reaction times from Sun 
regarding security patches lately, and I haven't seen much
improvement. It actually seems that Sun's security team is even
slower now than when I first started noticing the "slowdown".

Two recent vulnerabilities (openssh, and sendmail) come to
mind.

Note: Since Sun has now embedded openssh into Solaris 9 it sucks
to have to rip out Sun's openssh and switch to the portable
open source version. 

In the case of sendmail 8.12.x, most people who really use
Solaris for mail servers probably run something else like
postfix, or at least maintain their own sendmail, so no big deal. 

However, there are many sites that have to rely on patches
alone from Sun since they may not have people who can compile new 
versions of software. There might be sites that will permit only 
"official" patches from Sun to be installed on their servers. 

Reference: 

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity


Initially even though the bulletins were finally released 
the "workaround" was to disable sendmail or to disable sshd. 
I'm sorry but these aren't realistic or credible.

Now they've updated them to include references to T Patches
that don't exist on the registered customer "private" patch
archives.

It's been quite a while for those who rely on ssh and sendmail,
so generally everyone eventually is forced to ditch "official"
versions of ssh and sendmail in favour of building these critical
pieces of software from source from the open source development
teams.

It really makes the job of keeping Solaris servers secure very
difficult in comparison to, say, Linux or *BSD, whose security
teams are quite responsive when there is a significant new
hole.

Perhaps the dire financial situation that Sun is facing is to
blame for this. If so, I'll volunteer to help put together an
organization to publish Solaris patch packages for security-related 
problems if Sun will sanction same.

I love Solaris and I am a dedicated sparc person -- I don't 
want to see people who are STILL using Solaris to be the ones to 
suffer.

Thanks for listening Sun.


