Message-ID: <20031002032029.GB29899@netsys.com>
From: len at netsys.com (Len Rose)
Subject: Solaris security patches.
NOTE: These are personal opinions and as such I do not speak
for any entity other than myself.
I've been complaining about the slow reaction times from Sun
regarding security patches lately, and I haven't seen much
improvement. It actually seems that Sun's security team is even
slower now than when I first started noticing the "slowdown".
Two recent vulnerabilities (openssh and sendmail) come to
mind.
Note: since Sun has now embedded openssh into Solaris 9, it sucks
to have to rip out Sun's openssh and switch to the portable
open source version.
In the case of sendmail 8.12.x, most people who really use
Solaris for mail servers probably run something else like
postfix, or at least maintain their own sendmail, so it's no big deal.
However, there are many sites that have to rely on patches
alone from Sun, since they may not have people who can compile new
versions of software. There might be sites that will permit only
"official" patches from Sun to be installed on their servers.
Reference:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity
Initially, even though the bulletins were finally released,
the "workaround" was to disable sendmail or to disable sshd.
I'm sorry, but these aren't realistic or credible.
Now they've updated them to include references to T Patches
that don't exist on the registered customer "private" patch
archives.
It's been quite a while for those who rely on ssh and sendmail,
so generally everyone eventually is forced to ditch "official"
versions of ssh and sendmail in favour of building these critical
pieces of software from source from the open source development
teams.
It really makes the job of keeping Solaris servers secure very
difficult in comparison to, say, Linux or *BSD, whose security
teams are quite responsive when there is a significant new
hole.
Perhaps the dire financial situation that Sun is facing is to
blame for this. If so, I'll volunteer to help put together an
organization to publish Solaris patch packages for security-related
problems if Sun will sanction same.
I love Solaris and I am a dedicated sparc person -- I don't
want to see the people who are STILL using Solaris be the ones to
suffer.
Thanks for listening Sun.