Bugtraq mailing list archives

Re: BUGTRAQ ALERT: Solaris 2.x vulnerability

From: paul () argo demon co uk (Paul Ashton)
Date: Fri, 18 Aug 1995 23:03:00 BST

Mark Graff:
Yup. I also thought I sent a note out to this list, on August 14th.
I'll attach that message.

Our general policy is not to announce a problem until we have a fix.
Since Scott disclosed the hole here I responded (or tried to respond)
with the information that we knew about the problem and were testing
fixes. Sorry if it didn't get out for some reason!

On this bug the update is that I expect to release the patches and a
corresponding bulletin next week, perhaps as early as Wednesday.

BTW we have been working on a patch (for all affected platforms) since
July. (We got a second report on August 1, but it turns out the fix was
already in the works.) The traffic on this list, including Scott's
disclosure and followup exploitation script, has had no effect on our
schedule.  We were already in the final stages of testing when he
acted.


Maybe I can help a bit. I reported this problem at the end of May,
along with several others initially to Mark Graff but without reply
and then to somebody else concerned with security in Sun who responded
to another message that I had sent to bugtraq. I additionally reported
the problems to CERT because they asked me. Mr Sun (who is brilliant
and deserves a medal) responded instantly to all my concerns and initiated
fixes for them. However, getting a patch is a different step altogether.
If you report a security problem to Sun support they will say thank you
and update their database and forget about it, even though these problems
are security problems and, believe me, the ps problem is so obvious to
anyone who spends 10 minutes looking for holes, Sun will not fix them
without either a bugtraq type disclosure or an escalation. I received
a patch T102711-01 at the beginning of August evaluated it and accepted
it due to escalating it. The bug is fixed in 2.5 because it was reported
and was important enough to go in. It was after the beta release though,
that is why it is still visible.
As my client wishes to provide Sun with ample opportunity to fix the
problems before trying more radical alternatives, I am obliged not to
release the details. Their opinion of Sun's seriousness in fixing
security problems is not really rising very quickly, though... Or rather,
they will fix them but only put them out in the next release without
pressure to do otherwise.

Mark Graff relayed to me that Sun has known about this for about 2 weeks
or so.

Since May.

Cheers,
Paul

Current thread:

Re: BUGTRAQ ALERT: Solaris 2.x vulnerability, (continued)
- - - Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Patrick Hess (Aug 16)
- Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Scott Chasin (Aug 16)
- Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Nathan Lawson (Aug 16)
  - Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Darren Reed (Aug 17)
  - Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Casper Dik (Aug 17)
    - BUGTRAQ ALERT: Solaris 2.x Arve Kjoelen (Aug 18)
    - Re: BUGTRAQ ALERT: Solaris 2.x vulnerability System Administrator (Aug 18)
- Re: BUGTRAQ ALERT: Solaris 2.x vulnerability David Rukshin (Aug 18)
- Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Scott Chasin (Aug 18)
- Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Mark Graff (Aug 18)
- Re: BUGTRAQ ALERT: Solaris 2.x vulnerability Paul Ashton (Aug 18)