Bugtraq mailing list archives

Re: 8LGM & Solaris 2.5


From: casper () holland Sun COM (Casper Dik)
Date: Mon, 27 Nov 1995 17:46:45 +0100


On the Sun User Group Technology Conference in Munich this Wednesday, Sun
announced that Solaris 2.5 has no security holes up to now.

None they know about :) There are a number of bugs that have survived from
2.3 FCS all the way through to 2.5 FCS. I expect them to last much longer
considering the care taken to shield their functionality. (And don't waste
your time or mine by asking). I was slightly annoyed to see Casper get
the telnet one three weeks before 2.5 code freeze :) We were waiting for
them to toss that gimme out there.


If you have any that survived through 2.5, by all means send them in
and we will get them fixed.  We can't fix what we don't know about
(if we find one we'll fix them, if someone outside Sun finds one, we
would very much like them to tell us).

If you get 2.5 and you find "geez, they still haven't fixed that bug",
please drop me a note.  It could very well be that we never heard about it.

A lot of security bugs have been fixed in 2.5 because they have been reported
to us by only a handful of customers, some of these bugs date back to
SunOS 4.x even, others have been in Solaris 2.x since the inception.
But they didn't appear in the bugs database, so they weren't reported or
didn't make it past the person they were reported to.  If it doesn't have
a bug id, there's no mechanism to get it fixed.  (If you think that
that's bureaucratic, remember that post-it notes don't scale too well)

BTW, it wasn't me who found the telnetd bug in Solaris 2.5 beta.


Casper


