Bugtraq mailing list archives

Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995


From: scott () Disclosure COM (Scott Barman)
Date: Mon, 18 Sep 1995 12:07:56 -0400


On Mon, 18 Sep 1995, Goetz von Escher wrote:

I just called local Sun support. They don't know anything about this
hole and they don't accept the 8lgm advisory as a problem report as we
cannot prove that the bug exists on *our* SunOS host. Ouch! I cannot
believe that nobody else has opened a service call or bug fix request
(or whatever Sun calls this) at Sun Microsystems. They referred me to
patch 100909-03 which fixed a hole in syslogd for SunOS 4.1.3...

Sun is usually a little slow in responding to these reports.  I think
they look at them with caution, which may be a good thing, before
issuing their own "statement."  However, if Sun said they had "a" fix
for one hole in syslogd, then you may want to check it out.

NOTE: I am not saying it is bad that Sun takes their time to respond.  I
would rather see them analyze the problem and react properly than
hastily (but they should respond in a timely manner).

As for me... I replaced my syslog with the one from NetBSD with no
major hassles.

My questions are:

-  Is there an official patch from Sun and what's the patch-ID?

If they gave you the above patch number, that's all they have at this
time.

-  Has anybody talked to Sun about this problem?

I talk to Sun about a lot of things... mainly to friends who work there
and they're getting tired of hearing from me!  :-)

When you talk to Sun about any problem with SunOS (or Solaris 1.1 as
they'd rather call it), you'll get the corporate response:
"upgrade" to Solaris 2.  Sources tell me that by mid-96, SunOS will be
treated like a leper child similar to the way they treat the old
MC68K-based systems.  Sun is no longer doing development on SunOS and
that even security patches will stop at that time.

If you can, you may want to look into replacing SunOS with NetBSD.  I
think that is my next step (I am not a fan of Solaris 2).

-  Is Sun working on a patch?

Probably.  If it makes these groups (BUGTRAQ and Firewalls, usually)
they may move quicker.

Sun's patch archive for non-contract customers is available via ftp at
sunsolve1.sun.com:/pub/patches.  They do have a Web page, but I use
ncftp and find it easier just to deal with their ftp site.

scott barman
--
scott barman                  DISCLAIMER: I speak to anyone who will listen,
scott () disclosure com                      and I speak only for myself.
barman () ix netcom com
  "Micro$oft and Windoze/NT will be the cause of the de-evolution of
   network security just as the original PC and BASIC was the cause of
   the de-evolution of programming."


