Bugtraq mailing list archives
Re: Checking for most recent Solaris Security Patches
From: jonr () SDATA NO (Jon Ross)
Date: Fri, 15 Jan 1999 09:00:12 +0100
On Wed, Jan 13, 1999 at 09:26:51PM +0100, Linux Mailing Lists wrote:
> Hello,
>
>> Or use the automated email patch status robot at pogostick.net. See http://pogostick.net/~pdiag/english.html (or http://pogostick.net/~pdiag/ if you want it in Norwegian) for more info.
>
> Doesn't sound very good to send the configuration of your machine over the internet by email. What if someone gets it and uses that information to know the vulnerabilities of your server? Using your service he would know:

Our (my) service makes no pretence of being a service that extremely vulnerable machines should use. But then again, the mail you send doesn't need to identify _which_ machine the showrev output is from. Just take the showrev/pkginfo from one machine, put it into a file, email it from another machine (with correct subject). So any eavesdropper would only know that somewhere (in the world) there is a Sun/Solaris machine with this software/patchlevel.

> * Which Software you have installed in your server
> * Which patches you have applied (and what's more interesting, which patches you *haven't* applied)
> * The OS version, platform, etc...
> * Your server's name
>
> Mmmmmmm... Just the information someone would need to hack your system :)
>
> What about making public the program you use, to run it locally?
>
> (showrev -p ; pkginfo -l)|yourniceprog

The program is just an email wrapper around Sun's patchdiag (currently v 1.0.2). Many other nice people have submitted programs to this (bugtraq) mailing list that let you do this locally.

> Greetings,
> Sergio
>
> PS: Who knows who is really receiving your information at pdiag () pogostick net ;)

I do!

--
Jon Ross, Ark Norge AS - Divisjon Skrivervik Data, P.B. 3885 U.S., N-0805 OSLO, NORWAY
Phone +47 2218 5891, Cellular +47 915 35 708, Fax +47 2218 5998
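
A local check of the kind the thread asks for, so that no patch inventory leaves the machine. This is an added example, not part of the original post and not Sun's patchdiag. Assumptions: the reference list is a constructed two-column "patch id, latest revision" file (a hypothetical format, not patchdiag's own cross-reference file), and all patch numbers are placeholders.

```python
import re
import sys

# Matches the "Patch: NNNNNN-NN ..." lines printed by `showrev -p`.
PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")

def installed_patches(showrev_text):
    """Return {patch_id: highest installed revision} from `showrev -p` output."""
    found = {}
    for line in showrev_text.splitlines():
        m = PATCH_RE.match(line)
        if m:  # pkginfo lines in the same stream simply do not match
            pid, rev = m.group(1), int(m.group(2))
            found[pid] = max(rev, found.get(pid, 0))
    return found

def load_reference(ref_text):
    """Parse the constructed 'patch_id latest_rev' list (hypothetical format)."""
    ref = {}
    for line in ref_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pid, rev = line.split()
            ref[pid] = int(rev)
    return ref

def outdated(installed, reference):
    """List (patch_id, installed_rev, latest_rev); installed_rev None = missing."""
    report = []
    for pid, latest in sorted(reference.items()):
        have = installed.get(pid)
        if have is None or have < latest:
            report.append((pid, have, latest))
    return report

# Constructed sample data: placeholder patch numbers, not real Sun patches.
SAMPLE_SHOWREV = """\
Patch: 100001-02 Obsoletes:  Packages: SUNWcsu
Patch: 100001-04 Obsoletes:  Packages: SUNWcsu, SUNWcsr
Patch: 100002-01 Obsoletes: 100009-03 Packages: SUNWcsr
"""
SAMPLE_REFERENCE = """\
100001 04   # up to date
100002 03   # installed revision is older
100003 01   # not installed at all
"""

if __name__ == "__main__":
    text = SAMPLE_SHOWREV if sys.stdin.isatty() else sys.stdin.read()
    for pid, have, latest in outdated(installed_patches(text), load_reference(SAMPLE_REFERENCE)):
        print(f"{pid}: installed {have if have is not None else 'none'}, latest {latest:02d}")
```

A patch reported as missing may belong to a package that is not installed on the host, so treat those entries as candidates to review rather than confirmed gaps.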