Full Disclosure mailing list archives
Solaris security patches.
From: Len Rose <len () netsys com>
Date: Wed, 1 Oct 2003 23:20:29 -0400
NOTE: These are personal opinions and as such I do not speak for any entity other than myself.

I've been complaining about the slow reaction times from Sun regarding security patches lately, and I haven't seen much improvement. It actually seems that Sun's security team is even slower now than when I first started noticing the "slowdown". Two recent vulnerabilities (openssh and sendmail) come to mind.

Note: Since Sun has now embedded openssh into Solaris 9, it sucks to have to rip out Sun's openssh and switch to the portable open source version.

In the case of sendmail 8.12.x, most people who really used Solaris for mail servers probably run something else like postfix, or at least maintain their own sendmail, so no big deal. However, there are many sites that have to rely on patches alone from Sun, since they may not have people who can compile new versions of software. There might be sites that will permit only "official" patches from Sun to be installed on their servers.

Reference:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity

Initially, even though the bulletins were finally released, the "workaround" was to disable sendmail or to disable sshd. I'm sorry, but these aren't realistic or credible. Now they've updated them to include references to T Patches that don't exist on the registered customer "private" patch archives.

It's been quite a while for those who rely on ssh and sendmail, so generally everyone eventually is forced to ditch "official" versions of ssh and sendmail in favour of building these critical pieces of software from source from the open source development teams. It really makes the job of keeping Solaris servers secure very difficult in comparison to, say, Linux or *BSD, whose security teams are quite responsive when there is a significant new hole.

Perhaps the dire financial situation that Sun is facing is to blame for this. If so, I'll volunteer to help put together an organization to publish Solaris patch packages for security-related problems if Sun will sanction same. I love Solaris and I am a dedicated sparc person -- I don't want to see people who are STILL using Solaris be the ones to suffer.

Thanks for listening, Sun.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html