Bugtraq mailing list archives
Re: Immunity Advisory: Solaris local kernel root
From: Casper Dik <casper () holland sun com>
Date: Thu, 25 Mar 2004 17:48:52 +0100
Casper Dik wrote:I wonder why you even bother publishing this; at the time the document claims to have been written, half the listed Solaris revisions had already patches out for them; Solaris 10, which technically doesn't exist yet, had the bug already fixed in its most recent Solaris Express builds.By our math, January 22nd, 2004 is after December 2003, which is when this exploit was first made available to Vulnerability Sharing Club members. At that point there were no patches for any Solaris, as far as we were aware. We would like to think that the additional information we provided, including a working exploit, was valuable to many members of the information security community.
The Solaris 7 patch was released December 1st; the Solaris 8 patch was released November 25th; the Solaris 9 patch was released December 23rd; the delay in the Sun Alert notication was probably due to the late release date of the Solaris 9/Intel patch. Had you notified Sun, which you should have done, we would have given you this information. You see, I am very suspicious about people independently "discovering" bugs after we've posted patches or filed them to our internal bugtracking system. Or people sitting on discovered security vulnerabilities for many years. The latter people are part of the problem, not of the solution. Casper
Current thread:
- Immunity Advisory: Solaris local kernel root Dave Aitel (Mar 23)
- Re: Immunity Advisory: Solaris local kernel root Casper Dik (Mar 24)
- Re: Immunity Advisory: Solaris local kernel root Dave Aitel (Mar 25)
- Re: Immunity Advisory: Solaris local kernel root Casper Dik (Mar 25)
- Re: Immunity Advisory: Solaris local kernel root Dave Aitel (Mar 25)
- Re: Immunity Advisory: Solaris local kernel root Dave Aitel (Mar 25)
- Re: Immunity Advisory: Solaris local kernel root Casper Dik (Mar 24)