Bugtraq mailing list archives

Re: BUGTRAQ ALERT: Solaris 2.x vulnerability


From: chasin () CRIMELAB COM (Scott Chasin)
Date: Fri, 18 Aug 1995 10:03:33 MDT


[casper () HOLLAND SUN COM wrote]:

Just to add my two cents to the discussion:
        - this is a known problem


So why wasn't it more publicly announced? Sun could easily have issued a
new binary very publicly and without saying what they had fixed.


Mark Graff relayed to me that Sun has known about this for about 2 weeks
or so.

[casper () HOLLAND SUN COM wrote]:
        - it is fixed in 2.5 (by using fchown, not chown, both versions of ps)

Apparently this is *NOT* fixed in the 2.5 release. At least not the copy I
have.  And I believe someone else has contested to this fact as well.

So why didn't you tell people instead of negligently leaving them exposed

This is the old full-disclosure debate.  I don't think we should be getting
into this here.

Otherwise known as the majority of people who are less technically clued up.
Vendors need to improve their methods.

Alan


--Scott
chasin () crimelab com


