Re: CVE Request for illumos distributions

[Dan McDonald <danmcd () omniti com>]

Ping?

Sent from my iPhone (typos, autocorrect, and all)

> On Dec 9, 2014, at 1:43 AM, Dan McDonald <danmcd () omniti com> wrote:
>
> I believe this will be the first time the illumos project (http://www.illumos.org/) has requested a CVE number.  I 
> apologize for any newbie mistakes.  PLEASE NOTE:  We are the open-source inheritor of what was once OpenSolaris's 
> OS/Net consolidation (i.e. the kernel, system libraries, and system commands).  WE ARE NOT RELATED TO ORACLE or 
> ORACLE SOLARIS.
>
> Illumos bug #5421 - http://illumos.org/issues/5421  which is now fixed in the upstream illumos-gate, is an innocuous 
> fix to a serious problem that allows an arbitrary user in the global zone (non-global zones are not able to panic the 
> machine) to panic the machine.
>
> Illumos has various distributions from various parties.  These include, but are not limited to:
>
>    OmniOS from OmniTI
>    SmartOS from Joyent
>    NexentaStor from Nexenta
>    The OpenIndiana project
>    Coraid
>
> Because SmartOS presents non-global zones to its non-administrative users, it is not a high-priority for them.  For 
> OmniOS and OpenIndiana, it is more critical.
>
> OmniOS has updated its packaging servers for all supported releases:  r151006/LTS, r151010/old-Stable, 
> r151012/current-stable, and bloody.  Merely issuing "pkg update" and rebooting will fix the problem.  Users still on 
> r151008 should upgrade to r151012 ASAP.
>
> SmartOS has standard upgrade procedures.
>
> Other distros' contacts are Bcc:ed here.  They will contact me if they have updates.
>
> Thank you!
> Daniel L. McDonald -- Illumos RTI Advocate, and unofficial Security Coordinator