[oi-dev] Security Work

Alasdair Lumsden alasdairrr at gmail.com
Mon Jan 24 17:26:08 UTC 2011


On 01/24/11 05:12 PM, Joerg Schilling wrote:

> If you believe there are security issues that need to be addressed, please make
> a bug report into the Schillix-ON Bug Tracking system:

Hi Joerg,

As we're currently using Illumos as our upstream ON, it makes sense for 
us to file and track the bugs on the Illumos bug tracker.

But we'll share info and cooperate where we can.

The issue we have at present is that Oracle's CVE reports contain 
virtually no information.

Apologies for the formatting (copy/pasted) but here's the list that came 
from Oracle's "CPU January 2011" for snv_151a:

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

CVE-2010-2632  ONNV FTP Service
CVE-2010-4440  ONNV Kernel
    Unspecified vulnerability - "allows local users to affect availability via unknown vectors"
CVE-2010-4442  ONNV Kernel
    Unspecified vulnerability - "allows local users to affect availability via unknown vectors"
CVE-2010-4443  ONNV Kernel NFS
    Unspecified vulnerability - "allows local users to affect availability via unknown vectors"
CVE-2010-4446  ONNV Kernel RDS Infiniband
    Unspecified vulnerability - "allows local users to affect availability via unknown vectors"
CVE-2010-4457  ONNV Kernel CIFS
    Unspecified vulnerability - "allows remote attackers to affect availability, related to SMB and CIFS"
CVE-2010-4458  ONNV Kernel ZFS
    Unspecified vulnerability - "allows local users to affect availability, related to ZFS"
CVE-2010-4459  ONNV Kernel sockfs
    Unspecified vulnerability - "allows local users to affect availability via unknown vectors, related to SCTP and Kernel/sockfs"

From what I've seen, they don't appear to have disclosed enough 
information to locate and fix said security issues. As an example:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2632

Completely unhelpful :-(

Regards,

Alasdair



