[oi-dev] Security Work

Alan Coopersmith alan.coopersmith at oracle.com
Mon Jan 24 17:50:02 UTC 2011


On 01/24/11 09:26 AM, Alasdair Lumsden wrote:
> On 01/24/11 05:12 PM, Joerg Schilling wrote:
> 
>> If you believe there are security issues that need to be addressed, please make
>> a bug report into the Schillix-ON Bug Tracking system:
> 
> Hi Joerg,
> 
> As we're currently using Illumos as our upstream ON, it makes sense for us to
> file and track the bugs on the Illumos bug tracker.
> 
> But we'll share info and cooperate where we can.
> 
> The issue we have at present is that Oracle's CVE reports contain virtually no
> information.
> 
> Apologies for the formatting (copy/pasted) but here's the list that came from
> Oracle's "CPU January 2011" for snv_151a:
> 
> http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
> 
> CVE-2010-2632  ONNV FTP Service
> CVE-2010-4440  ONNV Kernel       Unspecified vulnerability - "allows local users
>                                  to affect availability via unknown vectors"
> CVE-2010-4442  ONNV Kernel       Unspecified vulnerability - "allows local users
>                                  to affect availability via unknown vectors"
> CVE-2010-4443  ONNV Kernel NFS   Unspecified vulnerability - "allows local users
>                                  to affect availability via unknown vectors"
> CVE-2010-4446  ONNV Kernel RDS Infiniband
>                                  Unspecified vulnerability - "allows local users
>                                  to affect availability via unknown vectors"
> CVE-2010-4457  ONNV Kernel CIFS  Unspecified vulnerability - "allows remote
>                                  attackers to affect availability, related to SMB
>                                  and CIFS"
> CVE-2010-4458  ONNV Kernel ZFS   Unspecified vulnerability - "allows local users
>                                  to affect availability, related to ZFS"
> CVE-2010-4459  ONNV Kernel sockfs
>                                  Unspecified vulnerability - "allows local users
>                                  to affect availability via unknown vectors,
>                                  related to SCTP and Kernel/sockfs"
> 
> From what I've seen, they don't appear to have disclosed enough information to
> locate and fix said security issues. As an example:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2632
> 
> Completely unhelpful :-(

Unfortunately, Oracle's policies, like Sun's, are to not publish details of
security bugs.  (For instance, bugs.opensolaris.org has never shown any bug
report marked as a security bug, even after patches were available and even
if it only said "Apply upstream security fix for CVE-xxxx-xxx to open source
package libfoo.", since the Sun bug database has just a simple on/off toggle
for security issue, and no way to distinguish between public & private issues.)

You'll see many of the bugs are listed as fixed in snv_151a, since that was the
supported release/build that customers could upgrade to for those fixes, but
some landed in earlier builds, so you may have some of those fixes.  (I see
two marked as fixed in snv_147 - unfortunately, the others are all marked as
fixed in snv_148 or later.)

-- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System