Re: [cobalt-users] [RaQ4] FYI: Apache & SSL Update 2.0.1
- From: Travis Ogdon <togdon@xxxxxxxxxxxxxx>
- Date: Wed Oct 2 09:36:57 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Gerald Waugh wrote:
> Someone said it's using a patched openssl-0.9.2b
> Why they keep patching these old versions of software is beyond me.
> Must be that all the other cobalt specific stuff gets in the way.
>
> Waiting for confirmation!!!
That someone was wrong. They didn't even bother patching openssl. .pkg files
are nothing more than glorified .tgz files. A
tar -zxvf RaQ4-All-Security-2.0.1-2-15787.pkg
reveals that they've just packaged a Stackguarded version of apache-1.3.20
(hopefully they used the version that they patched against the Chunk
Handling Vulnerability, wouldn't want to be vulnerable to that again). We
waited a month for another band-aid that they forgot to put the sticky stuff
on.
Sun's approach to security, especially with respect to the Cobalt line, is
appalling. I've had to apologize to the NT admins for making fun of
Microsoft, at least they can be bothered to patch holes within a month.
Requests to sales reps and other contacts at Cobalt get punted around until
they are dropped. They give not only themselves but Linux as a whole a bad
name.
Anyone who is concerned with the security of the customer's data, and of
their servers should start looking elsewhere.
-- Travis