
Re: [cobalt-users] OT brief note on: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail



Zeffie wrote:
>> that Mike and pkgmaster and others at least release patches that don't
>> require a patch to the patch.

> now "solar spammer" over there is just building the current version of ssh
> as needed...  they are not patches...  There are problems with that...  like
> some things might not work as expected...  it's fun to build the most
> current versions of everything and play with the new things they will do...
> I run a business and I don't need the latest version of everything... I
> need one I can count on to continue to work in the manner it has been
> working in...  while I have not tested or looked at solar spammers openssh,
> the whole concept of taking software from "some guy (I think) in europe (I
> think)...  is about as stupid as it gets...  it's openssh folks.. not rocket
> science!

Maybe you should test their OpenSSH package before knocking it?

The SolarSpeed company home page is located at
http://www.solarspeed.net/company/index.php

If you don't trust us Europeans, doesn't that cause you problems?

>> They also seem to beat Sun on patches by a
>> week to months!

> in most cases they didn't patch anything... they just make the new version
> and if it connects... it's good to go...
> 
> companies like sun and redhat like to look at the source code and how the
> software builds for its format and they actually read a lot of code it
> seems....  and they have a lot of people helping find and fix errors...  I
> can TRUST them!  I can't trust "some guy (I think) in europe (I think)..."

Red Hat had patches out for both OpenSSH and Sendmail *the same day*.
Quite a difference!

Sun hasn't even issued a security bulletin yet, and they usually do Solaris
first. Like someone else suggested, they are probably relying on Stackguard
catching the buffer overflows while they prepare updates, in a month or so.

Then again, they haven't updated the version for Sun Linux 5.0 either?
(which doesn't have any Stackguard. Fortunately Red Hat RPMs work there)

I'm not more fond of advertising than the next guy, and I do wish that
more people released their sources/patches (including us too, that is)
but you can't really blame anyone for trying? Just Sun, for not trying.

--anders

Blacksun, Inc.
http://www.blacksun.ca