Rapid response

It was with great interest I watched the events related to the remote telnet exploit (102802) on Sunday.

I've put down a timeline (in PST/GMT-8) of the events, so you can follow how quickly people reacted:

  • Feb 11, 2007 09:35
    Link to the exploit posted in the security-discuss forum.
  • Feb 11, 2007 11:45
    Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
  • Feb 11, 2007 15:03
    First fix available internally
  • Feb 11, 2007 15:54
    Code review performed
  • Feb 11, 2007 16:46
    Newer, better fix - relies on login(1)'s getopt() compliance and passes "--" between everything else and $USER, so the user-supplied name can never be parsed as an option.
  • Feb 11, 2007 16:51
    RTI draft created
  • Feb 11, 2007 18:25
    RTI submitted
  • Feb 11, 2007 18:31
    RTI approved
  • Feb 11, 2007 18:33
    Fix integrated into Nevada
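
The "--" fix in the timeline is a general defence against argument injection: whenever a server execs a program with an untrusted string as the last argument, a leading "-" in that string would otherwise be parsed as an option. The example below is added here to illustrate that mechanism; it is not the telnetd or login(1) code from Nevada. It assumes an illustrative option set for login (`-p` and `-h host`, here `LOGIN_OPTSTRING`), uses Python's `getopt` to stand in for a getopt(3)-compliant login, and uses constructed sample values for the host and user names.

```python
import getopt
from typing import List, Tuple

# Illustrative subset of option letters for the login(1) being invoked.
# Assumed for this demo; the post does not list login's real option set.
LOGIN_OPTSTRING = "h:p"


def build_login_argv(host: str, user: str, terminate_options: bool = True) -> List[str]:
    """Build the argv a telnetd-style server hands to login(1).

    `user` is untrusted: it arrives from the remote client. With
    terminate_options=True a literal "--" is placed between the server's
    own options and the name, which is the fix the post describes.
    """
    argv = ["login", "-p", "-h", host]
    if terminate_options:
        argv.append("--")          # end option parsing before the untrusted name
    argv.append(user)
    return argv


def parse_like_login(argv: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Simulate a getopt(3)-compliant login parsing its command line.

    Returns (options, operands). getopt.getopt stops at "--" and at the
    first non-option word, like POSIX getopt; an unknown option raises
    getopt.GetoptError, as a strict login would reject it.
    """
    return getopt.getopt(argv[1:], LOGIN_OPTSTRING)


def user_reaches_login_as_operand(host: str, user: str, terminate_options: bool) -> bool:
    """True when the untrusted name is delivered to login as its username
    operand; False when option parsing swallowed it as a flag (or part of
    one) or rejected it outright."""
    argv = build_login_argv(host, user, terminate_options)
    try:
        _opts, operands = parse_like_login(argv)
    except getopt.GetoptError:
        return False
    return operands == [user]


if __name__ == "__main__":
    host = "client.example.test"             # constructed sample value
    # Constructed names: an ordinary user and two that look like options.
    for user in ("alice", "-p", "-hbogus"):
        for fixed in (False, True):
            argv = build_login_argv(host, user, fixed)
            try:
                _opts, operands = parse_like_login(argv)
                verdict = "operand" if operands == [user] else "consumed as option"
            except getopt.GetoptError as err:
                verdict = f"rejected: {err}"
            print(f"{'with' if fixed else 'no  '} --  {argv!r:<60} -> {verdict}")
```

Running the block shows that an ordinary name parses the same way either way, while a name beginning with "-" is only delivered as the username operand once "--" precedes it; without the separator it is absorbed into login's option list. The same check applies to any exec of an external program with user-controlled trailing arguments, not just telnetd and login.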

From report to integrated fix in 9 hours - not bad! Especially since this was on a Sunday. Lots of people were involved in this, but the one who deserves the most praise is Dan McDonald.

Apart from this, the event resulted in a spree of emails on how we can improve - everything from the bug/development/rti process, to the external communication. I think we handled this first OpenSolaris fire drill very well, but it is far from perfect. We can certainly do better on the communications part - one should always strive to better oneself!

If you have feedback and/or suggestions on what we can/should improve in this process, let us know by posting here.


Comments:

FWIW, Fefe and Ilja joked about that telnetd exploit back at 23C3's comedy session, ~ 50 minutes into the avi. Why it took so long to surface on solaris mailing lists, no idea.

Posted by Dalibor Topic on February 15, 2007 at 09:02 PM PST #

About

martin
