By martin on Feb 13, 2007
It was with great interest I watched the events related to the remote telnet exploit (102802) on Sunday.
I've put down a timeline (in PST/GMT-8) of the events, so you can follow how quickly people reacted:
- Feb 11, 2007 09:35
Link to the exploit posted in the security-discuss forum.
- Feb 11, 2007 11:45
Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
- Feb 11, 2007 15:03
First fix available internally
- Feb 11, 2007 15:54
Code review performed
- Feb 11, 2007 16:46
Newer, better fix - it relies on login(1)'s getopt() compliance and passes "--" between everything else and $USER.
- Feb 11, 2007 16:51
RTI draft created
- Feb 11, 2007 18:25
- Feb 11, 2007 18:31
- Feb 11, 2007 18:33
Fix integrated into Nevada
From report to integrated fix in 9 hours - not bad! Especially since this was on a Sunday. Lots of people were involved in this, but the one who deserves the most praise is Dan McDonald.
Apart from this, the event resulted in a spree of emails on how we can improve - everything from the bug/development/RTI process to the external communication. I think we handled this first OpenSolaris fire drill very well, but it is far from perfect. We can certainly do better on the communications part - one should always strive to better oneself!
If you have feedback and/or suggestions on what we can/should improve in this process, let us know by posting here.