Thursday Jun 25, 2009

Solaris not impacted by CVE-2009-0159

CVE-2009-0159 describes a security issue in the ntpq(1M) NTP query utility (not a daemon): a malicious or compromised remote NTP server could return a response that crashes ntpq or executes arbitrary code when ntpq is used to query that server.

Sun has examined the implementation of the ntpq(1M) command that is shipped with Solaris and has determined that, although the affected code is present (and has been fixed as Sun bug ID 6831824), it is not possible to exploit this issue on Solaris to execute arbitrary code or to crash the ntpq command.

Tuesday Jun 02, 2009

CommunityOne Secure Programming slides

The slides and other supporting material from Scott Rotondo's CommunityOne talk on Secure Programming are now available from the OpenSolaris security community library pages. The talk covers how OpenSolaris uses lint extensions to find problems by static analysis at build time, as well as Parfait, a new static-analysis tool from Sun Labs.

- Darren

Monday Mar 23, 2009

Advance notification of Security Updates for Java SE

On March 24, 2009, Sun will release the following security updates:
  • JDK and JRE 6 Update 13
  • JDK and JRE 5.0 Update 18
  • SDK and JRE 1.4.2_20
  • SDK and JRE 1.3.1_25
The Sun Alerts corresponding to these updates will be published once the updates are available.

Monday Dec 01, 2008

Advance notification of Security Updates for Java SE

On December 2, 2008, Sun will release the following security updates:
  • JDK and JRE 6 Update 11
  • JDK and JRE 5.0 Update 17
  • SDK and JRE 1.4.2_19
  • SDK and JRE 1.3.1_24
The Sun Alerts corresponding to these updates will be published once the updates are available.

Monday Jul 28, 2008

ISRs available for BIND DNS vulnerability VU#800113

Interim Security Reliefs (ISRs) that fix CVE-2008-1447 (VU#800113) in Solaris 8 and 9 are available from http://sunsolve.sun.com/tpatches for the following releases (verify the MD5 checksum of each download against the value listed):

SPARC Platform

  • Solaris 8 IDR138951-01 (MD5 = aca3c968346c05baabea9cf4bda941a9)
  • Solaris 9 IDR138950-02 (MD5 = bdbe15fedd50858fbfbbe457867d731c)

x86 Platform

  • Solaris 8 IDR138959-01 (MD5 = 92679afe992097f0b863b78fd5935cba)
  • Solaris 9 IDR138958-02 (MD5 = c55025147410880848d611d0b2c50754)

These ISRs deliver BIND 9 with the fix for CVE-2008-1447. Solaris 8 and 9 ship BIND version 8, in which the needed fix cannot be implemented because of the design of the fix; BIND 8 is also already end of life (EOL) according to ISC.

Sun is currently working on a patch to deliver the fixed BIND 9 for Solaris 8 and 9 (replacing the EOL BIND 8 there). Moving a release from BIND 8 to BIND 9 is not a trivial task, so the patches to address this are still in progress.

Users MUST completely re-configure BIND as per the instructions in /usr/lib/dns/migration.txt in order to use the new BIND 9 and the fixes that these ISRs deliver. This migration document is shipped as part of the IDRs at SUNWcsu/reloc/usr/lib/dns/migration.txt.

Please refer to Sun Alert 239392 ("Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning"), Sun Alert 240048 ("Update to Sun Alert 239392") and US-CERT Vulnerability Note VU#800113 for more details on this vulnerability.

NOTE: Interim Security Reliefs (ISRs) are designed to address the concerns identified herein. Sun has limited experience with these ISRs due to their interim nature. As such, you should only install the ISRs on systems meeting the configurations described above. Sun may release full patches at a later date; however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.
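The practical question after installing an ISR and migrating to BIND 9 is whether the resolver now behaves the way the CVE-2008-1447 fix requires: the source port and transaction ID of every outbound query must be unpredictable, since a fixed port with a 16-bit ID is exactly what the cache-poisoning attack exploits. The script below is an added example, not part of the Sun post or of the ISRs; it assumes you feed it (source port, transaction ID) pairs pulled from a packet capture of the resolver's outbound UDP/53 queries (for instance with snoop(1M)), and the three sample sets it ships with are constructed, not captured traffic. It flags a fixed port, a low number of distinct values, and counter-like IDs (a constant step between consecutive queries, which a plain entropy count would miss).

```python
"""Check whether a resolver randomises the UDP source port and transaction
ID of its outbound queries, the property the CVE-2008-1447 fix depends on.
Added example (not Sun's code); input pairs are assumed to come from a
capture of the resolver's outbound DNS queries."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def step_regularity(values, modulus=65536):
    """Fraction of successive differences that share the single most common
    delta. A counter (+1 per query) scores 1.0; random values score near 0."""
    if len(values) < 2:
        return 0.0
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def assess_queries(queries, min_distinct_ratio=0.9, max_step_regularity=0.2):
    """queries: list of (src_port, txid) for consecutive outbound DNS queries.
    Returns the measurements plus a verdict string."""
    n = len(queries)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    report = {
        "samples": n,
        "port_distinct_ratio": len(set(ports)) / n,
        "txid_distinct_ratio": len(set(txids)) / n,
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "max_entropy_bits": math.log2(n),   # ceiling for a sample of n
        "port_step_regularity": step_regularity(ports),
        "txid_step_regularity": step_regularity(txids),
    }
    problems = []
    if (report["port_distinct_ratio"] < min_distinct_ratio
            or report["port_step_regularity"] > max_step_regularity):
        problems.append("source port not randomised")
    if (report["txid_distinct_ratio"] < min_distinct_ratio
            or report["txid_step_regularity"] > max_step_regularity):
        problems.append("transaction ID predictable")
    report["verdict"] = "OK" if not problems else "VULNERABLE: " + "; ".join(problems)
    return report


# Constructed samples for demonstration; replace with pairs from a capture.
def sample_fixed_port_sequential_txid(n=200):
    """Worst case: every query from port 53 with a counter as the ID."""
    return [(53, (1000 + i) % 65536) for i in range(n)]


def sample_fixed_port_random_txid(n=200, seed=1):
    """Random ID but one fixed source port: still only 16 bits to guess."""
    rng = random.Random(seed)
    return [(53, rng.randrange(65536)) for _ in range(n)]


def sample_randomised(n=200, seed=1):
    """What the BIND 9 migration should give: random ephemeral port and ID."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in [("fixed port, counter txid", sample_fixed_port_sequential_txid()),
                         ("fixed port, random txid", sample_fixed_port_random_txid()),
                         ("randomised", sample_randomised())]:
        r = assess_queries(sample)
        print(f"{name:26s} port H={r['port_entropy_bits']:.1f}b "
              f"txid H={r['txid_entropy_bits']:.1f}b -> {r['verdict']}")
```

The thresholds are deliberately loose: with a few hundred queries the entropy ceiling is only log2(n) bits, so the check reports distinct-value ratios and step regularity rather than demanding 16 bits of entropy. A resolver behind NAT can still fail this check even after the fix if the NAT device rewrites source ports to a small or sequential range, so capture on the outside of any NAT.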

Monday Jul 07, 2008

Advance Notification of Security Updates for Java SE

On July 8, 2008, Sun will release the following security updates:
  • JDK and JRE 6 Update 7
  • JDK and JRE 5.0 Update 16
  • SDK and JRE 1.4.2_18
  • SDK and JRE 1.3.1_23
The Sun Alerts corresponding to these updates will be published once the updates are available.

Monday May 19, 2008

Sun UK End to End Data Security briefing

Sun UK is running a morning briefing on End to End Security. The event is on Thursday 5th June in the London Customer Briefing Center (for LOSUG people this is the same place we meet). Details and registration information can be found here. Dave Walker and I are among the speakers.

-- Darren

Monday Mar 03, 2008

Advance notification of Security Updates for Java SE

On March 4, 2008, Sun will release the following security updates:
  • JDK and JRE 6 Update 5
  • JDK and JRE 5.0 Update 15
  • SDK and JRE 1.4.2_17
  • SDK and JRE 1.3.1_22
The Sun Alerts corresponding to these updates will be published once the updates are available.
As we announced in September 2007, this is the first set of synchronized releases for Java SE. Note, though, that prior to last year's announcement we had already fixed a few vulnerabilities in certain release families. These issues will be addressed in a synchronized fashion for all remaining release families through our synchronized security updates and will be noted accordingly in our Sun Alerts.

Friday Sep 28, 2007

Advance Notification of Security Updates for Java SE

Sun recently announced two new security response enhancements for Java SE. They include our plans for the synchronized release of Java SE security fixes, and advance customer notification of security updates. These new features are designed to complement Sun's existing Sun Alert notifications, as well as the built-in Java Auto Update tool for Microsoft Windows users. Details are available here.

The following is our first advance notification of security updates for Java SE.

In the week of October 1, 2007, Sun will release security updates as JDK and JRE 6 Update 3, JDK and JRE 5.0 Update 13, and SDK and JRE 1.4.2_16. This will be followed by the release of SDK and JRE 1.3.1_21 in the second week of October 2007.

This is Sun's first step towards the simultaneous release of security fixes across all supported Java SE release families. Sun expects to fully synchronize the release of security fixes across all supported releases, including J2SE 1.3.1, in 2008. Note that J2SE 1.3.1 has completed the Sun "End of Life" (EOL) process and is only supported for the Solaris Operating Environment and for customers on Sun's Vintage Support Offering.

Monday Jul 30, 2007

Trusted Extensions now open and core

Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era: beyond being part of the Solaris 10 binary product, two significant changes landed.

  • First, the packages are no longer an optional extra and are always installed. Turning on Trusted Extensions is now just a matter of enabling the labeling service: 'svcadm enable labeld'. This architectural change is discussed in PSARC/2006/254.
  • Secondly, the source code of what was previously called the "TLC" gate migrated into the ON gate. Most of it is in usr/src, i.e. it is open and under the CDDL license. One part, however, ended up in usr/closed: labeld. The information on how to call labeld is open, so in theory other distros could create their own replacement daemon.
This is just the first part; the corresponding changes still need to happen for the TX supplementary code in the other consolidations, including JDS.

- Darren

About

This blog provides security vulnerability fix notifications relevant to third-party software components distributed and supported as part of Oracle products.
A summarized version of this blog is available as a mapping of CVEs to solutions.
