Tuesday Aug 03, 2010

Mapping between CVE numbers and Solaris patches for CPU July 2010

Oracle updated the July 2010 Critical Patch Update documentation to provide the mapping between CVE numbers and Solaris patches. This mapping is also provided in the table below.

We encourage customers to contact secalert_us@oracle.com to ensure that Oracle's updated documentation meets the needs of its customers, particularly as they relate to the CVE to patch mapping.

Your feedback will help Oracle understand the specific requirements of your organization and, for example, will help determine whether such a mapping should be included in all CPU advisories. Below is the mapping table between CVE numbers and Solaris patches. This information will also be available in the updated patch availability document referenced in the Critical Patch Update.

You can find the July 2010 Critical Patch Update at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html.

CVE # Component Solaris 8 Solaris 9 Solaris 10
CVE-2010-0083 ToolTalk 110286-17 110287-17 112808-11 113797-09 143733-01 143734-01
CVE-2008-4247 FTP Server 111606-08 111607-08 114564-15 114565-15 140399-03 140400-03
CVE-2010-0916 rdist 140159-03 140160-03
CVE-2010-2392 ZFS 142900-12 142901-12
CVE-2010-2386 GigaSwift Ethernet Driver 111883-37 112817-33 117714-17 118777-14 118778-12
CVE-2010-2394 TCP/IP 142900-12 142901-12
CVE-2010-2399 Kernel/VM 142900-07 142901-07
CVE-2010-2400 Kernel/Filesystem 122300-50 122301-50 142900-08 142901-08
CVE-2010-2393 Kernel/RPC 144254-01 144255-01
CVE-2010-2376 Solaris Management Console 113749-04 113750-04 114503-17 114504-17 119315-21 119316-21
CVE-2010-2382 Install Software 109318-40 109319-39 113434-38 114196-36 119534-19 119535-19
CVE-2010-2383 NFS 119819-03 119820-03 122300-53 122301-52 144106-01 144107-01
CVE-2010-2384 Solaris Management Console 144323-01 144324-01 144325-01 144326-01

Note: Releases or platforms for which no patch is listed are not vulnerable to the corresponding issue.
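As an added example (not part of Oracle's advisory or documentation), a small Python check that parses `showrev -p` output and reports which CVEs from the table above still lack a listed patch at the required revision. The `showrev -p` sample is constructed, only a subset of the table is encoded, and because the table's release columns are not reproduced here, any listed patch ID installed at the required revision or later counts as fixed.

```python
import re

# Subset of the CVE-to-patch mapping from the table above. The table's
# per-release columns are not reproduced, so every listed patch ID is
# checked and a CVE counts as fixed if any of them is installed at the
# required revision or later.
CPU_JUL_2010 = [
    ("CVE-2010-0083", "ToolTalk", ["110286-17", "110287-17", "112808-11",
                                   "113797-09", "143733-01", "143734-01"]),
    ("CVE-2010-2392", "ZFS", ["142900-12", "142901-12"]),
    ("CVE-2010-2399", "Kernel/VM", ["142900-07", "142901-07"]),
    ("CVE-2010-2383", "NFS", ["119819-03", "119820-03", "122300-53",
                              "122301-52", "144106-01", "144107-01"]),
]

# Constructed sample of `showrev -p` output (one "Patch:" line per patch).
SAMPLE_SHOWREV = """\
Patch: 142900-09 Obsoletes: 140163-04 Requires: 120011-14 Incompatibles:  Packages: SUNWckr
Patch: 143733-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtltk
Patch: 144106-01 Obsoletes:  Requires: 142900-08 Incompatibles:  Packages: SUNWnfscr
"""

# Solaris patch IDs are six digits followed by a two-digit revision.
PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def installed_patches(showrev_output):
    """Map patch ID -> highest installed revision found in showrev -p text."""
    installed = {}
    for line in showrev_output.splitlines():
        m = PATCH_RE.match(line)
        if m:
            pid, rev = m.group(1), int(m.group(2))
            installed[pid] = max(rev, installed.get(pid, 0))
    return installed


def missing_fixes(showrev_output, mapping=CPU_JUL_2010):
    """Return (CVE, component) pairs for which no listed patch is installed
    at the required revision or newer. A later revision of the same patch
    ID includes the earlier fixes, so rev >= required is sufficient."""
    installed = installed_patches(showrev_output)
    missing = []
    for cve, component, patches in mapping:
        fixed = any(installed.get(p.split("-")[0], 0) >= int(p.split("-")[1])
                    for p in patches)
        if not fixed:
            missing.append((cve, component))
    return missing
```

Feed it the real output of `showrev -p` (or `patchadd -p`) from the host; a CVE reported as missing for a release with no patch in the table is not affected per the note above and can be dismissed.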

Wednesday Dec 02, 2009

Solaris 10 Security Essentials by Sun Microsystems Security Engineers published in Paperback

Prentice Hall has published the book Solaris 10 Security Essentials, which describes the various security technologies contained in the Solaris operating system. It is now available at Amazon.com or Safari.

"Solaris™ 10 Security Essentials describes the various security technologies contained in the Solaris operating system. The book describes how to make installations secure and how to configure the OS to the particular needs of your environment, whether your systems are on the edge of the Internet or running a data center. The authors present the material in a straightforward way that makes a seemingly arcane subject accessible to system administrators at all levels.

"The strengths of the Solaris operating system’s security model are its scalability and its adaptability. It can protect a single user with login authentication or multiple users with Internet and intranet configurations requiring user-rights management, authentication, encryption, IP security, key management, and more. This book is written for users who need to secure their laptops, network administrators who must secure an entire company, and everyone in between."

Authors include Glenn Brunette, Hai-May Chao, Martin Englund, Glenn Faden, Mark Fenwick, Valerie Anne Fenwick, Wyllys Ingersoll, Wolfgang Ley, Darren Moffat, Pravas Kumar Panda, Jan Pechanec, Mark Phalan, Darren Reed, Scott Rotondo, Christoph Schuba, Sharon Read Veach, Joep Vesseur, and Paul Wernau.

Solaris 10 Security Essentials; Sun Microsystems Security Engineers; Prentice Hall PTR; November 23, 2009; ISBN 978-0137012336

Thursday Jun 25, 2009

Solaris not impacted by CVE-2009-0159

CVE-2009-0159 describes a security issue in the ntpq(1M) program which could allow remote NTP servers to crash the ntpq program or to execute arbitrary code when ntpq is used to query them.

Sun has examined the implementation of the ntpq(1M) command that is shipped with Solaris and has determined that although the affected code is present and has been fixed as Sun bug ID 6831824, it is not possible to exploit this issue on Solaris to execute arbitrary code or to crash the ntpq command.

Monday Jul 28, 2008

ISRs available for BIND DNS vulnerability VU#800113

Interim Security Reliefs (ISR) that fix CVE-2008-1447 (VU#800113) in Solaris 8 and 9 are available from http://sunsolve.sun.com/tpatches for the following releases:

SPARC Platform

  • Solaris 9 IDR138950-02 (MD5 = bdbe15fedd50858fbfbbe457867d731c)
  • Solaris 8 IDR138951-01 (MD5 = aca3c968346c05baabea9cf4bda941a9)

x86 Platform

  • Solaris 8 IDR138959-01 (MD5 = 92679afe992097f0b863b78fd5935cba)
  • Solaris 9 IDR138958-02 (MD5 = c55025147410880848d611d0b2c50754)

These ISRs deliver BIND 9 with the fix for CVE-2008-1447. Solaris 8 and 9 ship BIND version 8, in which the needed fix cannot be implemented because of the design of the fix. In addition, BIND 8 has already reached end of life (EOL) according to ISC.

Sun is currently working on a patch to release the fixed BIND version 9 for Solaris 8 and 9 (replacing the EOL BIND 8 there). Changing the release from BIND 8 to BIND 9 is not a trivial task, and therefore the patches to address this are still in progress.

Users MUST completely re-configure BIND as per the instructions in /usr/lib/dns/migration.txt in order to use the new BIND 9 and the fixes that these patches deliver. This migration document is shipped as part of the IDRs at SUNWcsu/reloc/usr/lib/dns/migration.txt.

Please refer to Sun Alert 239392 "Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning", Sun Alert 240048 "Update to Sun Alert 239392" and US-CERT Vulnerability Note VU#800113 for more details on this vulnerability.

NOTE: Interim Security Reliefs (ISRs) are designed to address the concerns identified herein. Sun has limited experience with these ISRs due to their interim nature. As such, you should only install the ISRs on systems meeting the configurations described above. Sun may release full patches at a later date; however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.

Tuesday Jul 22, 2008

Solaris 10 11/06 achieves Common Criteria EAL4+ CAPP/RBACPP/LSPP

Solaris 10 11/06 now has a Common Criteria EAL4+ certification for CAPP/RBACPP/LSPP. For full details see the press release. Details of all Solaris Common Criteria certifications are available on the security certifications page.

- Darren

Thursday Sep 06, 2007

Beginning of the End for separate Solaris Data Encryption Kit (SUNWcry)

The removal of the Solaris Data Encryption Kit has been quite a difficult and long process for us, so we are taking a different approach for Solaris 10 and for OpenSolaris. Valerie Bubb has information on how it has been done for Solaris 10 and is also currently running the code review for the OpenSolaris variant, which is the full fix for this. - Darren

Monday Jul 30, 2007

Trusted Extensions now open and core

Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era. Not only is it now part of the Solaris 10 binary product, but there were two significant changes.

  • First, the packages are no longer extra and are always installed. Turning on Trusted Extensions is now just a matter of starting the labeling service: 'svcadm enable labeld'. This architecture change is discussed in PSARC/2006/254.
  • Secondly, the source code to what was previously called the "TLC" gate migrated into the ON gate. Most of this is in usr/src, i.e. it is open and under the CDDL license. However, there is one part that ended up in usr/closed, and that is labeld. The information on how to call labeld is open, so in theory other distros could create their own replacement daemon.

This is just the first part; the corresponding changes need to happen for the TX supplementary code for the other consolidations, including JDS.

- Darren

Tuesday Jun 12, 2007

SPOTD: Eine Kleine SicherheitGeekMusik

As mentioned, I was visiting the USA last week and stopped in on my former colleague and friend Keith Watson, who introduced me to the delights of MCPlus+ ("EmCeePlusPlus"), a nerdcore / geek-rap act who sing about cryptography and maths.

Cryppies will want to listen to track 4 off the album 'Algorhythms', viz. Alice and Bob.


SLOTD: A couple of security podcasts

A couple of podcasts on various security topics can be found on sun.com/security.

The Systemic Security recording is of Hal Stern talking to Glenn Brunette about what we're building, documenting and sharing to (help) make everything that gets deployed more secure.

In the Solaris podcast they are joined by Darren Moffat, and chat about what security features we have in Solaris (crypto, Trusted Extensions, RBAC...) and what will be coming in the future.

Elliptic Curve Cryptography is the topic of the third podcast, this time with Hal discussing matters with Vipul Gupta. After an overview of what ECC is, they look at the interoperability aspects of these algorithms.

Update: To hear another voice -- Joel Weise's -- on one of the topics Hal raised in those podcasts there's the systemic security "Net Talk" programme.


Thursday May 17, 2007

reference security videos

This is a posting in the Security Community 'Reference' category; the function of postings placed in this category is to aggregate links to other useful postings in a single meta-posting, which can be referenced via a link in the Security Community Blog sidebar and which will be re-posted on the blog each time it is refreshed by a member of the security community.

This posting is a list of security video blogs which have been posted to the community.


This blog provides security vulnerability fix notifications relevant to third party software components distributed and supported as part of Oracle Products.
Summarized version of this blog is available as a mapping of CVEs and solutions.
