Subject: Re: Sun Security Bulletin #00195 (fwd)
From: Alan J Rosenthal (flaps DGP.TORONTO.EDU)
Date: Wed Aug 02 2000 - 19:29:46 CDT
> Vulnerable: SunOS 5.7, 5.7_x86, 5.6, and 5.6_x86
> Not vulnerable: All other supported versions of SunOS.

by gum, I HATE these. Is solaris 2.5 vulnerable? Is solaris 2.5.1
vulnerable? Inquiring minds want to know! If some of those aren't supported,
fine, don't answer... but does the above refuse to answer for 2.5.1 or does
it assert that it's not vulnerable? Greater men than you or I have gone
to their graves without knowing.

I mean, there aren't so many other supported versions of SunOS that they
couldn't list them. Also, in a few months' time it will be harder when
reading this advisory to determine which versions of SunOS were supported
*then*, when the advisory was *written*, as opposed to at the time the
advisory is being *read*. I'm sure I'm not the only person on this mailing
list who frequently has the task of bringing some poorly configured obscure
version of some OS up to date on security patches. One doesn't always have
the luxury of having followed these matters as they evolved. But that's
not all; I truly don't know whether or not solaris 2.5.1 is still supported
and it would take some checking to find out (using web pages which may or
may not be up to date), whereas the people writing the advisory surely must
know whether or not they are claiming that 2.5.1 isn't vulnerable.

(fortunately I removed set[ug]id bits from /usr/lib/lp/bin/netpr and
/usr/bin/lpset quite a long time ago, so it doesn't have to matter to me,
which is one of the few things which keeps me sane [funny John Cleese face])