When I did an interview for my current job in Sun I was asked what I didn’t like about the company. Having been the sysadmin for some machines in college, I hated Sun’s security patching policy. A vulnerability would be posted to Bugtraq and the students would soon start trying to exploit it. A source code patch would come out for other OSes, but the best you would get from Sun was a workaround. Eventually, often weeks or months later, a patch would come out.
A couple of years back we came up with IDRs (Interim Diagnostic Relief). The initial idea was to provide a way for engineers to deliver diagnostic binaries to customers to help solve their issues in a way that would be recorded on the system. Rather than giving the customer a tarball, the customer could now get a ‘patch’. IDRs show up in ‘patchadd -p’ and also block any patches from being installed on top of them, so an IDR has to be removed before the real patch will go on. It was quickly realised that this method also solved the problem of getting quick security fixes out to customers.
On Sunday a telnet vulnerability came up on opensolaris-discuss. Alan and Dan have described a bit about how the issue was fixed. The code in OpenSolaris was fixed within hours and posted to opensolaris-discuss. By this morning, Irish time, patches for Solaris 10 were submitted and ready for testing, and soon afterwards they were pushed to the team responsible for getting them onto SunSolve. The patches are now available: 120068-02 and 120069-02.
Two things have struck me from this experience:
1) OpenSolaris. Someone posted the vulnerability and a Sun engineer was online and acted on it. Having the discoverer contact Sun privately would have been preferable, I guess. But once the vulnerability was out there, OpenSolaris was ready to fix it!
2) Sun has got a hell of a lot better at patching security vulnerabilities. It’s gone from the months that I remember to 48 hours for a fully tested and supported patch. And there are probably places where a couple more hours could have been shaved off. Congrats to all involved.
OK, three things.
3) Stop using telnet. Use ssh. Then run ‘netservices limited’! 🙂
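As an added example (not code from the original post, nor from Sun), here is a small POSIX sh script that does the two checks a practitioner would want after reading this: it parses a ‘patchadd -p’ listing to tell whether the telnet patch named above is installed, or whether an IDR is sitting there blocking it, and on request applies the mitigation from point 3. It assumes that 120068 is the SPARC patch and 120069 the x86 one, that IDRs appear in ‘patchadd -p’ as ‘IDR<number>-<rev>’, and that the listings embedded in it are constructed samples rather than output captured from a real system. ‘svcadm’, ‘svcs’ and ‘netservices limited’ are the real Solaris 10 commands and are only run when the script is invoked with ‘--apply’.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a `patchadd -p` style
# listing for the Solaris 10 telnet patch and, with --apply, disables telnet.

# Patch base IDs from the post. Assumption: 120068 is SPARC, 120069 is x86.
TELNET_PATCH_SPARC=120068
TELNET_PATCH_X86=120069
TELNET_PATCH_MINREV=2

# installed_rev <base-id> <listing>: prints the highest installed revision
# of that patch (e.g. "2" for 120068-02), or nothing if it is not installed.
installed_rev() {
    base="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v base="$base" '
        BEGIN { best = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (p[2] + 0) > best) best = p[2] + 0
        }
        END { if (best > 0) print best }'
}

# has_idr <listing>: true if any IDR is installed. Assumption: IDRs show up
# in `patchadd -p` as "IDR<digits>-<rev>". An installed IDR blocks the real
# patch from going on, so it must be removed (patchrm) first.
has_idr() {
    printf '%s\n' "$1" | awk '
        $1 == "Patch:" && $2 ~ /^IDR[0-9]+-[0-9]+$/ { found = 1 }
        END { exit !found }'
}

# telnet_fix_status <sparc|i386> <listing>: prints patched, unpatched or
# blocked-by-idr; exit status is 0 only when the fix is on.
telnet_fix_status() {
    arch="$1"; listing="$2"
    case "$arch" in
        sparc)    base="$TELNET_PATCH_SPARC" ;;
        i386|x86) base="$TELNET_PATCH_X86" ;;
        *)        echo unknown-arch; return 2 ;;
    esac
    rev=$(installed_rev "$base" "$listing")
    if [ -n "$rev" ] && [ "$rev" -ge "$TELNET_PATCH_MINREV" ]; then
        echo patched; return 0
    fi
    if has_idr "$listing"; then
        echo blocked-by-idr; return 1
    fi
    echo unpatched; return 1
}

# Live check on a Solaris 10 box (not run by default).
check_live() {
    telnet_fix_status "$(uname -p)" "$(patchadd -p 2>/dev/null)"
}

# Point 3 of the post: turn telnet off, make sure ssh is on, then drop the
# rest of the network services. Real Solaris 10 commands; only run on --apply.
harden() {
    svcadm disable svc:/network/telnet:default
    svcadm enable  svc:/network/ssh:default
    netservices limited
    svcs -a | grep -E 'network/(telnet|ssh)'
}

# Constructed sample listings in `patchadd -p` format (not real captures;
# 100000-01 and IDR123456-01 are placeholders).
SAMPLE_PATCHED='Patch: 100000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 120068-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtnetd'
SAMPLE_OLD='Patch: 120068-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtnetd'
SAMPLE_IDR='Patch: IDR123456-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtnetd'

case "${1:-}" in
    --apply) harden ;;
    --live)  check_live ;;
    *)
        echo "sparc, 120068-02 installed: $(telnet_fix_status sparc "$SAMPLE_PATCHED")"
        echo "i386,  only sparc patch:    $(telnet_fix_status i386  "$SAMPLE_PATCHED")"
        echo "sparc, old revision -01:    $(telnet_fix_status sparc "$SAMPLE_OLD")"
        echo "sparc, IDR installed:       $(telnet_fix_status sparc "$SAMPLE_IDR")"
        ;;
esac
```

Run it with no arguments to see the four sample verdicts, with ‘--live’ on a Solaris 10 host to check the real ‘patchadd -p’ output for the architecture ‘uname -p’ reports, and with ‘--apply’ as root to disable telnet and run ‘netservices limited’. A ‘blocked-by-idr’ result is the case the post warns about: ‘patchadd’ will refuse the real patch until the IDR is removed.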