On Mon, 18 Sep 1995, Goetz von Escher wrote:

> I just called local Sun support. They don't know anything about this
> hole and they don't accept the 8lgm advisory as a problem report as we
> cannot prove that the bug exists on *our* SunOS host. Ouch! I cannot
> believe that nobody else has opened a service call or bug fix request
> (or whatever Sun calls this) at Sun Microsystems. They referred me to
> patch 100909-03 which fixed a hole in syslogd for SunOS 4.1.3...

Sun is usually a little slow in responding to these reports. I think they look at them with caution, which may be a good thing, before issuing their own "statement." However, if Sun said they had "a" fix for one hole in syslogd, then you may want to check it out.

NOTE: I am not saying it is bad that Sun takes their time to respond. I would rather see them analyze the problem and react properly than hastily (but they should respond in a timely manner).

As for me... I replaced my syslog with the one from NetBSD with no major hassles.

> My questions are:
>
> - Is there an official patch from Sun and what's the patch-ID?

If they gave you the above patch number, that's all they have at this time.

> - Has anybody talked to Sun about this problem?

I talk to Sun about a lot of things... mainly to friends who work there and they're getting tired of hearing from me! :-)

When you talk to Sun about any problem with SunOS (or Solaris 1.1 as they'd rather call it), you'll get the corporate response: "upgrade" to Solaris 2. Sources tell me that by mid-96, SunOS will be treated like a leper child similar to the way they treat the old MC68K-based systems. Sun is no longer doing development on SunOS and even security patches will stop at that time.

If you can, you may want to look into replacing SunOS with NetBSD. I think that is my next step (I am not a fan of Solaris 2).

> - Is Sun working on a patch?

Probably. If it makes these groups (BUGTRAQ and Firewalls, usually) they may move quicker.

Sun's patch archive for non-contract customers is available via ftp at sunsolve1.sun.com:/pub/patches. They do have a Web page, but I use ncftp and find it easier just to deal with their ftp site.

scott barman
--
scott barman            DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com    and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."