Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sun Security Patch Introduces Security Hole

Posted by CowboyNeal on from the patches-for-patches dept.

Rich0 writes "Sun is announcing that their 'Security Hardening Package' for their Cobalt RaQ 4 Linux servers allows remote users to execute arbitrary code. Ironically, the solution is to remove the package, potentially removing protection from other compromises. There's a CERT advisory, as well as an article posted on Extremetech." Yikes, one would hope there's a forthcoming patch in the works.

3 of 265 comments (clear)

  1. we cobalt owners call this par for the course by kraksmoka · · Score: 5, Informative
    as a proud owner/admin of a Cobalt Raq2, i'd like to announce that this is not the end of the world to us, no matter how bad it looks on the front page of /.

    that particular machine runs a custom rolled distro of Red Hat 6.2 and has been known to be very reliable, and have mild issues from updates. every one of the holes it covers has some sort of workaround, which those admins have probably employed already.

    i'd like to take this opportunity to complement the Cobalt Raq Users List members as well. without people like bruce timberlake, jeff lasman, steve werby (a /. contributor) and a whole host of others (can't name everyone) the raq has a vibrant community of admins willing to help even the newbiest of owners.

    my machine runs on a lovely 64-bit mipsel processor from MIPS and is one of the dutch (sun bought cobalt a while back, it started on the other side of the pond) original models. they are tremendously power efficient, quiet and dependable boxen. mine uses a dinosauric 2.0 kernel and modified red hat 5.1 , and runs php 4.1.2/mysql like a champ.

    not only that, but the cobalt raq IS a web appliance. In other words, its not really meant to do all that out of the box (back then anyway). today's raqs run a full gamut of oss and free software, and come pre-installed with everything you need as a webmaster.

    it is an oustanding machine for NT admins to learn how to switch over, with the cushion of a working system to learn from.

    yes, sun doesn't always get it right, but they put their backs into it so to speak, and it is not unusual for a Cobalt engineer to post solutions (even unofficial ones) to the list.

    for all you cobalt users out there, you know what i'm saying, and if you're not on the list, you're missing out.

    this post has voided your warranty. peace.

    --
    "You never want a serious crisis to go to waste." - Rahm Emanuel
  2. There is a patch already by lifeless · · Score: 5, Informative

    Has *anyone* actually read the SUN announcement.

    I quote:
    ===
    5. Resolution

    This issue is addressed in the following releases:

    Intel

    * http://ftp.cobalt.sun.com/pub/packages/raq4/eng/Ra Q4-en-Security-2.0.1-SHP_REM.pkg or later
    ===

    1. Re:There is a patch already by mccalli · · Score: 5, Informative
      It's not a resolution - it's a removal procedure for the flawed patch. There's no replacement in functionality for the original.

      Cheers,
      Ian
      (Raq 4 owner)