Re: [cobalt-security] Open letter to SUN/Cobalt
- Subject: Re: [cobalt-security] Open letter to SUN/Cobalt
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 2 May 2001 14:41:28 +0200
- Organization: Forumworld.com
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Open letter to SUN/Cobalt.
Known vulnerabilities of Cobalt RaQs:
===========================
For ages, Qpopper 2.53, which is commonly used on all RaQs, has allowed local
users to gain privileges via a formatting string in the From: header, which is
processed by the euidl command.
For several months now there have been a couple of known vulnerabilities in
ProFTPD 1.2.0rc3, which is commonly used on the RaQs. Among those exploits are
those which allow one to root a box or to run a DoS attack (the latter
vulnerability can be fixed with a small entry in the configuration file).
For weeks it has been known that all 2.2.X kernels below 2.2.19 can be rooted
by local users by exploiting the ptrace() and sysctl() bugs.
As far as I understand it there are no patches available to close *any* of
the above mentioned vulnerabilities on a RaQ3 or RaQ4 at the present time.
The RaQ4-All-Kernel-1.0.1-2.216C24III.pkg apparently doesn't fix what it's
supposed to fix, which members of this list just recently proved.
Question:
=======
Is it safe to assume that none of the above-mentioned holes will be closed in
the foreseeable future?
Otherwise, it would be nice to hear which holes you are planning to close,
and it would be nice to get an estimate on when that will be done for which
platform.
Personally I wouldn't expect that someone official from Cobalt steps out in
the open and says: "Sorry guys, it's your fault that you bought our stuff and
now you're on your own". But somehow that seems to be the bottom line of your
non-transparent upgrade and bugfix policy.
Especially the Qpopper and ProFTPD vulnerabilities are starting to become an
issue these days (greetings to China), and if you (SUN/Cobalt) have no plans
to attend to them, then it would be highly impractical if not suicidal if we
(customers, yours truly) stick to your upgrades instead of doing them
manually from available sources (and damn the warranty).
Just my 2 cents' worth of rant for the moment. Thanks for reading.
--
Mit freundlichen Grüßen / Best regards
Michael Stauber