[9072] in bugtraq
Re: Checking for most recent Solaris Security Patches
daemon@ATHENA.MIT.EDU (Jon Ross)
Fri Jan 15 12:26:08 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG, Linux Mailing Lists <linux@AIIND.UPV.ES>
Date: Fri, 15 Jan 1999 09:00:12 +0100
Reply-To: Jon Ross <jonr@SDATA.NO>
From: Jon Ross <jonr@SDATA.NO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.990113212013.718A-100000@andercheran.aiind.upv.es>; from Linux Mailing Lists on Wed, Jan 13, 1999 at 09:26:51PM +0100
On Wed, Jan 13, 1999 at 09:26:51PM +0100, Linux Mailing Lists wrote:
> Hello,
>
> > Or use the automated email patch status robot at pogostick.net.
> > See http://pogostick.net/~pdiag/english.html
> > (or http://pogostick.net/~pdiag/ if you want it in Norwegian)
> > for more info.
>
> Doesn't sound very good to send the configuration of your machine over the
> internet by email. What if someone gets it and uses that information to
> know the vulnerabilities of your server? Using your service he would know:
Our (my) service makes no pretence of being a service that extremely
vulnerable machines should use. But then again, the mail you send
doesn't need to identify _which_ machine the showrev output is from.
Just take the showrev/pkginfo from one machine, put it into a file,
email it from another machine (with correct subject).
So any eavesdropper would only know that somewhere (in the world) there
is a Sun/Solaris machine with this software/patchlevel.
> * Which Software you have installed in your server
> * Which patches you have applied (and what's more interesting, which
> patches you *haven't* applied)
> * The OS version, platform, etc...
> * Your server's name
>
> Mmmmmmm... Just the information someone would need to hack your system :)
>
> What about making public the program you use, to run it locally?
>
> (showrev -p ; pkginfo -l)|yourniceprog
The program is just an email wrapper around Sun's patchdiag (currently v 1.0.2).
Many other nice people have submitted programs to this (bugtraq) mailing list
that let you do this locally.
>
> Greetings,
> Sergio
>
> PS: Who knows who is really receiving your information at
> pdiag@pogostick.net ;)
I do!
--
Jon Ross, Ark Norge AS - Divisjon Skrivervik Data,
P.B. 3885 U.S., N-0805 OSLO, NORWAY
Phone +47 2218 5891, Cellular +47 915 35 708, Fax +47 2218 5998
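
The local check discussed in this thread, sketched as an added example that is not part of the original message and is not Sun's patchdiag: it parses `showrev -p` text and compares it with a locally held reference list, so no configuration data leaves the machine. The patch IDs, the reference dictionary and the function names are constructed for illustration, and obsoleted-patch handling is left out.

```python
import re

# Constructed sample of `showrev -p` output (patch IDs are made up for the example).
SAMPLE_SHOWREV = """\
Patch: 900001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 900001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 900002-01 Obsoletes: 900009-02 Requires:  Incompatibles:  Packages: SUNWcar
"""

# Hypothetical local reference list: patch base ID -> minimum recommended revision.
SAMPLE_RECOMMENDED = {"900001": 5, "900002": 4, "900003": 1}

PATCH_RE = re.compile(r"^Patch:\s*(\d{6})-(\d{2})\b")


def installed_patches(showrev_text):
    """Return {base_id: highest installed revision} from `showrev -p` text."""
    installed = {}
    for line in showrev_text.splitlines():
        m = PATCH_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a Patch: record
        base, rev = m.group(1), int(m.group(2))
        installed[base] = max(rev, installed.get(base, 0))
    return installed


def patch_report(showrev_text, recommended):
    """Compare installed revisions with the reference list, entirely offline."""
    have = installed_patches(showrev_text)
    report = {"current": [], "outdated": [], "missing": []}
    for base, want in sorted(recommended.items()):
        got = have.get(base)
        if got is None:
            report["missing"].append(f"{base}-{want:02d}")
        elif got < want:
            report["outdated"].append(f"{base}-{got:02d} -> {base}-{want:02d}")
        else:
            report["current"].append(f"{base}-{got:02d}")
    return report


if __name__ == "__main__":
    for status, items in patch_report(SAMPLE_SHOWREV, SAMPLE_RECOMMENDED).items():
        print(status, items)
```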