[17287] in bugtraq


Re: Solaris libc locale format string exploit

daemon@ATHENA.MIT.EDU (Jefferson Ogata)
Fri Oct 20 20:32:44 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <39F06AA4.A1753C04@nodc.noaa.gov>
Date:         Fri, 20 Oct 2000 11:54:12 -0400
Reply-To: Jefferson Ogata <jogata@NODC.NOAA.GOV>
From: Jefferson Ogata <jogata@NODC.NOAA.GOV>
To: BUGTRAQ@SECURITYFOCUS.COM

Atro Tossavainen wrote:
>
> My local Sun rep told me on Oct 3 that they have fixes ready for all
> supported software releases and platforms and that evaluation patches
> would be sent to customers in a few days.
>
> Obviously not.
>
> I asked him again yesterday, with the response that the kernel update
> process for all supported software releases and platforms is rather
> tedious and lengthy, and that's why it's taking so long.
>
> I'm not happy, and the people I work for are even less so, but it's
> better than not hearing back from them at all.

If Sun is doing things right, a libc update means rebuilding any statically
linked executables as well, and regression testing them, along with rigorous
testing of the patch installation procedure. Then there's obviously potential
impact on all dynamically linked executables. This is a lot hairier than the
periodic patch to ufsrestore. ;^)

No excuse for giving a date and not keeping it, though.

--
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
