Re: Sun Patches timetable
From: Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca)Date: 10/24/01
- Previous message: Joseph Tam: "Re: chroot and BIND"
- Maybe in reply to: SecLists: "Sun Patches timetable"
- Next in thread: Scot Bellis: "RE: Sun Patches timetable"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200110241431.f9OEVLe45857@cwsys.cwsent.com> From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: Matt Collins <matt@clues.com> Subject: Re: Sun Patches timetable Date: Wed, 24 Oct 2001 07:31:00 -0700
In message <20011024150113.A62833@sherlock.clues.com>, Matt Collins
writes:
> On Tue, Oct 23, 2001 at 06:05:46AM -0700, Cy Schubert - ITSD Open Systems Gro
> up wrote:
> > In message <Pine.BSO.4.40.0110221353080.13904-100000@secure.stargate.net
> > >, SecL
> > ists writes:
> > > hello all...
> > >
> > > I am just wondering if any of you have a decent system / timetable for
> > > installing the latest patch clusters from Sun. They seem to be updated
> > > twice a month but I don't think it is necessarily possible to down all of
> > > our production boxes twice a month... not to mention the number of boxes
> > > we have... we would finish and then have to start all over again...
> >
> > My team applies patches each quarter. As patches can only be applied
> > Sunday mornings, the process does take a couple of months before we're
> > done, starting with less critical systems and completing with the most
> > mission critical systems, so by the time the most critical systems have
> > patches applied, they've been fully tested on less critical systems.
> >
> > Why each quarter? It's something I'd been doing for 19 years on the
> > mainframe environment, so when I came over the the UNIX environment 9
> > years ago, it seemed second nature to continue the schedule. IMO this
> > strategy has saved many days or even weeks that would have been spent
>
> That would also seem to imply that your most mission critical servers
> are the most vulnerable to malicious attack as well, though, no? Especially
> given the speed of Vulnerability -> Attack compared to Vulnerability -> Patch
>
Actually, I watch the various security mailing lists. Point patches
are applied promptly, usually complete in one or two Sunday change
windows. Additionally we use IP Filter and router based firewalls as a
first line of defence.
>
> Is there anyone out there who applies patches solely on the basis of
> Suns in house QA testing? Is that proceedure documented anywhere? Can
> we find out what sun explicitly check for to evaluate whether that conforms
> to our requirements?
We're quite proactive. In the case of the telnetd remote exploit,
we've had the patch about 2-3 weeks after reporting the problem to Sun
(immediately after it was announced on BUGTRAQ), prior to Sun QA
testing it. It was installed on all of our Sun systems in a day.
A lot depends on the criticality of the bug.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
- Previous message: Joseph Tam: "Re: chroot and BIND"
- Maybe in reply to: SecLists: "Sun Patches timetable"
- Next in thread: Scot Bellis: "RE: Sun Patches timetable"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
