Re: Information disclosure with SMC webserver on Solaris 9

From: Jon Hart (warchild_at_spoofed.org)
Date: 10/23/03


Date: Thu, 23 Oct 2003 08:43:55 -0400
To: focus-sun@securityfocus.com

On Wed, Oct 22, 2003 at 09:38:24AM -0500, Wheeler, Randy wrote:
> Jon
>
> I have had the same problems with SMC and have determined that Sun does not
> put many resources into the SMC software (from the grapevine)
 
That is unfortunate, especially because, from what I've seen, SMC ships
on by default. Sure, it might depend on what type of install you do,
but if some large percentage of Solaris machines out there are running
some buggy piece of software that gets little or no attention from its
owners, that's a Bad Thing.
 
> If you have a Platinum/Gold etc. contract with Sun and SMC is under
> support at your company, I would escalate this with the district manager.
> This usually gets results.
>
> Remember though that if it is not under software support with Sun they are
> not obligated to support.
 
No contract here. This is an unfortunate trend I've been seeing. Just
because I don't have a contract or support option on a given product
doesn't mean I should be ignored or jerked around when it comes to
security matters. If a user does the responsible thing and contacts the
vendor before making a security issue public, then I would like to think
that the vendor would have the common courtesy to acknowledge this and
act appropriately.

At the same time I understand how things can fall through the cracks or
not get escalated properly. In the case of Sun, however, since
security-alerts@sun.com is apparently the place to send security-related
discoveries, perhaps they should take a look at why this fell through.

-jon


