On 01/24/11 05:12 PM, Joerg Schilling wrote:
If you believe thare are security issues that need to be addressed, please make
a bug report into the Schillix-ON Bug Tracking system:
Hi Joerg,
As we're currently using Illumos as our upstream ON, it makes sense for
us to file and track the bugs on the Illumos bug tracker.
But we'll share info and cooperate where we can.
The issue we have at present is that Oracle's CVE reports contain
virtually no information.
Apologies for the formatting (copy/pasted) but here's the list that came
from Oracle's "CPU January 2011" for snv_151a:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
CVE-2010-2632 ONNV FTP Service
CVE-2010-4440 ONNV Kernel Unspecified vulnerability - "allows local
users to affect availability via unknown vectors"
CVE-2010-4442 ONNV Kernel Unspecified vulnerability - "allows local
users to affect availability via unknown vectors"
CVE-2010-4443 ONNV Kernel NFS Unspecified vulnerability - "allows
local users to affect availability via unknown vectors"
CVE-2010-4446 ONNV Kernel RDS Infiniband Unspecified vulnerability -
"allows local users to affect availability via unknown vectors"
CVE-2010-4457 ONNV Kernel CIFS Unspecified vulnerability - "allows
remote attackers to affect availability, related to SMB and CIFS"
CVE-2010-4458 ONNV Kernel ZFS Unspecified vulnerability - "allows
local users to affect availability, related to ZFS
CVE-2010-4459 ONNV Kernel sockfs Unspecified vulnerability - "allows
local users to affect availability via unknown vectors, related to SCTP
and Kernel/sockfs
From what I've seen, they don't appear to have disclosed enough
information to locate and fix said security issues. As an example:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2632
Completely unhelpful :-(
Regards,
Alasdair
_______________________________________________
oi-dev mailing list
[email protected]
http://openindiana.org/mailman/listinfo/oi-dev
