> Thankfully I run openssh-4.7,REV=2007.12.26_rev=p1 (from Blastwave.org)
> pretty much everywhere and I disable the SunSSH entirely. It is updated too
> slowly for my tastes.

Sun just finished a sync with OpenSSH. However, one of the problems is that Sun managed to piss Theo off (I'm not going into who's right and who's wrong). Long story short, Theo swore that if a vulnerability in OpenSSH is found, Sun won't be notified. This could pose a slight problem.

What it means is that Solaris folk are more or less left to themselves to audit SSH; no help will come from the OpenBSD/OpenSSH team. If it's a general vulnerability, hopefully you had your eye on the bulletins; if it's a Solaris-specific one, you're on your own.

> Also I try to watch the IPFilter maillists closely and
> while I know that Darren Reed is a Sun guy now I don't think that the
> ipfilter in Solaris is anywhere kept up to date.
>
> So long as the door is slammed shut I'm safe. I hope.

Hope dies last; however, all it takes is somebody uncovering the next SSH vulnerability. These are normally uncovered by professional black hats and guarded as the strictest secret, so nobody knows that a patch will be needed. A pro is very likely to go after Solaris boxes, because, unlike script kiddies, the pros know that Solaris is the workhorse where the valuable data is usually stored.

This message posted from opensolaris.org
