[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sun patch pulled (was Re: HP & Export of DCE)



I noticed that Sun's latest libc patch (101759-04) is empty.  Previous
versions contained the complete U.S. version of libc, including the
tres-dangerous DES and crypt functions.  In the current rev only the
README remains, presumably because:
        EXPORT INFORMATION: This patch includes code which performs
        cryptographic functions, which are subject to U.S. export
        control, and must not be exported outside the U.S. without
        prior approval of the U.S. government.  Prior export approval
        must be obtained by the user of this patch.

So, you might ask, what fixes is Sun not distributing???
    (Rev 04)
        1190985 gethostbyname() can trash an existing open file descriptor.
        1182835 portmapper silently fails with version mismatch by PC-NFS
                client
        1219835 Syslog(3) can be abused to gain root access on 4.X systems.

Yup, that's right.  The syslog hole that was so well publicized by
CERT will remain open indefinitely because the ITAR makes it illegal
for Sun to distribute the fix!

So did HP and Sun spontaneously, simultaneously develop crypto awareness,
or is some gummint dweeb whispering threats in their ear?