[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LACC: Sun patch pulled (was Re: HP & Export of DCE)



The syslog problem is fixed in baseline SunOS 5.5.

Sun and HP are apparently doing what the stupid law mandates - and they
should do so, whether someone at NSA (or whatever) is on their case or
not.  :)  They should also have someone in their respective legal
departments bucking ITAR very hard.

"tres-dangerous" must have been typed with a snear, no?

ECafe Anonymous Remailer wrote:
> 
> I noticed that Sun's latest libc patch (101759-04) is empty.  Previous
> versions contained the complete U.S. version of libc, including the
> tres-dangerous DES and crypt functions.  In the current rev only the
> README remains, presumably because:
>         EXPORT INFORMATION: This patch includes code which performs
>         cryptographic functions, which are subject to U.S. export
>         control, and must not be exported outside the U.S. without
>         prior approval of the U.S. government.  Prior export approval
>         must be obtained by the user of this patch.
> 
> So, you might ask, what fixes is Sun not distributing???
>     (Rev 04)
>         1190985 gethostbyname() can trash an existing open file descriptor.
>         1182835 portmapper silently fails with version mismatch by PC-NFS
>                 client
>         1219835 Syslog(3) can be abused to gain root access on 4.X systems.
> 
> Yup, that's right.  The syslog hole that was so well publicized by
> CERT will remain open indefinitely because the ITAR makes it illegal
> for Sun to distribute the fix!
> 
> So did HP and Sun spontaneously, simultaneously develop crypto awareness,
> or is some gummint dweeb whispering threats in their ear?