
Are public security patches available for Solaris 10?


Jeffery Small

Apr 10, 2014, 5:34:14 PM

Does Oracle make security patches available for systems not covered under
one of their maintenance contracts? In particular, is there any way to
patch for the SSL vulnerability recently reported?

Thanks.

John D Groenveld

Apr 10, 2014, 8:55:25 PM
In article <n3u3x...@cjsa.com>, Jeffery Small <je...@cjsa.com> wrote:
>Does Oracle make security patches available for systems not covered under
>one of their maintenance contracts? In particular, is there any way to

No.

>patch for the SSL vulnerability recently reported?

Oracle's SUNWopenssl packages for Solaris 10 are based
on OpenSSL 0.9.7 and not vulnerable to the Heartbleed attack.
<URL:http://www.us-cert.gov/ncas/alerts/TA14-098A>

John
groe...@acm.org

Doug McIntyre

Apr 11, 2014, 1:25:20 AM
groe...@cse.psu.edu (John D Groenveld) writes:
>Oracle's SUNWopenssl packages for Solaris 10 are based
>on OpenSSL 0.9.7 and not vulnerable to the Heartbleed attack.
><URL:http://www.us-cert.gov/ncas/alerts/TA14-098A>

I'm not quite sure the sequence of what I've had access to or not,
but I believe Solaris 11.1 shipped with OpenSSL v1.0.0j (i.e., not the
vulnerable train, which starts at 1.0.1).

But a system with patch access did have a version of 1.0.1c installed.
Presumably, the patch access system will get a newer version at some point.

But, the only way to have got a version that is vulnerable is to have
patch access in the first place I believe. Or to put it there
yourself, which you can just redo yourself as you wish as well.

--
Doug McIntyre
do...@themcintyres.us

Casper H.S. Dik

Apr 11, 2014, 3:21:03 AM
Doug McIntyre <mer...@dork.geeks.org> writes:

>But a system with patch access did have a version of 1.0.1c installed.
>Presumably, the patch access system will get a newer version at some point.

That is not a version shipped with a Solaris patch, not for
Solaris 11.1 or any of the earlier releases.

The most recent version shipped in Solaris 11.1 is: (11.1 SRU 17.5)
OpenSSL 1.0.0k 5 Feb 2013

>But, the only way to have got a version that is vulnerable is to have
>patch access in the first place I believe. Or to put it there
>yourself, which you can just redo yourself as you wish as well.

No, it was installed by the system administrator and not as part
of a patch.

Casper

Doug McIntyre

Apr 11, 2014, 9:01:53 AM
Casper H.S. Dik <Caspe...@OrSPaMcle.COM> writes:

>Doug McIntyre <mer...@dork.geeks.org> writes:

>>But a system with patch access did have a version of 1.0.1c installed.
>>Presumably, the patch access system will get a newer version at some point.

>That is not a version shipped with a Solaris patch, not for
>Solaris 11.1 or any of the earlier releases.

Ah, you are right, that was 3rd party installed. Should have reset my
path before I checked.

The system installed version on that one was OpenSSL 1.0.0h, so
Solaris 11.x doesn't ship with a vulnerable version of OpenSSL.
--
Doug McIntyre
do...@themcintyres.us
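
The check discussed in this thread, as an added example that is not from any of the posters: it lists every `openssl` on a PATH in lookup order and flags version strings in the Heartbleed range (1.0.1 through 1.0.1f), so a third-party copy shadowing the system binary shows up. The function names, the stub binaries, and the directory names and dates in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Classify an `openssl version` line against the Heartbleed range
# (1.0.1 through 1.0.1f). This reads the version string only: a
# vendor-patched build can report an in-range version and still be fixed.
heartbleed_class() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo "in-affected-range" ;;
        '')                            echo "unknown" ;;
        *)                             echo "outside-range" ;;
    esac
}

# Report every openssl on a PATH-style string ($1, default $PATH), in lookup
# order. The first line printed is the binary a bare `openssl version` runs.
scan_openssl() {
    old_ifs=$IFS; IFS=:
    for dir in ${1:-$PATH}; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        bin="$dir/openssl"
        if [ -f "$bin" ] && [ -x "$bin" ]; then
            out=$("$bin" version 2>/dev/null) || out=""
            printf '%s\t%s\t%s\n' "$bin" "${out:-?}" "$(heartbleed_class "$out")"
        fi
    done
    IFS=$old_ifs
}

# Constructed demo: two stub "openssl" scripts stand in for a third-party
# 1.0.1c build placed ahead of a system 1.0.0h build (version numbers from the
# thread; dates and directory names are constructed).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/opt/bin" "$tmp/usr/bin"
    printf '#!/bin/sh\necho "OpenSSL 1.0.1c 10 May 2012"\n' > "$tmp/opt/bin/openssl"
    printf '#!/bin/sh\necho "OpenSSL 1.0.0h 12 Mar 2012"\n' > "$tmp/usr/bin/openssl"
    chmod +x "$tmp/opt/bin/openssl" "$tmp/usr/bin/openssl"
    scan_openssl "$tmp/opt/bin:$tmp/usr/bin" | sed "s|$tmp||"
    rm -rf "$tmp"
}

demo
```

Run `scan_openssl` with no argument to check the current PATH; any binary listed above the system one is what a bare `openssl version` reports.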