eSecurityOnline vs. Solaris
eSecurityOnline today released several security advisories related to mainly Sun Solaris problems. Problems included are from denial of service to roor compromise.
These are the advisories in question:
- Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities
- CDE dtprintinfo Help search buffer overflow vulnerability
- Sun Solaris lbxproxy display name buffer overflow vulnerability
- Sun Solaris admintool media installation path buffer overflow vulnerability
- Sun Solaris cachefsd denial of service vulnerability
- Sun Solaris cachefsd mount file buffer overflow vulnerability
[ Read more ]
As these vulnerabilities were found in different time frames, Ken Williams from eSecurityOnline Research and Development Team said the following:
To help clear up any confusion about the Discovery Dates associated with the group of advisories that we are publishing today, I should explain the situation.
We are publishing our advisories in groups after each group is approved internally. With the exception of the Microsoft issues, none of the vulnerabilities have been posted or discussed in public forums or lists.
The discovery date that we list in the advisories refers to the date on which we discovered the advisory, rather than the date that we made the information public. Since none of these vulnerabilities (except for the Solaris CACHEFSD) have been actively exploited / seen in the wild, we have been patient in working with and waiting for vendors to complete vulnerability validation, and for patches to be developed and posted to vendor sites.