It was with great interest I watched the events related to the remote telnet exploit (102802) on Sunday.
I've put down a timeline (in PST/GMT-8) of the events, so you can follow how quickly people reacted:
- Feb 11, 2007 09:35: Link to the exploit posted in the security-discuss forum.
- Feb 11, 2007 11:45: Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
- Feb 11, 2007 15:03: First fix available internally.
- Feb 11, 2007 15:54: Code review performed.
- Feb 11, 2007 16:46: Newer, better fix: it relies on login(1)'s getopt() compliance and passes "--" between everything else and $USER.
- Feb 11, 2007 16:51: RTI draft created.
- Feb 11, 2007 18:25: RTI submitted.
- Feb 11, 2007 18:31: RTI approved.
- Feb 11, 2007 18:33: Fix integrated into Nevada.
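The "--" fix in the timeline works because getopt(3) stops option processing at "--" and treats whatever follows as operands, so a remotely supplied user name can never be consumed as a flag. The following is an added illustration, not Sun's telnetd or login(1) code; it assumes a simplified login that knows only the -p flag and a hypothetical launch_login() wrapper standing in for telnetd's exec of login.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What a login-style parser made of the command line it was handed. */
struct parse_result {
    int saw_option;    /* 1 if getopt() consumed at least one "-x" flag */
    const char *user;  /* first operand left after option processing, or NULL */
};

/* Simplified stand-in for login(1)'s argument parsing (assumption: the only
 * flag it knows is -p). getopt(3) stops at "--" and treats everything after
 * it as operands, so an operand beginning with '-' is never read as a flag. */
static struct parse_result parse_login_args(int argc, char *const argv[])
{
    struct parse_result r = { 0, NULL };
    optind = 1;  /* reset getopt(3) so the function can be called repeatedly */
    opterr = 0;  /* do not print diagnostics for unrecognised flags */
    while (getopt(argc, argv, "p") != -1)
        r.saw_option = 1;  /* valid or not, the argument was parsed as a flag */
    if (optind < argc)
        r.user = argv[optind];
    return r;
}

/* Build the argv a telnetd-like parent would pass to login for a user name
 * supplied by the remote peer (hypothetical wrapper). with_sep=1 is the
 * fixed form with "--" between every other argument and $USER. */
static struct parse_result launch_login(const char *remote_user, int with_sep)
{
    char *argv[5];
    int argc = 0;
    argv[argc++] = "login";
    argv[argc++] = "-p";
    if (with_sep)
        argv[argc++] = "--";
    argv[argc++] = (char *)remote_user;
    argv[argc] = NULL;
    return parse_login_args(argc, argv);
}

int main(void)
{
    /* constructed sample: a user name that happens to look like a flag */
    struct parse_result bad = launch_login("-p", 0), good = launch_login("-p", 1);
    printf("without --: operand=%s\nwith    --: operand=%s\n",
           bad.user ? bad.user : "(none, parsed as a flag)", good.user);
    return 0;
}
```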
From report to integrated fix in 9 hours - not bad! Especially since this was on a Sunday. Lots of people were involved in this, but the one who deserves the most praise is Dan McDonald.
Apart from this, the event resulted in a spree of emails on how we can improve - everything from the bug/development/RTI process to the external communication. I think we handled this first OpenSolaris fire drill very well, but it is far from perfect. We can certainly do better on the communications part - one should always strive to better oneself!
If you have feedback and/or suggestions on what we can/should improve in this process, let us know by posting here.
Posted by Dalibor Topic on February 16, 2007 at 05:02 AM PST #