Sun Security Blog
A security vulnerability in the TLS protocol (TLS 1.0 or later and SSLv3) may allow an unauthenticated, remote attacker to conduct man-in-the-middle (MITM) attacks in which chosen plaintext is injected as a prefix into a user's TLS session. This vulnerability does not allow the attacker to decrypt the intercepted network communication. This issue is referenced as CVE-2009-3555. The exact nature of the impact depends on the application making use of the TLS facility. Applications which use the Network Security Services (NSS), Java Secure Socket Extensions (JSSE), OpenSSL or GnuTLS libraries may be affected. Sun is evaluating the impact of the issue on the various products which make use of these TLS libraries. We are working to fix the TLS implementations according to the TLS protocol standard extensions currently being developed.

The Solaris Kernel SSL proxy module, KSSL, does not support client renegotiation or rehandshake. It ignores the rehandshake message, which is allowed behavior under the SSL/TLS specification. Hence it is not vulnerable to this issue. KSSL (see ksslcfg(1M)) is available in Solaris 10 and OpenSolaris and may be used to work around the described issue.
On November 3, 2009, Sun will release the following security updates:
On August 4, 2009, Sun will release the following security updates:
14 Jul 2009
US-CERT Vulnerability Note VU#466161 - XML signature HMAC truncation authentication bypass
US-CERT Vulnerability Note VU#466161 describes a security vulnerability with verifying HMAC-based XML digital signatures.
The XML Digital Signature implementation included with the Java Runtime Environment is affected and may allow authentication to be bypassed. Applications that validate HMAC-based XML digital signatures may be vulnerable to this type of attack. This vulnerability cannot be exploited by an untrusted applet or Java Web Start application. This issue can occur in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux:
This issue will be addressed with our upcoming Java SE security updates, which are targeted for release in late July 2009.

CVE-2009-0159 describes a security issue in the ntpq(1M) daemon which could allow remote NTP servers to crash the ntpq program or to execute arbitrary code when ntpq is used to query them. Sun has examined the implementation of the ntpq(1M) command that is shipped with Solaris and has determined that, although the affected code is present and has been fixed as Sun bug ID 6831824, it is not possible to exploit this issue on Solaris to execute arbitrary code or to crash the ntpq command.

The slides and other supporting material from Scott Rotondo's CommunityOne talk on Secure Programming are now available from the OpenSolaris security community library pages. The talk includes how OpenSolaris uses lint extensions to detect problems using static analysis at build time, as well as a new tool from Sun Labs called Parfait.

- Darren
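As an added illustration of the VU#466161 post above (example code written for this page, not Sun's or the JDK's implementation): an HMAC-SHA1 XML-signature verifier that honours HMACOutputLength but, in its hardened form, refuses lengths below the RFC 2104 section 5 floor (half the hash output, and never under 80 bits). The key and SignedInfo bytes are constructed samples.

```python
import hashlib
import hmac

# With the hmac-sha1 SignatureMethod, the optional <HMACOutputLength> element
# asks the verifier to compare only the leading N bits of the HMAC tag.
# RFC 2104 section 5: a truncated tag must be at least half the hash output
# and never shorter than 80 bits. A verifier that honours any length (even
# 1 bit) accepts a signature the attacker can simply guess.
HASH_BITS = hashlib.sha1().digest_size * 8   # 160 for SHA-1
MIN_OUTPUT_BITS = max(80, HASH_BITS // 2)    # 80 for SHA-1

# Constructed sample inputs (not taken from the advisory).
DEMO_KEY = b"constructed-demo-key"
DEMO_SIGNED_INFO = b'<SignedInfo><Reference URI="#payload"/></SignedInfo>'


def is_acceptable_output_length(bits: int) -> bool:
    """Hardened rule: HMACOutputLength must be within [MIN_OUTPUT_BITS, HASH_BITS]."""
    return MIN_OUTPUT_BITS <= bits <= HASH_BITS


def truncate_bits(digest: bytes, bits: int) -> bytes:
    """Keep the leading `bits` bits of `digest`; a partial last byte is masked."""
    nbytes = (bits + 7) // 8
    out = bytearray(digest[:nbytes])
    if bits % 8:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)


def sign_hmac_sha1(key: bytes, signed_info: bytes, output_length: int = HASH_BITS) -> bytes:
    """Produce the (possibly truncated) SignatureValue bytes for signed_info."""
    return truncate_bits(hmac.new(key, signed_info, hashlib.sha1).digest(), output_length)


def verify_hmac_sha1(key: bytes, signed_info: bytes, signature_value: bytes,
                     output_length: int = HASH_BITS, enforce_minimum: bool = True) -> bool:
    """Verify SignatureValue against signed_info.

    enforce_minimum=True rejects an HMACOutputLength below the RFC 2104 floor
    instead of silently comparing a handful of bits; enforce_minimum=False
    reproduces the pre-fix behaviour so the two can be compared side by side.
    """
    if not 0 < output_length <= HASH_BITS:
        raise ValueError("HMACOutputLength out of range")
    if enforce_minimum and not is_acceptable_output_length(output_length):
        raise ValueError(f"HMACOutputLength {output_length} below {MIN_OUTPUT_BITS}-bit minimum")
    if len(signature_value) != (output_length + 7) // 8:
        return False                      # wrong length for the declared truncation
    expected = sign_hmac_sha1(key, signed_info, output_length)
    return hmac.compare_digest(expected, truncate_bits(signature_value, output_length))
```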
On March 24, 2009, Sun will release the following security updates:
On December 2, 2008, Sun will release the following security updates:
Interim Security Reliefs (ISRs) that fix CVE-2008-1447 (VU#800113) in Solaris 8 and 9 are available from http://sunsolve.sun.com/tpatches for the following releases:

SPARC Platform
These ISRs deliver BIND 9 with the fix for CVE-2008-1447. Solaris 8 and 9 ship BIND version 8, in which the needed fix cannot be implemented because of the design of the fix. BIND 8 is also already end of life (EOL) according to ISC. Sun is currently working on a patch to release the fixed BIND version 9 for Solaris 8 and 9 (replacing the EOL BIND 8 there). Changing the release from BIND 8 to BIND 9 is not a trivial task and therefore the patches to address this are still in progress. Users MUST completely re-configure BIND as per the instructions in /usr/lib/dns/migration.txt in order to use the new BIND 9 and the fixes that these patches deliver. This migration document is shipped as part of the IDRs at SUNWcsu/reloc/usr/lib/dns/migration.txt.

Please refer to Sun Alert 239392 "Security Vulnerability in the DNS Protocol may lead to DNS Cache Poisoning", Sun Alert 240048 (Update to Sun Alert 239392) and US-CERT Vulnerability Note VU#800113 for more details on this vulnerability.

NOTE: Interim Security Reliefs (ISRs) are designed to address the concerns identified herein. Sun has limited experience with these ISRs due to their interim nature. As such, you should only install the ISRs on systems meeting the configurations described above. Sun may release full patches at a later date; however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.
On July 8, 2008, Sun will release the following security updates:
Sun UK is running a morning briefing on End to End Security. The event is on Thursday 5th June in the London Customer Briefing Center (for LOSUG people this is the same place we meet). Details and registration information can be found here. Dave Walker and I are among the speakers.

-- Darren
On March 4, 2008, Sun will release the following security updates:
As we announced in September 2007, this is the first set of synchronized releases for Java SE. We need to note, though, that prior to our announcement last year we had already fixed a few vulnerabilities in certain release families. These issues will be addressed in a synchronized fashion for all remaining release families through our synchronized security updates and will be noted accordingly in our Sun Alerts.
Sun recently announced two new security response enhancements for Java SE. They include our plans for the synchronized release of Java SE security fixes, and advance customer notification of security updates. These new features are designed to complement Sun's existing Sun Alert notifications, as well as the built-in Java Auto Update tool for Microsoft Windows users. Details are available here.
The following is our first advance notification of security updates for Java SE. In the week of October 1, 2007, Sun will be releasing security updates with JDK and JRE 6 Update 3, JDK and JRE 5.0 Update 13, and SDK and JRE 1.4.2_16. This will be followed by the release of SDK and JRE 1.3.1_21 in the second week of October 2007. This is Sun's first step towards the simultaneous release of security fixes across all supported Java SE release families. Sun expects to fully synchronize the release of security fixes across all supported releases, including J2SE 1.3.1, in 2008. Note that J2SE 1.3.1 has completed the Sun "End of Life" (EOL) process and is only supported for the Solaris Operating Environment and for customers on Sun's Vintage Support Offering.

Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era. Not only is it now part of the Solaris 10 binary product, but there were two significant changes.
- Darren

A few months ago, blogs.sun.com/security started off in a new direction. The goal was to provide a large and highly visible stage for anyone within Sun who wanted to share their thoughts about security. Per the announcement:
If you are a member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice? The answer, now, is here, blogs.sun.com/security. The goal of this effort was simple. It enabled Sun's security community to:
provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web. A lot of great content has been shared in this forum and across blogs.sun.com since that posting. In addition, the announcement said that:
Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security.

Well, it was more than just a few weeks, but it is certainly in this spirit that I am happy to announce the newly updated security landing page at www.sun.com/security. This page has been revamped by real Sun people with real interest in security, and this is just the beginning. We will be bringing you fresh news and content on a regular basis, will be working to update the rest of the security pages in the very near future, and will be working towards even closer integration with blogs.sun.com/security. For Sun employees, if you want your security postings to be visible on www.sun.com/security, you need only tag your blog posting with the keyword security. Check it out and let us know what you think!