Solaris is usually used as a server operating system. I tried the pkginfo -i command but it gives all of the packages installed. That is, there's one set of patches for Solaris 8, a separate set of patches for Solaris 9, and another set of patches for Solaris 10. This post is for the system admins who still want to use the traditional method of patching for whatever reason they want to. The Solaris Patch Manager tool, a full-featured patch management tool, also provides details regarding patches.
Security vulnerability in the authentication mechanism for. Patches are binary code modifications that affect the way Sun-supplied software operates. The inetd.conf file, from Securing and Optimizing Linux by Gerhard Mourani: the old Red Hat inetd configuration is like Solaris. Use the Service Management Facility (SMF) to modify the standard Internet services or to have additional services started by the inetd daemon. Use the following SMF commands to manage services started by inetd. Solaris 9 now includes the TCP Wrappers distribution as part of the operating system. To avoid these bugs, apply the available patches that fix the bugs.
Comments or proposed revisions to this document should be sent via email to the following address. I have doubts on step 8 especially; can someone clear my step 8 doubts or if. CDE ToolTalk database server multiple vulnerabilities. In Solaris 11, Oracle removed the word "patches" from their dictionary. The Solaris Enterprise Authentication Mechanism server and client is included in the Solaris 9 OS to provide single sign-on capabilities for servers and applications. The Solaris 10 Release Notes documents important installation and runtime issues and bugs. Solaris 10 container deployed from Solaris 10 global zone to Solaris 11 global zone.
Solaris 10 OS patching using Live Upgrade (UnixArena). Because of this, you want to make sure that you shut the system down as gracefully as possible to ensure there isn't any data loss. To determine if sadmind(1M) is enabled on the system, the following command can be run. We do not need to bring down the server to single-user mode if you are using the Live Upgrade method during patching, and before choosing Live Upgrade, make sure you are using ZFS as the root filesystem. The resulting new inetd.conf file may re-enable services that were previously disabled e. Many inetd services must be mapped to a specific port number. Sun Solaris 8, Sun Solaris 9, Sun Solaris 10 operating system: multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the ICMP Source Quench attack. Patches contains Sun recommended and security patch. Send the inetd(1M) process a hangup signal (SIGHUP) so that inetd will reread the inetd. Appendix A: Solaris 9 9/05 HW operating system patch list. Building a secure Sun JumpStart environment using the Solaris. CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been split based. MD5: the MD5 software is not needed for systems running the Solaris 10 OS, because the digest(1M) command now includes MD5 functionality. This article is going to explain how to update the Solaris 11.
The inetd daemon starts up Internet standard services when a system boots, and can restart a service while a system is running. There were a total of 24 Solaris 10 patches, including kernel updates, and 4 patchsets released on MOS. Solaris operating system Service Management Facility how-to. Like many others, I am a big fan of Live Upgrade when it comes to upgrading/patching Solaris. Kerberos-enabled versions of telnet, r commands, and more are available as a free download from the Sun Download Center. Scott Lynn put together a very informative blog on Solaris 10. The Sun Solaris sadmind daemon is included in the Solstice AdminSuite of tools and is used to manage distributed systems. An attacker may submit malicious RPC requests to forge a new client identity.
I installed Patch Manager but in its readme file I found out that it's only for Solaris 8 and there is some Update Manager for Solaris 9. Sun Microsystems will next month launch a utility to make it easier to manage security patches issued for its Solaris 9 operating system. A supported release means that someone will answer the phone, and that patches for problems are available. They can be released by Sun because of previously identified bugs which have been fixed, or because a security exploit has been discovered in a piece of software, and a simple workaround is inadequate to prevent intrusion or disruption of normal system activity. OpenSSH: installing OpenSSH is not needed on Solaris 9 or 10.
There is also a replacement for inetd, called xinetd, that includes built-in TCP wrapper functionality. The Service Management Facility (SMF) is a core component of the new Predictive Self-Healing set of technologies introduced in Solaris 10. Sun Solaris sadmind arbitrary command execution vulnerability. Solaris 10 extended support will run through January 2021. SGI has released patches and update information at the following FTP links. Solaris 10, start inetd in a zone not working (Unix and Linux Forums).
The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct. Now I need to know how to check the latest kernel version in a Solaris 10 container. Administrators are advised to inspect the /etc/inetd.conf file to determine if the rpc. Another tool, Sun Patch Check, can be run to obtain a listing of available patches, but provides little diagnostic capabilities. However, popular packages are updated frequently and, by subscriber request, more up-to-date packages may also be present for other versions of Solaris. Does anyone know the easiest/quickest way to search all the available Solaris 9 patches to find out if they update a certain library or not? Before I install it, my task is to find out what OS patches have already been installed on the box. Sun Solaris 7, 8 and 9, and Trusted Solaris 7, 8 and 9: default installations of the sadmind daemon may allow a local or remote attacker to execute code with elevated privileges on the system. A Guide for System Administrators, February 2006, International Technical Support Organization, SG24-7186-00.
I need to check the latest kernel version in a Solaris 10 container. These release notes also include end-of-software-support statements, documentation issues, and a list of integrated patches. Verify the root password on this system is set correctly. I can ssh into all of them if I run ssh from a box that has an ssh client. If this service is present and enabled, the system is vulnerable. Patch Manager is aimed at easing problems faced by users. A sample /etc/services file, shown below, defines port numbers for most of the commonly used services:

tcpmux 1/tcp
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime tcp
daytime udp
netstat 15/tcp
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftpdata.

Now that some of the systems I have to regularly patch are Solaris 10 ones, I have to get used to the new patch return codes which one can see when applying one of Sun's recommended patchsets. There's general information about securing Solaris, patches to know about, tools to use. Once you've decided exactly which pieces of the operating system you wish to. Solaris OS patching has been moved far away from the traditional methods from Solaris 10 onwards.
For your information, from Solaris 11 onward, ZFS will be the default root filesystem. Solaris 9 OE implements an /etc/default/inetd to control the use of TCP. Solaris 8 patch 110286-09, Solaris 9 patch 112808-02, Intel Solaris 2. You have more than one command option that you can use. Securing network services: Solaris Operating Environment. Jul 03, 2012: Solaris OS patching has been moved far away from the traditional methods from Solaris 10 onwards. Hi, I have a Solaris 10 device which has quite a dated version of Kerberos 5 installed. We discuss considerations for installation, patching the OS, and the basics for.
Each marketing release of Solaris has its own set of patches. The tftpd daemon is configured in inetd.conf and called by the. Solaris 9 can be installed with TCP Wrappers in the default installation. Solaris init scripts don't recognise restart, you have to do a stop and start if you really want to stop/start inetd without affecting other services do. After that, there'll be no new Solaris 8 or Solaris 9 patches created. With SMF, system administrators can use simple command-line utilities to easily identify, observe, and manage both the services provided by the system and the system itself. The following applies to core Solaris packages and patches. However it appears you don't need Solaris 10 patches since you're running Solaris Express. Hi Unix experts, I'm told to install WebSphere MQ on Sun 5. The Solaris 9 SPARC Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.
There are three workarounds that are advised until patches are. After examining the possible client FTP commands and server response codes, let's see how this transactional system actually works in practice on Solaris. It contains entries for the most commonly used Internet services. Many applications that use RPC services add entries to the /etc/inetd.conf in addition to using one of the RPC-based daemons. Solaris Security Today and Tomorrow, Penn State College. Dec, 2006: for every application that is installed on your server, you should make sure that you have the correct scripts in etcrc x.
One of the most useful guides to the currently available patches for Solaris 9 is the SunSolve Patch Report. Some of the latest patches released for Solaris 9 include the following. Sun has released updated patches at the following links. It's similar to the Solaris 8/9 patchset installation codes, but there are more codes added to the list. If settings in the asetenv file have been modified, then system vulnerabilities may not be detected. List of patches and date installed: my understanding is that showrev -p would show patches but not the date they were installed. I'd like to upgrade the version of Kerberos to a more recent version, but was unsure whether updates to Kerberos are provided by applying a Solaris patch or whether I would need to go to the MIT website. You can even run Solaris 10 guest domains under a Solaris 11 control domain and run Solaris 8 and Solaris 9 branded zones in your Solaris 10 guest domains if you really want to. Say something like clean up save folders for patch rev obsolete patches after patch is two revisions ahead. So you could clean the save directory for 109667-04 when 109667 hits say rev 07.
The first step is to make a connection to a remote host from the local system by using the standard client. Edna has put together a handy document on patching Solaris using. Latest Solaris 10 patch bundles: I don't know if it's just my own ignorance or Oracle purposely obfuscating the latest patch bundles for Solaris, but I recently had a hell of a time finding the January 2017 patch bundle for Solaris 10. Sun Blade 100/150 flash PROM update 111292-17 obsoleted by. For Solaris 7-9 releases, refer to the man pages for instructions on. Note: the Oracle Solaris 10 9/10 software contains scriptspecial patches which do not deliver bug fixes or new features, but deliver changes that are required as a result of issues with the creation of the update image. Solaris Fingerprint Database Companion and Solaris Fingerprint Database Sidekick. How can I stop the telnet service in Solaris 8 and 9? If you're using Solaris 7 or Solaris 8 in 64-bit mode, IPFilter can be relatively difficult to compile correctly. Package names that are non-bold and/or with no version number are not currently available for this version of Solaris. What are the Solaris 9 patches needed for Oracle 8i 8.
Solaris patches installation error codes (Solaris blog). Apply patches: at least download and install Sun's Recommended Patch Cluster; also check the Patch Report file for additional security patches. Patches must be maintained on an ongoing basis. Solaris 9 without patch 116454-01 sites which have sadmind(1M) enabled in inetd. For a very secure system, replace the standard inetd.conf with one that just. The inetd.conf file tells inetd which ports to listen to and what server to start for each port. The first thing to look at as soon as you put your Linux. Most Solaris administrators will search for a Solaris 11 OS patch bundle like the one we used to get for Solaris 10, but you won't get it.
Solaris Security Today and Tomorrow: technical deep dive, updated for Solaris 10 05/09, Solaris Next, and Solaris Future. I am planning to do Solaris 11 global zone patching having a Solaris 10 branded zone. Security issue involving the Solaris sadmind(1M) daemon (Oracle). Solaris 10 patch return codes, May 19, 2009, by Gleb Reys. The following is a list of questions that are frequently asked about Solaris 2. Solaris 9 OE no longer installs a fully populated /etc/inetd.conf. There are no predictable symptoms that would show the described issue has been exploited to gain root privileges.
Patches are a separate software change control mechanism distinct from package versions in Solaris. Correct, it's not possible to get Solaris 10 patches without a valid support contract. Solaris 9 exiting extended support period (Oracle Solaris). It does not necessarily apply to some applications embedded in Solaris, such as StarOffice. On almost all servers, the RPC services in /etc/inetd.conf can be removed.