Per Security Team

All --

This is covered under existing policies. I would refer you here:

http://security.fnal.gov/policies/cpolicy.html

(see the section on "Unsupported and obsolete operating systems")

and here:

http://security.fnal.gov/Baselines/

I can't imagine that a system which hasn't (by March) been patched in nearly
six months meets the description "recent and supported versions of operating
systems". All the more so because this is an important database server.

So to comply with the policy, CDF (the users) "must document the
reasons why the system cannot be brought up to date and must document how
the system is patched and configured to provide the same level of security
as provided in baseline configurations."

Btw, according to the SunSolve web site, there were over 500 patches
released for Solaris in '05.

http://sunsolve.sun.com/search/document.do?assetkey=1-34-10-1

Mark K. 

================================= Per Joe K

And see this article from the Director:
http://security.fnal.gov/dir-patching.html

Thanks,
Joe 

=================================  per Nelly Stanfield

 

We want to proceed with the o/s patch on Feb 9.
Per the security team we are required to move
quickly and we cannot postpone this patch to March.

The machine has been up for 118 days and the last
patch applied was pulled from the Sun site
Sept 26 and applied Nov 16.

We did not use our maintenance window in December
nor January and it is important for us to proceed
with the February 9 maintenance window.

Below is the list of the o/s patches that will
be applied and Steve has stated that he finds
these patches to be critical.

Unfortunately, Oracle's quarterly patch has
a conflict & we are not hopeful that the merge
patch will be available by this date.  Regardless
of the Oracle quarterly patch schedule, we have to
proceed with the February slot to get the o/s patched.

Please approve a 2 hour slot on Feb 9 allowing
Steve to proceed with the o/s patch as listed below.

-Nelly



Here's the OS patch list:


117067-01  SunOS 5.9: awk nawk oawk Patch
112964-14  SunOS 5.9: /usr/bin/ksh Patch
113713-21  SunOS 5.9: pkginstall Patch
112951-12  SunOS 5.9: patchadd and patchrm Patch
114008-01  SunOS 5.9: cachefsd Patch
112998-03  SunOS 5.9: patch /usr/sbin/syslogd
112875-01  SunOS 5.9: patch /usr/lib/netsvc/rwall/rpc.rwalld
113146-06  SunOS 5.9: Apache Security Patch
112233-12  SunOS 5.9: Kernel Patch
113068-06  SunOS 5.9: hpc3130 patch
113273-10  SunOS 5.9: /usr/lib/ssh/sshd Patch
113279-01  SunOS 5.9: klmmod Patch
113023-01  SunOS 5.9: Broken preremove scripts in S9 ALC packages
113033-05  SunOS 5.9: patch /kernel/drv/isp and /kernel/drv/sparcv9/isp
112601-09  SunOS 5.9: PGX32 Graphics
113923-02  X11 6.6.1: security font server patch
113718-02  SunOS 5.9: usr/lib/utmp_update Patch
114135-03  SunOS 5.9: at utility Patch
114133-02  SunOS 5.9: mail Patch
114153-01  SunOS 5.9: Japanese SunOS 4.x Binary Compatibility(BCP) patch
113575-05  SunOS 5.9: sendmail Patch
114636-03  SunOS 5.9: KCMS security fix
114713-02  SunOS 5.9: newtask Patch
113240-11  CDE 1.5: dtsession patch
114684-03  SunOS 5.9: samba Patch
114861-01  SunOS 5.9: /usr/sbin/wall
114729-01  SunOS 5.9: usr/sbin/in.telnetd Patch
114482-04  SunOS 5.9: Product Registry CLI Revision
114571-02  SunOS 5.9: libc.so.*.9/bcp Patch
114569-02  SunOS 5.9: libdbm.so.1 Patch
112907-06  SunOS 5.9: libgss Patch
112908-23  SunOS 5.9: krb5 shared object Patch
112922-02  SunOS 5.9: krb5 lib Patch
114129-02  SunOS 5.9: multi-terabyte disk support -libuuid patch
114127-03  SunOS 5.9: abi_libefi.so.1 and fmthard Patch
115754-02  SunOS 5.9: zlib security Patch
114495-01  CDE 1.5: dtprintinfo patch
113073-14  SunOS 5.9: ufs and fsck patch
115172-01  SunOS 5.9: kernel/drv/le Patch
114971-02  SunOS 5.9: usr/kernel/fs/namefs Patch
112923-03  SunOS 5.9: krb5 usr/lib Patch
112617-02  CDE 1.5: rpc.cmsd patch
114016-01  tomcat security patch
114049-12  SunOS 5.9: NSPR 4.1.6 / NSS 3.3.4.5
114125-01  SunOS 5.9: IKE config.sample patch
114361-01  SunOS 5.9: /kernel/drv/lofi Patch
114875-01  SunOS 5.9: XML library source patch
116237-01  SunOS 5.9: pfexec Patch
116247-01  SunOS 5.9: audit_warn Patch
116308-01  CDE 1.5: libDtHelp patch
116245-01  SunOS 5.9: uncompress Patch
113226-05  SunOS 5.9: hme Driver Patch
113482-02  SunOS 5.9: sbin/sulogin Patch
117071-01  SunOS 5.9: memory leak in llc1_ioctl()
117171-17  SunOS 5.9: Kernel Patch
117114-02  CDE 1.5: sdtwebclient patch
115683-03  SunOS 5.9: Header files Patch
116453-02  SunOS 5.9: sadmind patch
112810-06  CDE 1.5: dtmail patch
116538-03  SunOS 5.9: SUNW_disk_link.so Patch
112926-06  SunOS 5.9: smartcard Patch
116774-03  SunOS 5.9: ping patch
117455-01  SunOS 5.9: in.rwhod Patch
113096-03  X11 6.6.1: OWconfig patch
112834-06  SunOS 5.9: patch scsi
116105-04  X11 6.6.1: Freetype patch
117203-05  X11 6.6.1: fontconfig patch
112912-01  SunOS 5.9: libinetcfg Patch
116532-03  SunOS 5.9: mpt Patch
112963-25  SunOS 5.9: linker Patch
112785-52  X11 6.6.1: Xsun patch
112874-32  SunOS 5.9: lgroup API libc Patch
117201-09  X11 6.6.1: st patch
113319-22  SunOS 5.9: libnsl nispasswdd Patch
117459-01  SunOS 5.9: routing socket module Patch
112661-08  SunOS 5.9: IIIM and X Input & Output Method patch
112954-13  SunOS 5.9: uata Driver Patch
114332-23  SunOS 5.9: c2audit & *libbsm.so.1 Patch
113579-08  SunOS 5.9: ypserv/ypxfrd patch
118300-02  X11 6.6.1: libXpm patch
118335-04  SunOS 5.9: sockfs Patch
112811-02  OpenWindows 3.7.0: Xview Patch
117445-01  SunOS 5.9: newgrp patch
119433-01  SunOS 5.9: telnet
117485-01  SunOS 5.9: fn_ctx_x500.so.1 Patch
112965-05  SunOS 5.9: patch /kernel/drv/sparcv9/eri
112921-07  SunOS 5.9: libkadm5 Patch
112817-25  SunOS 5.9: Sun GigaSwift Ethernet 1.0 driver patch
112925-06  SunOS 5.9: ktutil kdb5_util kadmin kadmin.local kadmind Patch
114219-11  CDE 1.5: sdtimage patch
113329-15  SunOS 5.9: lp Patch
114014-10  SunOS 5.9: libxml, libxslt and Freeware man pages Patch
114363-03  SunOS 5.9: sort Patch
113280-06  SunOS 5.9: patch /usr/bin/cpio
113798-02  CDE 1.5: libDtSvc patch
113277-36  SunOS 5.9: sd and ssd Patch
116489-01  SunOS 5.9: ttymux Patch
116494-01  SunOS 5.9: libdevice Patch
116559-01  SunOS 5.9: powerd pmconfig patch
117162-01  SunOS 5.9: patch usr/src/uts/common/sys/cpc_impl.h
117477-01  SunOS 5.9: vol Patch
114128-02  SunOS 5.9: sd_lun patch
117418-01  SunOS 5.9: consms patch
114356-06  SunOS 5.9: /usr/bin/ssh Patch
119449-01  SunOS 5.9: Perl Patch
111711-15  SunOS 5.9: 32-bit Shared library patch for C++
114503-14  SunOS 5.9: usr/sadm/lib/usermgr/VUserMgr.jar Patch
113318-22  SunOS 5.9: NFS Patch
116807-02  SunOS 5.9: /usr/sadm/lib/smc/lib/preload/jsdk21.jar patch
113077-15  SunOS 5.9: /platform/sun4u/kernel/drv/su Patch
119211-05  SunOS 5.9: NSPR 4.5.2 / NSS 3.10.1 / JSS 4.1
111712-15  SunOS 5.9: 64-Bit Shared library patch for C++
114564-08  SunOS 5.9: /usr/sbin/in.ftpd Patch
112808-08  CDE1.5: Tooltalk patch
112970-09  SunOS 5.9: patch libresolv
118558-20  SunOS 5.9: Kernel Patch
114555-29  SunOS 5.9: Sun XVR-1200 and Sun XVR-600 Graphics Accelerator Patch
112764-08  SunOS 5.9: Sun Quad FastEthernet qfe driver
115158-10  X11 6.6.1: xscreensaver patch
112540-26  SunOS 5.9: Expert3D IFB Graphics Patch
113278-12  SunOS 5.9: NFS Daemon, rpcmod Patch
112945-40  SunOS 5.9: wbem Patch
112960-33  SunOS 5.9: libldap and pam patch
120464-03  SunOS 5.9: ifconfig, in.routed, ipmp patch
112807-17  CDE 1.5: dtlogin patch
116669-12  SunOS 5.9: md Patch
116548-05  SunOS 5.9: ufsboot Patch
114344-16  SunOS 5.9: arp, dlcosmk, ip, and ipgpc Patch
118305-06  SunOS 5.9: tcp Patch
116561-12  SunOS 5.9: platmod Patch
113451-10  SunOS 5.9: IKE Patch
115553-20  SunOS 5.9: USB Drivers and Framework Patch
113322-03  SunOS 5.9: uucp patch



Steven Kovich



----- Original Message -----
From: "Petar Maksimovic" <petar@jhu.edu>
To: "Nelly Stanfield" <nelly@fnal.gov>; "Anil Kumar" <akumar@fnal.gov>
Cc: "Krzysztof Genser" <genser@fnal.gov>; "Doug Benjamin"
<dbenjamin@fnal.gov>
Sent: Monday, January 30, 2006 9:15 AM
Subject: Downtime for ora4


> Hi Nelly and Anil,
>
> could you please remind me when you wanted to do the
> required security updates on ora4?  How long would it
> take and how long can you postpone it for?
>
> I'm cc-ing Krzysztof and Doug since it would be nice
> to know how long a downtime can be absorbed by the
> SAM servers.
>
> Once we know the facts, we could put the issue to the
> CDF offline SPL council for debate and executive decision.
>
> (As a disclaimer, I'm not advocating either option since
> as a user I will suffer from SAM downtime as much as
> everybody else...)
>
> Thanks,
>
>           Petar