Solaris fix-it firm offers free BASH patch for legacy Oracle kit
Sets up camp on moral high ground as lawsuit rages on
A Solaris fix-it-firm being sued by Oracle over copyrighted code says it has stepped in to defend customers not protected by Larry Ellison's firm from BASH attacks.
Terix has released a BASH fix for Solaris on SPARC and x86 that it claims goes further than Oracle’s own recent BASH patch.
BASH, vulnerability CCE-2014-7169, lets hackers execute code remotely on Solaris systems.
The Terix patch works for Solaris versions 6 and 7, in addition to 8, 9 and 10, with the code released to all under the GNU General Public License. A version for Solaris 11 is under development and will be released “shortly”, Terix promised.
A 26 September Bash patch from Oracle covers recent versions of Solaris – namely 8, 9, 10 and 11.
Terix says its move affords coverage to those whose legacy Solaris systems have fallen out of support or those who had decided against paying Oracle for support on newer systems.
The firm estimates developing and releasing its patch under open source would help fill a “critical gap” for Solaris customers lacking active support contracts or running versions of Solaris that missed Oracle’s patch.
With regard to the ongoing legal issues, Terix argues the licences customers receive when they purchase Solaris servers grant them the right to "perpetual" support of both the hardware and the OS – including the right to seek support from third parties once their original support contracts with Oracle run out.
According to Oracle’s filing at the time: “While a customer may engage a third party – instead of Oracle – to provide support services on Oracle hardware, neither the third party nor the customer can access Oracle’s support web site to support that hardware.
Oracle's filing went on to allege: “Defendants ignored these fundamental rules and restrictions as part of their own support services for Oracle hardware to customers that need access to Oracle’s proprietary patches and updates."
The case is Oracle America, Inc. v. Terix Computer Company, Inc, et al and is continuing. ®