[17524] in bugtraq
Re: OpenBSD Exploit
daemon@ATHENA.MIT.EDU (Jose Nazario)
Mon Nov 6 18:40:48 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0011061440050.30191-100000@biocserver.BIOC.CWRU.Edu>
Date: Mon, 6 Nov 2000 14:50:40 -0500
Reply-To: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
From: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
X-To: Christian Ruediger Bahls <christian@IT-NETSERVICE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.21.0011061322410.2141-100000@phase2.intern.it-netservice.de>
On Mon, 6 Nov 2000, Christian Ruediger Bahls wrote:
> i do understand that there are some hidden vulnerabilities in OpenBSD
> but i would appreciate getting this information from OpenBSD .. and
> most important: after they fixed it ..
[i am nothing more than an OpenBSD user and advocate. i do not participate
in the team.]
i have been seeing this a lot lately, a complaint that the OpenBSD team
fixes a lot of bugs without much publicity. this is often seen as hubris
by some, conniving and blind disregard for the userbase by others. in
fact, it's none of the above.
the openbsd team is continually working to improve the security, as well
as the functionality, of the code. you are welcome to participate in this
process actively or passively. you can do this through several methods:
o join a mailing list. several exist that discuss the security and general
bugfixes, and the code itself, and are archived in several locations
around the world. the full list and information can be found on the
OpenBSD website at http://www.openbsd.org/mail.html. i recommend that
you check out the lists 'security-announce', 'tech', 'bugs',
'source-changes' and 'announce' to either receive or submit information
from or to the OpenBSD team.
o the daily CVS updates. you can grab the daily CVS snapshot and have a
look at what changed. this can be a bit time consuming, but hey, don't
blame others for your lack of effort. please see
http://www.openbsd.org/anoncvs.html for information about obtaining
current code by CVS.
o don't forget, have a look at the daily changelog. this covers most of
the important changes, both functionality and security, between the
current formal release and -current, the development branch. please see
http://www.openbsd.org/plus.html for information and links.
it's a lot to keep up on, yes. and it's difficult sometimes to think about
rebuilding a kernel on a key server to implement a patch that you've
noticed affects you (i.e. empty ESP/AH frames crashing the kernel).
still, the information is there. it just takes some effort on your part to
find it. you should be paying attention, anyhow, to any
reliability/feature/security fixes from your vendor(s).
jose nazario jose@cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)