Home page logo

bugtraq logo Bugtraq mailing list archives

Re: OpenBSD Exploit
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Mon, 6 Nov 2000 14:50:40 -0500

On Mon, 6 Nov 2000, Christian Ruediger Bahls wrote:

i do understand that there are some hidden vulnerabilities in OpenBSD
but i would appreciate to get this information from OpenBSD .. and
most important: after they fixed it ..

[i am nothing more than an OpenBSD user and advocate. i do not participate
in the team.]

i have been seeing this a lot lately, a complaint that the OpenBSD team
fixes a lot of bugs without much publicity. this is often seen as hubris
by some, conniving and blind disregard for the userbase by others. in
fact, it's none of the above.

the openbsd team is continually working to improve the security, as well
as the functionality, of the code. you are welcome to participate in this
process actively or passively. you can do this through several methods:

o join a mailing list. several exist that discuss the security and general
  bugfixes, and the code itself, and are archived in several locations
  around the world. the full list and information can be found on the
  OpenBSD website at http://www.openbsd.org/mail.html. i reccomend that
  you check out the lists 'security-announce', 'tech', 'bugs',
  'source-changes'  and 'announce' to either receive or submit information
  from or to the OpenBSD team.

o the daily CVS updates. you can grab the daily CVS snapshot and have a
  look at what changed. this can be a bit time consuming, but hey, don't
  blame others for your lack of effort. please see
  http://www.openbsd.org/anoncvs.html for information about obtaining
  current code by CVS.

o don't forget, have a look at the daily changelog. this covers most of
  the important changes, both functionality and security, between the
  current formal release and -current, the development branch. please see
  http://www.openbsd.org/plus.html for information and links.

it's a lot to keep up on, yes. and it's difficult sometimes to think about
rebuilding a kernel on a key server to implement a patch that you've
noticed affects you (ie empty ESP/AH frames crashing the kernel).

still, the information is there. it just takes some effort on your part to
find it. you should be paying attention, anyhow, to any
reliability/feature/security fixes from your vendor(s) anyhow.

jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]