Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: OpenBSD 2.9,2.8 local root compromise
From: Andreas Haugsnes <andreas () haugsnes no>
Date: Fri, 15 Jun 2001 19:58:42 +0200

If my opinions were missunderstod, I'll apologize for that.

I am currently a 'eager and happy user' of OpenBSD.
Used it for a couple of years, and I must say that
it has been among the better operatingsystems.
At the side I use FreeBSD, for servers aswell as desktops.
The reason that I reacted was that normally, fixes for
'more trivial' errors are corrected -by day-.
The coders of OpenBSD are among the better, and up to now
have delivered patches/fixes -fast-, aswell as informing users (see you/me) about it.

(If you in any sence of way feel that this discussion is taking a 'useless turn',
just say so. In the deep end, we're both users and enjoying every minute of it. :) )

Now, going back to your answer here.

The reason I reacted the way I did was not because I think "microsoft is
better". I have a very neutral opinion for OS', and some users may
prefer the ones easier to use.
The only reason is that a fix wasn't posted on errata. No information
reguarding such a -important- event.
How about all the users that use OpenBSD on important servers?
No information on the subject was posted before the exploit, and
that's what scares me.


Do you do this every time an exploit comes out for any Linux vendor, or
Microsoft? You must have a sweaty forehead.

<ironi quotation mark, end>
And I have -never- claimed that this is bad contra other systems.
But this is not a "match OS issue", please stick to the real issue.


I'd like to know what method of notification Georgi used. Did he file a
confidential bug report, or did he just send an email to Theo? He could
have also sent an email to one of the mail lists, stating that he had
discovered a problem and could someone "in the know" contact him.

Ofcourse, this could be the situation. If it's "that explainable", I
recall all my remarks.

What's up with people acting like the sky is falling when any type of
exploit is released for OpenBSD? I'd be interested to see a graph of
released exploits for Operating Systems. Where do you think OpenBSD
would be on that chart in relation to others?


The difference between "gettings bugs" and "telling people about it".
It's -not- good policy to let the public know about the bugs / exploits
before it has been posted / fixed by the vendor.


The reality is that the OpenBSD development team is small, and busy. And
yes this is a problem, and yes they were notified, and yes no officially
responded to this BUGTRAQ post and they did not have a patch ready to
go. Most of these developers are people just like you and me who have
jobs and work on OpenBSD because they enjoy it, and like the ideals
behind OpenBSD. No one is getting rich on doing this, believe me.


I don't doubt that in a second, -but-.
This is a -critical- bug. It gives -root comprimise-.
Think of the damage it causes if no one gets to know about the fixes in
time? We're talking -heavy- financial losses.

 
If what you desire is someone to be there for you night and day, to
have patch right away, you should probably be running another OS. I'm
not just saying that to be rude or refute the problem with a "go away"
attitude. I'm serious. 


Night/day, no. But what I expect, aswell as in any other -good coding environment-,
is information about -critical- issues as this.
If no one gives the information in time, what's the point of even reading
the news/maillist/webpages?


In conclusion, OpenBSD never claimed that they were never going to be
vulnerable to security issues, and they promised that they would be able
to fix everything in a timely manner. But when I look at the
alternatives, for some reason I still prefer it. Go figure...


Partially agree, but also a "big issue here", if no one is there to
"complain" or "say that things weren't handled good", then who
will take their time to fix it ?
"Why fix something that isn't broke".
People -need- to get things like this pointed out, people NEED to
see that security is a growing issue, and at the least, people
NEED to: INFORM THE USERS. (excuse the caps.)

btw.. if you made it through my rant here is your reward:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c

Revision 1.49 / (download) - annotate - [select for diffs] , Fri Jun 15 11:10:18 2001 UTC (6 hours, 38 minutes ago) by 
art 
Yes, and do you it's coincidence that it's only 6 hours old?
No, here proving my point earlier mentioned.
Now that the people have been informed (not in the best way, but still), a fix
has been made. But. 6 days has passed, and no one exterior from the OpenBSD team
has been informed. That's -not good-. (Which is the -only- point i'm trying to make
here. :-) )


In the end, I would like to thank the developers of OpenBSD.
The operatingsystem is really good, and I hope to see more
of it. Just to point out that I still prefer OpenBSD as a
"more secure alternative".



Your annoyance,
 Andreas Haugsnes



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]