Slashdot Mirror
Vulnerabilities in FreeBSD
flynn_nrg writes: "O'Reilly has an interesting article about vulnerabilities in common programs found on most FreeBSD boxes. From the article: "Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at buffer overflows in
OpenSSH, Squid, Listar/Ecartis, slrnpull, and IRIX's syslogd; problems
in Sudo, MHonArc, and Mosix; and a local root hole and denial-of-service
attack vulnerability in FreeBSD.""
Hmmm. Let me consider that again. Yup. I am quite sure that it WAS a troll. Besides the overused of the bold tag, the author used the word Berzerkeley. Definitely a troll.
In any case, a few security bugs can't kill an OS. Windows would be dead a hundred times if that were true.
If tits were wings it'd be flying around.
The article covered two vulnerabilities specific to FreeBSD, a few in third party programs which apply to all platforms (the article itself makes no reference to FreeBSD), and some vulnerabilities (mosix, IRIX syslogd) which are specific to other platforms (Linux and IRIX respectively) and have nothing whatever to do with FreeBSD
So how does that make it an article on FreeBSD vulnerabilities?
what timothy forgot to mention is that the freebsd group had already released patches before posting this article. i guess he could have actually gone out and checked, but alas, this is /. ... home of editors that don't give a shit
go on, mod me down
Gee, just two FreeBSD vulnerabilities in that article.... I run several FreeBSD workstations and servers and neither of them would be affected because it's easy to workaround those problems and equally simple to track -STABLE.
Ever get into rpm hell on a redhat box? Debian might be a little better, but still, Debian is barely more than a kernel from being FreeBSD. FreeBSD is infinitely simpler to tailor to your needs and manage than any other *nix system I've tried.
This article doesn't discourage me a bit, since fixes for the mentioned vulnerabilities were available so soon after the announcements. I absolutely love FreeBSD for all me needs and encourage other to install and learn it.
only 2?
:).
Heck, I'm waiting for my Service pack 3 for win2k to apply the 14 pages of hotfix and security patch automatically to my newer systems without having to reload the windowsupdate/rebooting 3 times (explorer 5.5sp2, reboot, security roolup jan 2002, reboot and finally the critical, and that doesn't include post-sp2 hotfixes that aren't "critical").
No wonder I am considering FreeBSD for my email server, yeah it'll need maintenance and security, yes I hate the overhead and everything is so much simpler in windows, that I have to give it to microsoft, but GOD, I don't want to reboot a zillion time after applying patches every week, heck, I don't want to apply patches every week
--- Metamoderating abusive downgraders since my 300th post.
Another piece of great news hit the already prosperous *BSD community when IDC confirmed that *BSD market share has risen yet again, now up to more than of 18 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has gained more market share, this news serves to reinforce what we've known all along. *BSD is growing in complete unity, as fittingly exemplified by coming dead first in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a superb future. In fact there will be a wonderful future for *BSD because *BSD is living. Things are looking very good for *BSD. As many of us are already aware, *BSD continues to gain market share. Black ink flows like a river of cash. FreeBSD is the most successful of them all, having acquired 93% more core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 70000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 2 to 1. Therefore there are about 70000/2 = 35000 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 15000 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (70000+35000+7000)*4 = 448000 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the success of Walnut Creek, excellent sales and so on, FreeBSD became a viable business and was taken over by BSDI who sell another popular OS. Now BSDI is also growing, its success acquired by yet another software house.
All major surveys show that *BSD has steadily increased in market share. *BSD is very strong and its long term survival prospects are very good. If *BSD is to keep growing it will be among those who appreciate solid, fast and well-engineered OSes. *BSD continues to succeed. Nothing short of a miracle could kill it at this point in time. For all practical purposes, *BSD is here for good.
Fact: *BSD is living
There. I feel much safer now.
|>
Here be Dragons
Now I'm done.
(Not that I use sudo, but it's there for completeness)
|>
Here be Dragons
I used to be a big Linux advocate, unfortunately it seems that Linux has been becoming more and more unstable. The hundreds of different distributions of Linux all have their pros and cons, but there is no centralised package or ports system. Want a package for Linux ? Ok, cool - DEB, RPM? RPM? That's the most popular. But don't try using a Mandrake RPM or a SuSE RPM on RedHat.
Linux has given up its usefulness for graphical installers and Windowesque gimmicks. The code bloat is unbelievable. Unless you roll out your own distribution or use a minimalist distribution like Slackware, the default installs for RedHat, Mandrake, etc are huge, Windows-like monstrosities.
So what?, I hear you say. Linux is stable and secure. Wrong again. The Lion worm proved that Linux is not as secure as one might believe. The fact that VMs get changed in the middle of a stable release branch (2.4.x) shows bad organization.
It took Linux years to overcome its awful filesystem problems, and now journalling filesystems are available. But speedwise, compared to the FreeBSD FFS, they are slow and cumbersome, and have yet to prove as reliable. FFS Softlinks are a few generations ahead of any journalling filesystem on the market.
FreeBSD is far better organized, the ports and packages collections are better synced and more reliable, the system is more stable and easier to understand. The firewall included with FreeBSD has been proven and has a far better track record than ipchains or iptables, the latter having security problems in its first week or release, the former having no stately inspection and being a complete mess due to its shell-script bound layout.
But Linux has more software than FreeBSD!, scream the Linux die-hards. What they fail to realize is that 99% of Linux software runs under FreeBSD. I haven't encountered a Linux program that didn't run under FreeBSD. Sure, I've heard reports by trolls that certain software doesn't work, but all the software I've tried works, in fact, even faster than the native Linux versions in most cases. To the VMWare troll: Yes, VMWare does work under FreeBSD.
FreeBSD vs Linux is a debate that won't ever be settled, but people who have used both generally prefer FreeBSD for mission-critical tasks. Those who claim that FreeBSD performs worse than Linux either haven't used FreeBSD or are trolls.
I won't say that FreeBSD is the best Unix variant on the market, but the best open source Unix variant? Yes. Solaris is still tops, but in terms of Free (Open Source) systems, FreeBSD is probably the best all-rounder. NetBSD, OpenBSD and Linux all have their respective places, but overall, FreeBSD will probably take over most of the open source server market, at least in organizations with serious management.
So what?, I hear you say. Linux is stable and secure. Wrong again. The Lion worm proved that Linux is not as secure as one might believe. The fact that VMs get changed in the middle of a stable release branch (2.4.x) shows bad organization.
It took Linux years to overcome its awful filesystem problems, and now journalling filesystems are available. But speedwise, compared to the FreeBSD FFS, they are slow and cumbersome, and have yet to prove as reliable. FFS Softlinks are a few generations ahead of any journalling filesystem on the market.
FreeBSD is far better organized, the ports and packages collections are better synced and more reliable, the system is more stable and easier to understand. The firewall included with FreeBSD has been proven and has a far better track record than ipchains or iptables, the latter having security problems in its first week or release, the former having no stately inspection and being a complete mess due to its shell-script bound layout.
But Linux has more software than FreeBSD!, scream the Linux die-hards. What they fail to realize is that 99% of Linux software runs under FreeBSD. I haven't encountered a Linux program that didn't run under FreeBSD. Sure, I've heard reports by trolls that certain software doesn't work, but all the software I've tried works, in fact, even faster than the native Linux versions in most cases. To the VMWare troll: Yes, VMWare does work under FreeBSD.
FreeBSD vs Linux is a debate that won't ever be settled, but people who have used both generally prefer FreeBSD for mission-critical tasks. Those who claim that FreeBSD performs worse than Linux either haven't used FreeBSD or are trolls.
I won't say that FreeBSD is the best Unix variant on the market, but the best open source Unix variant? Yes. Solaris is still tops, but in terms of Free (Open Source) systems, FreeBSD is probably the best all-rounder. NetBSD, OpenBSD and Linux all have their respective places, but overall, FreeBSD will probably take over most of the open source server market, at least in organizations with serious management.
www.gentoo.org
The patch to fix the IRIX problem was included in the standard IRIX maintenance patches that were released 18 months ago. I would hope if someone had a system on the internet they would patch it more often than every 18 months.