New FreeBSD, NetBSD Security Advisories
Dan writes "FreeBSD has formally announced a security advisory entitled "OpenSSH buffer management error" for the now famous OpenSSH advisory (OpenSSH has released a new version 3.7.1 to address this issue). NetBSD has issued a similar advisory and fix for this issue. NetBSD has released two additional security advisories entitled "Kernel memory disclosure via ibcs2" and "Insufficient argument checking in sysctl(2)"."
Having to fix a security flaw in a closed source program is proof that closed source is bad. Fixing a security flaw in an open source program is proof that open source is good.
This isn't a hole on OpenBSD. According to Theo this can only crash SSHD, not give access.
-sirket
If you ever take a look at the patched code for one of these security advisories, you mainly see some special case code stuck in there to patch up the problem.
If you ever take a look at the actual *problem*, you'll find that they are usually just buffer overflows or other unchecked data, in which case 'some special case code' is the only appropriate course of action.
If someone could get remote access to an OpenBSD system but the only thing they could do was shut down a service (let's say SSHD) I'd have to think that would be considered a hole.
But if someone can just crash it remotely without even getting to a shell it's not a hole? That doesn't make sense to me.
I run OpenBSD on a home made firewall at home and I love it as much as the next guy, but I don't see how this can't be considered a hole.
It is significantly easier for hackers to find exploits in programs that come with the source. This vulnerability could have been exploited for 6 months or more. Being closed source has nothing to do with being able to fix security flaws. It does however mean that only the company/person who has the code can fix it.
There are security flaws in all software (maybe with the exception of Hello, World!), this has nothing to do with the availability of the source.
It wasn't so much an exploit but more a denial of service.
:-)
If there is a way for third parties to disable a service running on my computer, yes, I would like to be informed of it.
bash$