Slashdot Mirror


OpenBSD 3.4 Released

tedu writes "We just couldn't wait another 2 days, so now you can enjoy OpenBSD 3.4 a little early and protect yourself from ghosts and goblins. More details at the OpenBSD website and official announcement. Remember to please use a mirror."

7 of 275 comments

  1. Re:A message from Theo by Krunch · Score: 2, Interesting
    From http://openbsd.org/errata33.html
    All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is unclear whether or not this bug is exploitable.
    No exploit was publicly available before it was fixed (AFAIK).
    --
    No GNU has been Hurd during the making of this comment.
  2. Thoughts on security by arvindn · Score: 5, Interesting
    From the release notes:
    Thousands of occurrences of unsafe library calls such as strcpy(), strcat() and sprintf() have been changed to the safer alternatives strlcpy(), strlcat(), and snprintf() or asprintf() in one of the most intensive audits yet performed by the OpenBSD project. The kernel is now completely free of these functions, as is most of the userland source tree.
    That's certainly a good thing, but it raises the question of why they were there in the first place. I mean, everyone's known for ages that these are unsecure, and the manpage lists it as a bug etc. Of course it's a pain to keep track of the length of each string (making them fixed size is not always feasible), but I would have expected that in kernel level code convenience would take the back seat.

    Note: this is purely an academic question, it is not my intention to criticize anyone, but just to learn why these things happen, not being a very experienced programmer myself.
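
An added example, not part of the thread or of OpenBSD's source: the strcpy()/strcat()/sprintf() replacement quoted from the release notes, applied to one path-building routine. Because strlcpy() and strlcat() are not in every libc, `bounded_copy` and `bounded_append` are hypothetical stand-ins written here with the same semantics; `build_path` and `build_path_fmt` are likewise illustrative names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with strlcpy() semantics: copy at most dstsize-1
 * bytes, always NUL-terminate, return strlen(src) so callers see truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hypothetical stand-in with strlcat() semantics: returns the length the
 * full string would have had; a result >= dstsize means it was truncated. */
static size_t bounded_append(char *dst, const char *src, size_t dstsize)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t dlen = end ? (size_t)(end - dst) : dstsize;
    if (dlen == dstsize) return dstsize + strlen(src); /* dst unterminated */
    return dlen + bounded_copy(dst + dlen, src, dstsize - dlen);
}

/* Pre-audit pattern strcpy(out, dir); strcat(out, "/"); strcat(out, file);
 * overruns out on long input. Bounded form: 0 on success, -1 if truncated. */
int build_path(char *out, size_t outsize, const char *dir, const char *file)
{
    if (bounded_copy(out, dir, outsize) >= outsize) return -1;
    if (bounded_append(out, "/", outsize) >= outsize) return -1;
    if (bounded_append(out, file, outsize) >= outsize) return -1;
    return 0;
}

/* The sprintf() -> snprintf() replacement, with the same truncation check. */
int build_path_fmt(char *out, size_t outsize, const char *dir, const char *file)
{
    int n = snprintf(out, outsize, "%s/%s", dir, file);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

int main(void)
{
    char buf[16];                      /* constructed sample inputs */
    printf("%d %s\n", build_path(buf, sizeof buf, "/etc", "passwd"), buf);
    printf("%d %s\n", build_path(buf, sizeof buf, "/var/log", "authlog.0.gz"), buf);
    return 0;
}
```

The bounded calls only prevent the overrun; the caller still has to check the return value, because a silently truncated path is its own bug.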

  3. Re:no, no, you don't understand... by Anonymous Coward · Score: 1, Interesting

    The truth is, perfect code *should* be irrelevant to security.
    I've been working with IT-security for 6 years, and the thing is, it doesn't matter how good of a programmer you are, eventually, you will fuck up; that's why security should be in the design, not the code, mostly in the design of the OS.
    VMS is a good example of this, there was a lot of shoddy code in VMS, but it's really secure -- by design!

    First design, then language, least important is, or if done properly at least, the code itself.

  4. Mirror Operators, Report! by Anonymous Coward · Score: 2, Interesting

    Does anyone who runs a mirror care to describe the traffic hit that comes with the rush to download 3.4? I remember seeing the stats for the FreeBSD Walnut Creek server handling tons of traffic whenever the next version of something it was serving was released. Generally it was RedHat, ironically.

    While I order CDs to support the project, I run snapshots for many things, and being close to a mirror (OC-3 linking our sites), it takes minutes to install via ftp.

  5. TCP/IP by ndavidg · Score: 4, Interesting

    From a University of Texas CS instructor's web site:

    The Transmission Control Protocol was first formally specified in December of 1974 by Vint Cerf, Yogen Dalal and Carl Sunshine.

    The link can be found here:

    http://www.cs.utexas.edu/users/chris/think/Early_Days_Of_TCP/index.shtml

    And supporting documentation will be found here:

    http://www.cs.utexas.edu/users/chris/think/Early_Days_Of_TCP/Annotated_Bibliography/index.shtml

  6. Via C3 support by Gothmolly · Score: 3, Interesting

    1.6 Gbit/sec of AES-128? Damn, I gotta get me one of these!

    --
    I want to delete my account but Slashdot doesn't allow it.
  7. C'mon OBSD!! by devphaeton · Score: 3, Interesting

    Can't you hurry up? Look at the front page of bsd.slashdot.org....

    Freebsd released 4.9 before your 3.4!!!

    (j/k)

    On a side note, reading the 2nd or 3rd post about trojaned obsd ISOs floating around the web is really sad and upsetting. I love the open sharing of software and source code around the internet, but i always fear that someday it will be to a point that *everything* has been tampered with, essentially creating a need to look through more source code than anyone has time for. Sure we can solve this with technology (such as with MD5 Checksums) but as we create smarter verification, the internet will create smarter shitheads. I'd hate to think that it will eventually degrade into a win-some/lose-some cat-and-mouse game.

    I actually lost some sleep a few months back when the GNU folks announced that their main ftp site got compromised. I realise that servers get cracked every day, but when it's gnu/linux/bsd/oss folks it feels personal.

    I'm not well acquainted with any $krYp+ KyddI3z, cr4x0rz or know what they use, but i'll be willing to bet that their OS and many of their tools are based on software from those they are attacking.

    Assholes.

    --


    do() || do_not(); // try();