Slashdot Mirror


NetBSD 2.0.2 Released

jschauma writes "James Chacon of the NetBSD Release Engineering team has announced that update 2.0.2 of the NetBSD operating system is now available. NetBSD 2.0.2 is the second security/critical update of the NetBSD 2.0 release branch. This represents a selected subset of fixes deemed critical in nature for stability or security reasons. More details are available in the NetBSD 2.0.2 Release Announcement."

36 comments

  1. I wonder... by 0x461FAB0BD7D2 · · Score: 5, Funny

    if NetBSD 2 SP2 breaks compatibility with Halo.

    1. Re:I wonder... by Anonymous Coward · · Score: 4, Informative

      I don't know what Halo is, but NetBSD security upgrades (2.0.x), and even minor upgrades (2.x), normally are 100% backward compatible.

      Backward compatibility across major versions (for 1.5, 1.6, ...) can be enabled in the kernel, using e.g. the COMPAT_16 option.

    2. Re:I wonder... by Anonymous Coward · · Score: 3, Funny

      Whoosh! Whoosh! Whoosh! He made a funny. WinXP SP2 breaks Halo (the game).

    3. Re:I wonder... by quamaretto · · Score: 1

      Speaking of which, I guess they haven't made an ending for BSD, either...

      --
      *is run over by rotten tomatoes*
  2. So, speaking of security, by hey! · · Score: 5, Interesting

    whatever happened to kernel privilege elevation, which was supposed to allow daemons in BSD to run as unprivileged accounts, but still do things like bind to certain low number IP ports? Supposedly, by making the ability to do certain privileged things fine grained, it reduced the impact of things like buffer overflows.

    Is this just part of the BSD landscape now? Did the idea pan out, and is BSD now relatively immune to a large class of security vulnerabilities?

    OT, I know, but I remember thinking that if this worked as well as it sounded, it was a good reason to move my Linux servers over to BSD.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:So, speaking of security, by Anonymous Coward · · Score: 4, Informative

      You may be thinking of systrace.

    2. Re:So, speaking of security, by Anonymous Coward · · Score: 3, Informative

      On all BSDs you can set the lowest "unprivileged bindable" port by means of a sysctl.

    3. Re:So, speaking of security, by Anonymous Coward · · Score: 2, Informative

      or, you can redirect the port to a higher number by using NAT.

    4. Re:So, speaking of security, by hey! · · Score: 3, Interesting

      Yes, that's it.

      So, what's the consensus been about the experience with this. Has it proven to be a huge improvement in security?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re:So, speaking of security, by Homology · · Score: 4, Informative
      "So, what's the consensus been about the experience with this. Has it proven to be a huge improvement in security?"

      Writing systrace policies is a lot of work, and requires much testing in order not to break the application. In addition you need knowledge of the system calls involved (pass/deny).

      As an example, "mv a /b" involves different system calls depending on whether a is on the same filesystem as /b.

    6. Re:So, speaking of security, by hey! · · Score: 1, Troll

      So, we're in the same old situation: you can secure your system, but it's so much trouble most people won't?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    7. Re:So, speaking of security, by Anonymous Coward · · Score: 1, Interesting

      Most people won't do the whole system, but individual daemons are not too much work.

      I do this with my servers which run a modified postgresql, though I use OpenBSD.

    8. Re:So, speaking of security, by setagllib · · Score: 4, Insightful

      Well, it all depends how much security you WANT, short of not having a system at all. You can systrace everything and have a crack team of trusted, indoctrinated people constantly watching all traffic and analysing it for signs of attempted intrusion or investigation. Or you can trust the software quality and 'general practice' recommendations even outlined in the BSD handbooks.

      It's definitely a fun job though (one I wouldn't mind having), as long as the software is good. The BSDs are good in this regard, and so is Linux with the right patches and tools. But then sometimes a bug will come up nobody expected and it's all for naught :(

      --
      Sam ty sig.
    9. Re:So, speaking of security, by hey! · · Score: 2, Insightful

      Well, sure, but that doesn't do squat for security -- it just makes things more insecure.

      So now an unprivileged app can masquerade as an apache or imapd.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    10. Re:So, speaking of security, by Homology · · Score: 4, Interesting
      "Well, sure, but that doesn't do squat for security -- it just makes things more insecure. So now an unprivileged app can masquerade as an apache or imapd."

      You do not understand the issue: too many daemons run as root just because they need to bind to a low port. So any exploit will be a remote root exploit. Besides, if you rely on port numbers for security on random machines, I guess you have some problems ;-)

    11. Re:So, speaking of security, by hey! · · Score: 1, Interesting

      No offense taken, I do understand the problem. It's just that the problem of security never boils down to one thing, does it?

      It isn't just about a daemon getting root privileges. That's really bad of course. But impersonating a trusted program is really bad too, just not quite as bad. When the trusted program can bind to the port, and only that program, it solves both aspects of that particular problem.

      Oh, there's lots more ways we can get in trouble, but every door that's closed and locked is a good thing.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    12. Re:So, speaking of security, by dmiller · · Score: 1

      It may be more accurate to say that "too many programs start as root because they need to bind to a low port", but most of them give up root privileges quickly (at least on OpenBSD).

    13. Re:So, speaking of security, by evilviper · · Score: 1
      "too many programs start as root because they need to bind to a low port", but most of them give up root privileges quickly

      While that's true, it's far from ideal. There have been many instances where popular apps (e.g. samba) that were supposed to drop root privileges immediately didn't do so properly, and became a remote root exploit anyhow...
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
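
Added example, not part of any comment in this thread: the "start as root, bind the low port, then give up root" pattern discussed in the replies above, with the check that catches a drop that did not take effect. The function names and the use of 65534 as the unprivileged "nobody" UID/GID are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes setgroups() in glibc headers */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if every real/effective ID equals the target and root
 * cannot be regained. A target ID of 0 never counts as "dropped". */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return 0;
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    /* If either call succeeds, a saved root ID survived the drop. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;
    return 1;
}

/* Order matters: supplementary groups, then GID, then UID. Once the UID
 * is gone the process no longer has the right to change its groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                       /* refuse to "drop" to root */
    if (setgroups(1, &gid) != 0)         /* discard root's group list */
        return -1;
    if (setgid(gid) != 0)                /* real, effective and saved GID */
        return -1;
    if (setuid(uid) != 0)                /* real, effective and saved UID */
        return -1;
    return privileges_are_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    /* A daemon would bind() its low port here, while still root. */
    if (drop_privileges(65534, 65534) != 0) {   /* assumed "nobody" IDs */
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    puts("running unprivileged");
    return 0;
}
```

Every return value is checked and the result is verified by trying to regain root; a daemon that ignores a failed setuid() keeps serving requests as root.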
  3. MOD PARENT UP by Anonymous Coward · · Score: 0

    +5 Eng Comp 101

  4. Requiem for the FUD by Anonymous Coward · · Score: 0
    // Please *don't* mod this up. It has already been done! Thx

    ... facts are facts. ;)

    FreeBSD:
    FreeBSD, Stealth-Growth Open Source Project (Jun 2004)
    "FreeBSD has dramatically increased its market penetration over the last year."
    Nearly 2.5 Million Active Sites running FreeBSD (Jun 2004)
    "[FreeBSD] has secured a strong foothold with the hosting community and continues to grow, gaining over a million hostnames and half a million active sites since July 2003."
    What's New in the FreeBSD Network Stack (Sep 2004)
    "FreeBSD can now route 1Mpps on a 2.8GHz Xeon whilst Linux can't do much more than 100kpps."

    NetBSD:
    NetBSD, for When Portability and Stability Matter (Oct 2004)
    NetBSD sets Internet2 Land Speed World Record (May 2004)
    NetBSD again sets Internet2 Land Speed World Record (Sep 2004)

    OpenBSD:
    OpenBSD Widens Its Scope (Nov 2004)
    Review: OpenBSD 3.6 shows steady improvement (Nov 2004)
    OpenSSH (OpenBSD subproject) has become a de facto Internet standard.

    *BSD in general:
    Deep study: The world's safest computing environment (Nov 2004)
    "The world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin."
    BSD Success Stories (O'Reilly, 2004) (pdf) ~ from Onlamp BSD DevCenter
    "The BSDs - FreeBSD, OpenBSD, NetBSD, Darwin, and others - have earned a reputation for stability, security, performance, and ease of administration."
    ..and last but not least, we have the cutest mascot as well - undisputedly. ;)

    --
    Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

    1. Re:Requiem for the FUD by Anonymous Coward · · Score: 0

      Those are fake facts. No one is using *BSD anymore, because it's just for dilettante dabblers. And Apple is switching to Linux for Tiger, everyone knows that so stop bragging about it using *BSD because Apple doesn't anymore.

  5. Gripes. by Anonymous Coward · · Score: 0

    *HOW* do I get my dreamcast to boot NetBSD? I am not particularly sure how many coasters I have made now.

    And, why not BIND 9.X.X? NetBSD still ships with 8.X.X :(

    1. Re:Gripes. by niteice · · Score: 1

      IIRC, Dreamcasts have a CD drive that spins backwards. You need to rewire your CD burner.

      --
      ROMANES EUNT DOMUS
    2. Re:Gripes. by Anonymous Coward · · Score: 0

      not true at all. i've been able to run netbsd on my dreamcast since 1.5 using a regular cd-r

  6. Re:It Is Official; Wired News Confirms by Anonymous Coward · · Score: 0

    I have never seen any real, cold, hard evidence to back up these absolutely benign claims!

  7. FUD for the FUD by Anonymous Coward · · Score: 0

    no kidding the recent tests show Linux networking is 10 times faster than the fastest *BSD, which is certainly not NetBSD. FAKE FACTS.

    1. Re:FUD for the FUD by Anonymous Coward · · Score: 0

      Recent tests show that I'm 10 times righter than you, and you're always wrong.

    2. Re:FUD for the FUD by Anonymous Coward · · Score: 0

      Recent data proves that 10 times the people spout unprovable statistics than the 10% that can prove that 90% of all statistics are at least 25% inaccurate based on relevant data acquired 50% of the time by 20% of the researchers.

      In keeping with the relevance of this information, 10% of all slashdot messages are posted by a community that is 90% nerds, of which at least 7% are spouting 80% FUD, and this is at least 47% provable 63% of the time.

  8. Re:It Is Official; Wired News Confirms by Anonymous Coward · · Score: 0

    How about the Wired news article? These are not benign claims; they're cold hard indictments of *BSD and its clearly impending doom.