Slashdot Mirror


Remote Exploit Discovered for OpenBSD

An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."

12 of 338 comments

  1. Heh by cyberbob2351 · · Score: 5, Funny
    From TFA:

    Remotely Exploitable: Yes
    Locally Exploitable: No
    That right there is the biggest slap in the face! Everyone should have the freedom to fux0r their own machine!

    Opensource my ass...
    --
    for sale
    I'm a self-modifying sig virus
  2. Well done, the OpenBSD team. by Anonymous Coward · · Score: 5, Insightful

    Well done. It's not an easy feat to create an OS with so few exploits. The team and Microsoft should take a leaf out of your book.

    1. Re:Well done, the OpenBSD team. by Kandenshi · · Score: 5, Insightful

      I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

      Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

      Someone decided that people don't care enough about the number of remote exploits found in a given OS. They were probably right.

    2. Re:Well done, the OpenBSD team. by Leto-II · · Score: 5, Funny

      Could this be a sign of overconfidence in the Linux community?
      Not really, since this has nothing to do with Linux. It's OpenBSD, not Linux.
      --
      Do not anger the worm.
    3. Re:Well done, the OpenBSD team. by Tom · · Score: 5, Funny

      It is when basically the only thing your OS does "in the default install" is allow SSH logins. Which is more remote access than a default install of Windows contains. ;-)

      Ok, make that "more intentional remote access"...
      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:Well done, the OpenBSD team. by TheRaven64 · · Score: 5, Informative
      Note that many Sendmail and Apache exploits do not affect OpenBSD, for two reasons:
      1. The kernel contains a lot of exploit mitigation stuff that may well turn an arbitrary code execution into a DoS.
      2. OpenBSD doesn't actually include Sendmail or Apache, it includes forks of both. These are heavily audited by the OpenBSD guys, and not all of the changes are merged upstream.
      When a new category of bug is found in OpenBSD, the entire tree is searched for occurrences of it. This often means that seemingly innocuous changes in something like OpenBSD's httpd turn out to have fixed things that are later found to be security holes.

      --
      I am TheRaven on Soylent News
    5. Re:Well done, the OpenBSD team. by Just+Some+Guy · · Score: 5, Insightful

      I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

      Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

      My company makes far more than the OpenBSD team brings in, and yet we still respect them and try to emulate their practices. I'm not sure what kind of hubris it takes to dismiss someone's ideas just because you have more money.

      --
      Dewey, what part of this looks like authorities should be involved?
  3. Re:Advisory Timeline by evilviper · · Score: 5, Interesting

    which implies an attempted cover up.

    Cover up? The OpenBSD team believed it was only a remote DoS vulnerability until proof of concept code was provided, and re-labeled it as such immediately.

    What part seems suspicious to you?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  4. Holy Cow, an OpenBSD Vuln? by Anonymous Coward · · Score: 5, Funny

    Thank GOD I run the company webserver on NT!

  5. Time to make a list... by Anonymous Coward · · Score: 5, Funny

    -The Sox won the world series
    -The Pope died
    -Mac got Intel chips
    -The Berlin Wall came down
    -I out-lived 4 cats
    -Man walked on the moon
    -I got laid
    and...
    -BSD had a hole

    1. Re:Time to make a list... by bytesex · · Score: 5, Funny

      Do the facts that you got laid and that BSD had a hole have anything to do with each other? Just asking - kids these days...

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
  6. OpenBSD Website by Anonymous Coward · · Score: 5, Informative

    From the OPENBSD Website:
    Only two remote holes in the default install, in more than 10 years!

    At least they don't hide it.