Bugtraq mailing list archives
Re: OpenBSD 2.9,2.8 local root compromise
From: Andreas Haugsnes <andreas () haugsnes no>
Date: Fri, 15 Jun 2001 19:58:42 +0200
If my opinions were misunderstood, I'll apologize for that. I am currently an 'eager and happy user' of OpenBSD. I have used it for a couple of years, and I must say that it has been among the better operating systems. On the side I use FreeBSD, for servers as well as desktops. The reason I reacted was that normally, fixes for 'more trivial' errors are corrected -by day-. The coders of OpenBSD are among the better, and up to now have delivered patches/fixes -fast-, as well as informing users (see you/me) about it. (If you in any sense feel that this discussion is taking a 'useless turn', just say so. In the deep end, we're both users and enjoying every minute of it. :) )

Now, going back to your answer here. The reason I reacted the way I did was not because I think "Microsoft is better". I have a very neutral opinion of OSes, and some users may prefer the ones that are easier to use. The only reason is that a fix wasn't posted on errata. No information regarding such an -important- event. How about all the users that use OpenBSD on important servers? No information on the subject was posted before the exploit, and that's what scares me.

> Do you do this every time an exploit comes out for any Linux vendor, or Microsoft? You must have a sweaty forehead.

<irony quotation mark, end> And I have -never- claimed that this is bad compared to other systems. But this is not a "match OS issue", please stick to the real issue.
> I'd like to know what method of notification Georgi used. Did he file a confidential bug report, or did he just send an email to Theo? He could have also sent an email to one of the mail lists, stating that he had discovered a problem and could someone "in the know" contact him.

Of course, this could be the situation. If it's "that explainable", I recall all my remarks.
> What's up with people acting like the sky is falling when any type of exploit is released for OpenBSD? I'd be interested to see a graph of released exploits for Operating Systems. Where do you think OpenBSD would be on that chart in relation to others?

There is a difference between "getting bugs" and "telling people about it". It's -not- good policy to let the public know about the bugs / exploits before it has been posted / fixed by the vendor.
> The reality is that the OpenBSD development team is small, and busy. And yes this is a problem, and yes they were notified, and yes no one officially responded to this BUGTRAQ post and they did not have a patch ready to go. Most of these developers are people just like you and me who have jobs and work on OpenBSD because they enjoy it, and like the ideals behind OpenBSD. No one is getting rich on doing this, believe me.

I don't doubt that for a second, -but-. This is a -critical- bug. It gives -root compromise-. Think of the damage it causes if no one gets to know about the fixes in time. We're talking -heavy- financial losses.
> If what you desire is someone to be there for you night and day, to have a patch right away, you should probably be running another OS. I'm not just saying that to be rude or refute the problem with a "go away" attitude. I'm serious.

Night/day, no. But what I expect, as well as in any other -good coding environment-, is information about -critical- issues such as this. If no one gives the information in time, what's the point of even reading the news/mailing list/webpages?
> In conclusion, OpenBSD never claimed that they were never going to be vulnerable to security issues, and they promised that they would be able to fix everything in a timely manner. But when I look at the alternatives, for some reason I still prefer it. Go figure...

Partially agree, but there is also a "big issue here": if no one is there to "complain" or "say that things weren't handled well", then who will take the time to fix it? "Why fix something that isn't broke." People -need- to get things like this pointed out, people NEED to see that security is a growing issue, and at the least, people NEED to: INFORM THE USERS. (Excuse the caps.)
> btw.. if you made it through my rant here is your reward: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/kern_exec.c
> Revision 1.49 / (download) - annotate - [select for diffs], Fri Jun 15 11:10:18 2001 UTC (6 hours, 38 minutes ago) by art

Yes, and do you think it's a coincidence that it's only 6 hours old? No, this proves the point I mentioned earlier. Now that the people have been informed (not in the best way, but still), a fix has been made. But 6 days have passed, and no one outside the OpenBSD team has been informed. That's -not good-. (Which is the -only- point I'm trying to make here. :-) )

In the end, I would like to thank the developers of OpenBSD. The operating system is really good, and I hope to see more of it. Just to point out that I still prefer OpenBSD as a "more secure alternative".

Your annoyance,
Andreas Haugsnes
Current thread:
- OpenBSD 2.9,2.8 local root compromise Georgi Guninski (Jun 14)
- Re: OpenBSD 2.9,2.8 local root compromise Przemyslaw Frasunek (Jun 14)
- Re: OpenBSD 2.9,2.8 local root compromise Jason R Thorpe (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Andreas Haugsnes (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Rick Updegrove (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Georgi Guninski (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise dmuz (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Andreas Haugsnes (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Tony Lambiris (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Peter van Dijk (Jun 16)
- Re: OpenBSD 2.9,2.8 local root compromise Jason R Thorpe (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise jon (Jun 15)
- <Possible follow-ups>
- RE: OpenBSD 2.9,2.8 local root compromise Brian McKinney (Jun 15)
- Re: OpenBSD 2.9,2.8 local root compromise Przemyslaw Frasunek (Jun 14)