Contributed by Dengue on from the proactive-security dept.
Patch02: sshd(8) is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.1 to fix a few problems:
- A security hole that may allow an attacker to partially authenticate if -- and only if -- the administrator has enabled KerberosV.
- By default, OpenSSH KerberosV support only becomes active after KerberosV has been properly configured.
- An excessive memory clearing bug (which we believe to be unexploitable) also exists, but since this may cause daemon crashes, we are providing a patch as well.
- Various other non-critical fixes.
Patch016: A security issue exists in the vi.recover script that may allow an attacker to remove arbitrary zero-length files, regardless of ownership.
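The Patch016 entry describes a boot-time cleanup script that can be made to delete files outside its remit. The function below is an added example, not the OpenBSD vi.recover script, showing the checks a practitioner would want in any recovery-directory cleanup of this kind: every expansion quoted, no symlink following, regular files only, a single directory level, and an owner restriction. The directory and owner arguments are illustrative assumptions, and -P and -maxdepth are GNU/BSD find(1) extensions rather than strict POSIX.

```shell
#!/bin/sh
# Added example (not the OpenBSD vi.recover script): remove only zero-length
# regular files in one recovery directory, and only those owned by the user
# named in the second argument. Directory and owner are illustrative.
#
# Why each piece is there:
#   - every expansion is quoted, so an attacker-chosen file name containing
#     spaces or option-like text cannot split into extra arguments;
#   - find -P never follows symlinks and -type f matches only regular files,
#     so a link planted in the directory is left alone;
#   - -user restricts removal to the expected owner;
#   - -maxdepth 1 stays inside the directory instead of descending;
#   - -size 0 keeps only empty files;
#   - "--" stops rm from reading a name beginning with "-" as an option.

clean_zero_length() {
    dir=$1
    owner=$2
    # Operate only on a real directory, never on a symlink pointing at one.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        return 1
    fi
    find -P "$dir" -maxdepth 1 -type f -user "$owner" -size 0 \
        -exec rm -f -- {} +
}

# Usage (assumed paths): clean_zero_length /var/tmp/vi.recover root
```

The function returns non-zero and touches nothing if the path is not a real directory, so a caller such as an rc script can run it unconditionally without first testing the directory itself.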
By Ed () none@please on mailto:none@please
Maybe waiting some days before burning 3.0 would avoid a 3.0 patch.
Like WinXP, OpenBSD 3.0 also has a patch BEFORE RELEASE! Please Theo, don't go so quickly, think twice before. However, OpenBSD is always OpenBSD ;-) Anything could change it. Thanks.
By Alex de Haas () alex@purebsd.com on http://www.purebsd.com
By Anonymous Coward () on
By randomjoker () on
I can only imagine trying to patch a PDP-11 400 times... argh!
Seeing as that code was released in like 1983-84, if you were to wait for the patches to stop, you would STILL be waiting!!!
By Ian Linwood () ian@untouchable.org.uk on mailto:ian@untouchable.org.uk
This will also allow me to stick with IPF - a known quantity.
By niekze () niekze@yahoo.com on http://www.nothingkillsfaster.com
But I'd wonder about someone who would upgrade production machines within 2 weeks of a release for any OS. (As for Windoze releases, change that 2 weeks to 2 months... heheh)
By niekze () niekze@yahoo.com on http://www.nothingkillsfaster.com
By john () john@maKintosh.com on mailto:john@maKintosh.com
By Bent () on
http://www.openbsd.org/errata.html
for OpenBSD 3.0.
So is that true?
By Rémi Guyomarch () rguyomarch@ifn.fr on mailto:rguyomarch@ifn.fr
$subject
By Anonymous Coward () on
No wait, you're right, they should sit on the fixes until the official release date so as not to upset the customers.
Do you even bother reading the security+reliability fix reports? 90% of the ones I've seen since using OpenBSD (circa 2.5/2.6) have not directly affected me, either due to being related to hardware I don't own, programs I don't install, or configurations I don't use. Moreover, such an experience should be true of most people who run the default installs.
Not to say there's no need to patch or keep current, but it should hardly be much of a kink in your life to apply some patches.
By Anonymous Coward () on
By Anonymous Coward () on
I really enjoy running all *BSDs, but your comments are bullshit.
Before opening your mouth, contribute and help.
By Anonymous Coward () on
By Anonymous Coward () on
Instead of dropping useless flames and wasting other people's time, try to help FreeBSD even more.
Please don't waste our time with this kind of thread.
We don't care.
By ThomasJ () on
Oh my! Aren't you?
Well, nice meeting you. Please greet the FreeBSD fellows, when you get back.
Maybe we should visit the FreeBSD fora once in a while... Nah...
By anomdebus () on
By Ray () intangible@usa.net on mailto:intangible@usa.net
By Cindy () on www.junkware.2y.net
--Cindy
By Ray () intangible@usa.net on mailto:intangible@usa.net
I don't think you understand what I was trying to say. I was just trying to say that the numbering scheme for OpenBSD is different from most other Unix software numbering schemes. I was trying to explain that there are no "mature releases" nor "minor releases" in the OpenBSD numbering scheme, there are just 6 month releases. I don't see what's so silly about my comments.
Maybe my post would have made more sense if you read the post that I was replying to. Sorry if I offended you in any way.
By Cindy () on www.junkware.2y.net
byte me
--Cindy
By Anonymous Coward () on
By Cindy () on www.junkware.2y.net
-- Cindy
By Anonymous Coward () on
By Cindy () on www.junkware.2y.net
--Cindy
By Ray () intangible@usa.net on mailto:intangible@usa.net
-Ray-
By fansipans () on http://dub.gmu.edu/~fansipans/
then they meet a monkey swinging on a tree (a half invisible monkey!) whose name is monkey-y, but instead of joining on the adventure, monkey-y just goes to swim in a puddle of stagnant water with some maggots (stagnant water!) and then the climax of the story unfolds (i don't want to give it away, it's an epic saga tale!)
Um, wait, what were we talking about? Sorry, got off track. Check it out! Good song: "The Adventures of Planky"
--fansipans
By Brent Graveland () bgraveland@hyperchip.com on mailto:bgraveland@hyperchip.com
Is the lack of 4.4-release patches a sign of quality, or a sign that there is a lack of auditing?
I'm quite happy to have patches released... I've been running 3.0 for a while now. I've ordered 20 CD's for my company, but why bother waiting for CD's to install? make build works fine for me.
Just because the CD's have not arrived yet doesn't mean 3.0 isn't released.
By Anonymous Coward () on
By Anonymous Coward () on
Do you know any packet filter which has all that pf has, and was built in less than 6 months?
I have been using 3.0 for some time now, and I've had no problem with it.
If you don't like OpenBSD, what are you doing here?
By Anonymous Coward () on
Yes, I do.
Do you know any packet filter which has all that pf has, and was built in less than 6 months?
I think you've hit it on the head right there. pf has only been around for 6 months, and not even that! I don't know about you, but I really am not going to entrust my network to a 6-month-old firewall.
If you don't like OpenBSD, what are you doing here?
I do like OpenBSD, I think it's a great operating system, but I think there's a distinct lack of QA taking place in the hopes of rushing a release out the door on schedule. This is clearly evidenced by pages and pages of errata, most of which strike me as just plain stupid mistakes that were missed.
By Anonymous Coward () on
By Anonymous Coward () on
Nothing. Compare.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
I think you must like oldies which have a lot of security holes, don't you?
By Anonymous Coward () on
As to FreeBSD 4.4: FreeBSD does active development on 5.0 and backports heavily tested components to the 4.x tree. I don't consider 4.x to be releases, more of maintaining the old stable tree.
By Roo () on
Then again this little flurry of fixes around release time is normal for OpenBSD. Sure, it would be nice if it was right first time, but it's pretty good to have the patches there before the CD.
The only real concern I have amongst the list of errata there is the pf/ipv6 one as it reminds us of pf's immaturity. It would have been nice to have an IPF->PF migration release, but sadly politics often gets in the way of the ideal solution...
If I managed production machines, I would probably continue to run 2.9 on the firewalls and evaluate an upgrade to 3.0 (with patches of course) on internal servers.
Quality is part of a continuous process, and perfection is elusive. Of course being a cynic, I never believe something's perfect. ;)
Cheers,
Rupert
By Marc Espie () espie@openbsd.org on mailto:espie@openbsd.org
part.
The licence of IPF was not respected, and we couldn't respect it. So IPF was pulled out.
I heard that Darren changed his licence then, very late... too late for OpenBSD 3.0.
Not as if we had a real choice, if we wanted to do things by the book...
By Roo () on
I'm damn glad that OpenBSD are as thorough about licensing as they are. Another good feature of OpenBSD: I don't have to worry too much about things being yanked out from underneath my preferred OS. It's tackled pro-actively.
Now to wander off on a tangent...
One thing which has impressed me about OpenBSD is that there doesn't seem to be any serious evidence of NIH syndrome. The IPF/PF switch is the exception that proves the rule; you guys switched because you had to.
Code re-use = good. :)
Keep up the good work, it's much appreciated ! Especially by people who like to get work done rather than fight OSes & vendors. :)
Cheers,
Rupert.
By Buck Pyland () buck@stlbsd.org on http://www.stlbsd.org/
"ARSE!" -- Jed the Tourette's Syndrome Taxidermist
By Sacha Ligthert () on http://teksec.xs4all.nl/~outcast/
By Cindy () on www.junkware.2y.net
By Punkball () punkball@ccs.neu.edu on mailto:punkball@ccs.neu.edu
If you want unpatched systems or easy administration, try win2k...
By Anonymous Coward () on
I'm glad they've at least found these, or whoever did, and they wrote patches before some malicious user can use them.
By Ray () intangible@usa.net on mailto:intangible@usa.net
By Anonymous Coward () on
By Ray () intangible@usa.net on mailto:intangible@usa.net
Also, when I said 2.10, I meant it to read two point ten, not two point one.
If you claim that this is a "major change", then what, exactly, was the major change? Replacing IPF with pf? sparc/64 port? Do those constitute "major" changes? Are these changes more "major" compared to a "minor change", such as 2.9, which include softupdates updates and dirpref code, and a port to the Apple Titanium Powerbook G4?
By BluNereid () frank@blunereid.net on mailto:frank@blunereid.net
When I applied the patch, the patch ran just fine; then I had to go to /usr/src/usr.sbin/ssh and run 'make obj && make clean && make install'.
make obj and make clean worked just fine, but when I ran make install, I got this error message:
    make install
    ===> lib
    ===> ssh
    install -c -s -o root -g bin -m 4555 ssh /usr/bin
    install: ssh: No such file or directory
    *** Error code 71
What I had to do to fix it was to run 'make', then 'make install'.
Has anyone else had problems with this before?
BTW, I'm running OpenBSD 3.0-stable.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
Doing
    cd /usr/src ; cvs update -rOPENBSD_2_9 ; make build
will do all that. The problem is that it takes a long time to do "make build" on slower systems. It takes about 30 hours on my Sparc-5, for example, and only a few minutes if I want to patch the system instead of rebuilding everything.
Another thing: you can patch the system on-line, while it's in production. Doing "make build" is not a good thing to do on a running server, though.
By BluNereid () on
My point, which has already been addressed on misc@, is that the instructions in the patch file were wrong!
Also, I didn't ask "what did I do wrong?" because I already know what I had to do; I was just curious if other people experienced the same problem.
By Anonymous Coward () on
So the code gets tested (not by enough of us, and developers can't check every possible combination), then it gets sent to the CD makers, and (that takes time) then it is available for shipping. During the time between code going Gold (ha! Microsoft terminology!) and shipping, what should everyone do? Remember this process is evolutionary, like grass growing. They keep checking and working, and when they fix things it gets put in the tree when it is unfrozen.
The other BSDs do things their way, and there is very little in common in the way releases happen.
Patches come out for things that need to be addressed instead of waiting for the next release. So cool down, and ask yourself, how can I help the process by testing snapshots and reporting bugs, instead of saying the code isn't stable.
I'm just a user, buy CDs, and have had a few things fixed that I noticed were broken along the way, by posting a message to bugs@ or misc@. Recently it seems you need an asbestos monitor to read some of the mailing lists, though....
By Dave () dave@fatblokeforpopidol.co.uk on www.ratemypoo.com