OpenBSD Journal

patch016 for 3.1

Contributed by jose on from the securification dept.

(blank) was the first to write:
"you know where... "
Looking at the patch, it appears to be a simple buffer overflow in the kadmind(8) tool. This is a remotely exploitable hole for sites using Kerberos on OpenBSD. The patch should be up at the FTP patches site ASAP.

Comments
  1. By Peter (pboosten@hotmail.com) on

    It seems that somehow someone always forgets to actually make this patch available....

    In the meantime we're sitting ducks :-)

  2. By Noryungi (n o r y u n g i @ y a h o o . c o m) on

    I received email from the NetBSD Security Officer, pointing out that this affected NetBSD 1.6 as well... Before I even heard of it for OpenBSD.

  3. By Anonymous Coward () on

    Patch file is not on the FTP site, as others have already stated.

    1) Is 3.2 affected by this remote hole?
    2) is it enabled by default?
    3) how can one disable it using a config file?

  4. By Mr. Paranoid (anonymous@anonymouscoward.com) on

    How secure is an operating system that will publish a security vulnerability patch to a broken link?

    I understand I can get the diff elsewhere, but the fact is that the FAQ documentation gives a method of patching, and performing that method leads to a broken link in the process.

    Should the documentation also state that if the links are broken to use CVS? I'm wondering what is the fastest/safest method to patch?

    I sure hope the person that makes the links doesn't do code audit testing, 'cause they aren't good at testing their links.

  5. By Skull () on

    Am I the only one who is not impressed with the openbsd-security announce mailing list?

    Based on other unhappy comments I suspect I am not. I'd like to be notified of things that ship in the base (like apache) which are vulnerable, as well as even things in ports which are vulnerable. I don't want to wade through Bugtraq, or be under-informed by the official list:

    http://marc.theaimsgroup.com/?l=openbsd-security-announce&r=1&w=2

    If the OpenBSD team is too busy to stay on top of a security announce list for the OpenBSD project, maybe some third party should do it?

    Maybe I am in a small minority who considers security announcements as being extremely important (not just the making available of a fix in a timely fashion which OpenBSD has a good record for)?

    Frankly, it's a testament to the kick ass nature of The OpenBSD Journal that its timeliness has notified me of more problems, quicker, than the official mailing list.

    -Skull

  6. By Anonymous Coward () on

    OpenBSD and security...

    Like "One remote hole in the default install, in nearly 6 years!" is true, NOT!

    That is only some marketing bullshit.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.