[LUAU] so much for OpenBSD

808blogger 808blogger at gmail.com
Mon Aug 6 11:09:38 PDT 2007


well.... Keep in mind no other OS has even a close record to what the
openbsd team has done. And don't forget that the ssh you use every day is
written by the openbsd team, that's right. Theo and co. have done a HUGE job
improving security in the unix world at large.

and on the topic of this particular exploit, you would actually have to be
on the same physical LAN segment to use this exploit. this is not an "over
the internet" hack that can occur.

to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html

"However, in order to exploit a vulnerable system an attacker needs to be
able to inject fragmented IPv6 packets on the target system's local network.
This requires direct physical/logical access to the target's local network
-in which case the attacking system does not need to have a working IPv6
stack- or the ability to route or tunnel IPv6 packets to the target from a
remote network."


99% of users will not even have a problem with this and
you don't even have to patch the system if you don't want to; simply put
'block in quick inet6' in your pf.conf

don't dump on the openbsd guys..... their product rocks.

Sean

On 8/5/07, Jim Thompson <jim at netgate.com> wrote:
>
> and their over-hyped "security" focus.  They can't even behave
> responsibly when a remote execution bug shows up.
>
> http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1703
>
> (Anyone else remember Clinton's "deny deny deny"?)
>
> They've now been forced to change their tagline to, "Only two remote
> holes in the default install, in more than 10 years!"
>
> (The previous hole was an OpenSSH exploit found by Mark Dowd in June
> 2002.)
>
> Gee, it could be, "OpenBSD: exploitable every five years, thus far!"
>
> they even won an award for their bad behavior:
> http://pwnie-awards.org/winners.html:
>
> ---
> Pwnie for Lamest Vendor Response
>
> Awarded to the vendor who mishandled a security vulnerability most
> spectacularly.
>
> OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
> OpenBSD team
> The OpenBSD team refused to acknowledge the bug as a security
> vulnerability and issued a "reliability fix" for it.
> A week later Core Security had developed proof of concept code that
> demonstrated remote code execution.
> Read the full timeline and quotes in the Core advisory (above).
>
> _______________________________________________
> LUAU at lists.hosef.org mailing list
> http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
>
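The pf.conf mitigation Sean mentions, shown in context as an added example (a constructed fragment, not from the post or from the OpenBSD project): the `block in quick inet6` rule drops every inbound IPv6 packet, fragments included, before any later rule is consulted, with the loopback interface exempted so local IPv6 traffic on the host still works. The interface name em0 and the SSH pass rule are assumptions for illustration only.

```pf
# Constructed example pf.conf fragment (not from the post).
# Exempt loopback so local IPv6 (::1) traffic on the host is unaffected.
set skip on lo0

# "quick" ends rule evaluation on the first match, so every inbound IPv6
# packet, including fragmented ones, is dropped here no matter what the
# pass rules below say. This covers tunneled IPv6 as well as the local LAN.
block in quick inet6

# The remaining rules therefore only ever see IPv4 traffic.
block in all
pass out quick keep state
pass in on em0 proto tcp to port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm with `pfctl -sr` that the inet6 block rule is listed ahead of any pass rule. The trade-off is that this is a blanket block, not a fragment filter: any service the host was answering over IPv6 becomes unreachable, which is why it is a workaround rather than a substitute for the kernel fix.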
