[LUAU] so much for OpenBSD
Jim Thompson
jim at netgate.com
Mon Aug 6 12:10:51 PDT 2007
On Aug 6, 2007, at 1:09 PM, 808blogger wrote:
> well.... Keep in mind no other OS has even a close record to what the
> openbsd team has done.
Please.
> And dont forget that the ssh you use everyday is
> written by the openbsd team, thats right. Theo and co. have done a
> HUGE job
> improving security the unix world at large.
So what? There were RSA-keyed, encrypted telnets in-existence before
ssh got written.
(Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later
of 'C2' fame.)
> and on the topic of this particular exploit, you would actaully
> have to be
> on the same physical LAN segment to use this exploit. this is a not
> an "over
> the internet" hack that can occur
>
> to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html
>
> "However, in order to exploit a vulnerable system an attacker needs
> to be
> able to inject fragmented IPv6 packets on the target system's local
> network.
> This requires direct physical/logical access to the target's local
> network
> -in which case the attacking system does not need to have a working
> IPv6
> stack- or the ability to route or tunnel IPv6 packets to the target
> from a
> remote network."
"logical"... if your router manages to create a tunnel for you,
you're hosed.
Its **SPIN**, get it?
> 99% of users will not even have a a problem with this and
> you dont even have to patch the system if you dont want to simply put
> 'block in quick inet6' in your pf.conf
Right, but the claim is "default installation", and they didn't want
to lose that.
(and let us not forget that the other bug was in (drumroll) ssh)
> dont dump on the openbsd guys..... their product rocks.
their process for security bugs appears to be quite badly borked.
and FreeBSD rocks much, much harder.
Jim
More information about the LUAU
mailing list