OpenBSD-Entwickler wollten kritische Lücke kleinreden (OpenBSD developers wanted to play down a critical hole)

OpenBSD-Entwickler wollten kritische Lücke kleinreden

Karel Kulhavy

Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Lars Hansson
On Fri, 16 Mar 2007 10:08:02 +0100
Karel Kulhavy <[hidden email]> wrote:

> http://www.heise.de/security/news/meldung/86730

And for the majority of the world's population that doesn't speak German
this says exactly what?

--
Lars Hansson <[hidden email]>


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Stéphane Chausson-3
"Report states that OpenBSD developers played down critical vulnerability"
http://www.heise-security.co.uk/news/86757

Lars Hansson wrote:
> On Fri, 16 Mar 2007 10:08:02 +0100
> Karel Kulhavy <[hidden email]> wrote:
>
>> http://www.heise.de/security/news/meldung/86730
>
> And for the majority of the world's population that doesn't speak German
> this says exactly what?


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Frank Tegtmeyer-5
In reply to this post by Lars Hansson
Lars Hansson <[hidden email]> writes:

> And for the majority of the world's population that doesn't speak German
> this says exactly what?

The article claims that the OpenBSD developers tried to deny that the
ICMPv6 bug is a remotely exploitable security hole.

Regards, Frank


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Ralph Gessner
In reply to this post by Lars Hansson
Lars Hansson wrote:

> And for the majority of the world's population that doesn't speak German
> this says exactly what?


http://www.heise-security.co.uk/news/86757


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Didier Wiroth
In reply to this post by Lars Hansson
Lars Hansson wrote:
> On Fri, 16 Mar 2007 10:08:02 +0100
> Karel Kulhavy <[hidden email]> wrote:
>
>> http://www.heise.de/security/news/meldung/86730
>
> And for the majority of the world's population that doesn't speak German
> this says exactly what?
>
Hello,
It says, more or less, that the OpenBSD developers tried to lower the
severity/importance of the problem/bug.


Kind regards
Didier


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Shane J Pearson
In reply to this post by Lars Hansson
On 16/03/2007, at 8:56 PM, Lars Hansson wrote:

> On Fri, 16 Mar 2007 10:08:02 +0100
> Karel Kulhavy <[hidden email]> wrote:
>
>> http://www.heise.de/security/news/meldung/86730
>
> And for the majority of the world's population that doesn't speak  
> German
> this says exactly what?

There is an English version linked from the bottom of that page:

http://www.heise-security.co.uk/news/86757

Although this "news" item looks like the typical over-hyped hysterics  
I have come to expect from journalists.


Shane J Pearson
shanejp netspace net au


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Matthias Kilian
In reply to this post by Lars Hansson
On Fri, Mar 16, 2007 at 05:56:03PM +0800, Lars Hansson wrote:
> > http://www.heise.de/security/news/meldung/86730
>
> And for the majority of the world's population that doesn't speak German
> this says exactly what?

It looks like some kind of (deliberate?) misinterpretation of the
Core report. Heise also made available an English translation:

http://www.heise-security.co.uk/news/86757

Note that the author of the (German) article is [hidden email],
so you should send any complaints to him, not to the translator.
Note also that Heise tends to correct errors in their articles
without notice. For example, they first stated that it wasn't unclear
whether the bug has really been fixed. Later, some reader told them
that this was related to the suggested workaround (scrub vs. block),
and today that statement has been removed. Without any comment.


Ciao,
        Kili


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Lars Hansson
In reply to this post by Frank Tegtmeyer-5
On Fri, 16 Mar 2007 11:23:59 +0100
Frank Tegtmeyer <[hidden email]> wrote:
> The article claims that the OpenBSD developers tried to deny that the
> ICMPv6 bug is a remotely exploitable security hole.

Aha. Slow newsday in Germany, eh?


--
Lars Hansson <[hidden email]>


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Christian Fuchs
In reply to this post by Lars Hansson
Greetings!

As I happen to speak German, here's a small summary:

The article, which is from the 14th of March, quotes an article from
the 13th where heise.de reported on the fix that has been quite an
issue here on the mailing list.
The article then goes on to state that in an article by Core Security
it is revealed how this bug can bring a system remotely to a halt and
even compromise it. Heise.de describes this as "and so Core Security
reveals how security leaks are being trivialized by the OpenBSD group".
The article then elaborates how the fix you put up was indeed put up
very shortly after being alerted about the bug, but that it was only
categorized as a "maintenance fix" and that "the OpenBSD group states
that bugs that enable malicious users to halt a system from remote are
not security issues; only when a system can be compromised is it a
security issue for the OpenBSD group". They (heise.de) then draw a
parallel to the FreeBSD developers who, from heise's point of view,
also have too tight a definition of security when not releasing a
patch for some DoS vulnerability. The article then tells that after
some discussion with Core Security, the OpenBSD team deemed the fix a
security fix, but only if the Core Security group would state that it
only affects IPv6 and thus only very few people are actually at risk.


I personally think this discussion is all really for nothing. No one
in the OpenBSD group is, in my opinion, obliged to do anything, and
yet I have received more support, better support and faster support
than I could possibly expect from any "company". This of course
doesn't directly relate to the security discussion, but indirectly,
yes. If the patch is there, then why bother them instead of thanking
them for fixing it? :->

Greetings,

Christian Fuchs


On Mar 16, 2007, at 10:56 AM, Lars Hansson wrote:

> On Fri, 16 Mar 2007 10:08:02 +0100
> Karel Kulhavy <[hidden email]> wrote:
>
>> http://www.heise.de/security/news/meldung/86730
>
> And for the majority of the world's population that doesn't speak  
> German
> this says exactly what?
>
> --
> Lars Hansson <[hidden email]>
>

See you,

Christian Fuchs

e-mail: [hidden email]
UIN: 398213


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Christian Fuchs
In reply to this post by Ralph Gessner
Hi again!

Dammit, now I've translated it although there was an English version of
it online?

Better read the real version, not my sloppy transcript :)

Best regards,

Christian Fuchs


On Mar 16, 2007, at 11:27 AM, Ralph Gessner wrote:

> Lars Hansson wrote:
>
>> And for the majority of the world's population that doesn't speak  
>> German
>> this says exactly what?
>
>
> http://www.heise-security.co.uk/news/86757
>

See you,

Christian Fuchs

e-mail: [hidden email]
UIN: 398213


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Artur Grabowski
In reply to this post by Stéphane Chausson-3
Stéphane Chausson <[hidden email]> writes:

> "Report states that OpenBSD developers played down critical vulnerability"

Report states that you can either choose to spam about every single
crash in the system that gets fixed, which would lead to a couple of
"security advisory" spams every week if we were serious about it, or
just be hypocrites like every other vendor and keep silent about stuff
that we find internally and make "security" announcement spam every
time someone external reports a bug.

The current practice is to not get worked up over things unless it's
obviously exploitable or someone presents an exploit.

The security researchers have the luxury of spending a couple of weeks
on each bug. If we'd spend a few weeks just to find out if a bug is
exploitable or not you'd get a release every ten years. The bug was of
the size that if a real kernel hacker happens to spot it, he spends 5
minutes fixing it and mailing out a diff to a few people for
eyeballing and then moves on doing other productive things.

//art

> http://www.heise-security.co.uk/news/86757
>
> Lars Hansson wrote:
> > On Fri, 16 Mar 2007 10:08:02 +0100
> > Karel Kulhavy <[hidden email]> wrote:
> >
> >> http://www.heise.de/security/news/meldung/86730
> > And for the majority of the world's population that doesn't speak
> > German
> > this says exactly what?


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Theo de Raadt
In reply to this post by Matthias Kilian
> whether the bug has really been fixed. Later, some reader told them
> that this was related to the suggested workaround (scrub vs. block),
> and today that statement has been removed. Without any comment.

The problem with scrub is that Core thought it was a sufficient
workaround.  Itojun looked at the pf inet6 code, and seeing how poorly
pf scrub handles inet6, thought that was unlikely to actually work
against the problem: against their particular exploit packets, but
perhaps not against other cases.

We told Core that we did not feel scrub was enough.

And then some idiot in the press tries to swing that into an
accusation against us?

Yes, the guy has a slant.  But Core was massively unclear about this
in their advisory.


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Henning Brauer
In reply to this post by Lars Hansson
* Lars Hansson <[hidden email]> [2007-03-16 12:24]:
> On Fri, 16 Mar 2007 11:23:59 +0100
> Frank Tegtmeyer <[hidden email]> wrote:
> > The article claims that the OpenBSD developers tried to deny that the
> > ICMPv6 bug is a remotely exploitable security hole.
>
> Aha. Slow newsday in Germany, eh?

No, typical heise day.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam


Re: OpenBSD-Entwickler wollten kritische Lücke kleinreden

Karel Kulhavy
In reply to this post by Lars Hansson
On Fri, Mar 16, 2007 at 05:56:03PM +0800, Lars Hansson wrote:
> On Fri, 16 Mar 2007 10:08:02 +0100
> Karel Kulhavy <[hidden email]> wrote:
>
> > http://www.heise.de/security/news/meldung/86730
>
> And for the majority of the world's population that doesn't speak German
> this says exactly what?

OpenBSD developers tried to play down a critical security hole.

CL<

>
> --
> Lars Hansson <[hidden email]>