Lars Hansson wrote:
> On Fri, 16 Mar 2007 10:08:02 +0100
> Karel Kulhavy <[hidden email]> wrote:
>> http://www.heise.de/security/news/meldung/86730
> And for the majority of the worlds population that doesn't speak German
> this says exactly what?
It says more or less:
That the OpenBSD Developers tried to lower the severity/importance of
Note that the author of the (German) article is [hidden email],
so you should send any complaints to him, not to the translator.
Note also that Heise tends to correct errors in their articles
without notice. For example, they first stated that it wasn't unclear
whether the bug has really been fixed. Later, some reader told them
that this was related to the suggested workaround (scrub vs. block),
and today that statement has been removed. Without any comment.
As I happen to speak German, here's a small summary:
The article, which is from the 14th of March, quotes an article from
the 13th where heise.de reported on the fix that has been quite an
issue here on the mailing list.
The article then goes on to state that in an article by Core Security it
is revealed how this bug can bring a system remotely to a halt and
even compromise it. Heise.de describes this as "and so Core Security
reveals how security leaks are being trivialized by the OpenBSD group".
The article then elaborates how the fix you put up was indeed put up
very shortly after being alerted about the bug, but that it was only
categorized as a "maintenance fix" and that "the OpenBSD group states
that bugs that enable malicious users to halt a system
from remote are not security issues; only when a system can be
compromised is it a security issue for the OpenBSD group". They
(heise.de) then draw a parallel to the FreeBSD developers who, from
heise's point of view, also have a too tight definition of security
when not releasing a patch for some DoS vulnerability. The article
then tells that after some discussion with Core Security, the OpenBSD
team deemed the fix a security fix, but only if the Core Security
group would state that it only affects IPv6 and thus only very few
people are actually at risk.
I personally think this discussion is all really for nothing. No one
in the OpenBSD group is, in my opinion, obliged to do anything, and
yet I have received more support, better support and faster support
than I possibly could expect from any "company". This of course
isn't directly related to the security discussion, but indirectly,
yes. If the patch is there, then why bother them instead of thanking
them for fixing it? :->
> "Report states that OpenBSD developers played down critical vulnerability"
Report states that you can either choose to spam about every single crash
in the system that gets fixed, which would lead to a couple of "security
advisory" spams every week if we were serious about it, or just be
hypocrites like every other vendor and keep silent about stuff that we
find internally and make "security" announcement spam every time someone
external reports a bug.
The current practice is to not get worked up over things unless it's
obviously exploitable or someone presents an exploit.
The security researchers have the luxury of spending a couple of weeks
on each bug. If we'd spend a few weeks just to find out if a bug is
exploitable or not you'd get a release every ten years. The bug was of
the size that if a real kernel hacker happens to spot it, he spends 5
minutes fixing it and mailing out a diff to a few people for
eyeballing and then moves on doing other productive things.
> whether the bug has really been fixed. Later, some reader told them
> that this was related to the suggested workaround (scrub vs. block),
> and today that statement has been removed. Without any comment.
The problem with scrub is that Core thought it was a sufficient
workaround. Itojun looked at the pf inet6 code, and seeing how poorly
pf scrub handles inet6, thought that was unlikely to actually work
against the problem. against their particular exploit packets, but
perhaps not against other cases.
We told Core that we did not feel scrub was enough.
And then some idiot in the press tries to swing that into an
accusation against us?
Yes, the guy has a slant. But Core was massively unclear about this
in their advisory.
* Lars Hansson <[hidden email]> [2007-03-16 12:24]:
> On Fri, 16 Mar 2007 11:23:59 +0100
> Frank Tegtmeyer <[hidden email]> wrote:
> > The article claims that the OpenBSD developers tried to deny that the
> > ICMPv6 bug is a remotely exploitable security hole.
> Aha. Slow newsday in Germany, eh?
no, typical heise day.
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam