Hi Joe,

I see that some errata information has a CVE included (probably those
disclosed before OpenBSD fixed them).  Where this information is absent, I
am not confident that the errata details are relevant.  In the case of the
SSL problem, there was a patch released around the time of the original CVE
creation which modified ssl_engine_log.c (where the relevant fix was made)
but which fixed a different issue.

Many UNIX administrators do not have the technical skills required to
identify which bits of corrected code fix which problems.  Simplifying the
process of locating vulnerability information would, therefore, make OpenBSD
a more attractive option to a wider audience and help ardent OpenBSD
advocates sell the solution to managers and executives who may not fully
appreciate the advantages of OpenBSD.

I love the fact that OpenBSD does not compromise the fundamental security
and design principles upon which it was founded.  Adding clearer
documentation of OpenBSD's superior security can only enhance its
reputation.

Cheers,

Dan

On 10/19/06, Joe <[EMAIL PROTECTED]> wrote:
>
> Podo Carp wrote:
> > Thanks Steve,
> >
> > The scanner does indeed rely on banners (which can be completely
> > unreliable, especially on OpenBSD).  However, I would like them to not
> > knock over my servers trying to confirm the problem if I can easily
> > determine that the patches are irrelevant.  Of course this is a greater
> > problem for holes that are not fixed but I can't tell which is the case
> > without more information.
> >
> > A centralized repository of vulnerability information would make my job
> > maintaining OpenBSD systems much simpler and would provide yet another
> > avenue to extol the virtues of OpenBSD versus other operating systems
> > (as in this case where the patch was released a year before the
> > vulnerability was disclosed).
> >
> You can find all security vulnerabilities here:
>
> http://www.openbsd.org/errata.html
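
The cross-referencing chore both writers describe (a banner-based scanner
reports CVEs, and the administrator wants to know which of them an errata
entry already covers, and which security errata carry no CVE at all) can be
scripted.  The following is an added example, not code from this thread or
from the OpenBSD project.  The errata text it parses is constructed for the
example in the style of a plain-text errata listing; its entry numbers,
dates, descriptions and CVE identifiers are invented placeholders, and the
header layout it assumes (number, "SECURITY FIX" or "RELIABILITY FIX", date)
is an assumption for the example, not the format of the published page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of a plain-text errata listing.
# Entry numbers, dates, descriptions and CVE ids below are invented
# placeholders for this example; they do not refer to real advisories.
SAMPLE_ERRATA = """\
003: SECURITY FIX: March 25, 2006
An input validation error in the httpd log escaping code (CVE-2006-99001).
A source code patch exists which remedies this problem.

004: RELIABILITY FIX: April 2, 2006
Some systems would hang at boot with certain disk controllers.

005: SECURITY FIX: June 14, 2006
A buffer overflow in the example daemon. CVE-2006-99002, CVE-2006-99003.

006: SECURITY FIX: August 9, 2006
A remotely triggerable crash in the ssl engine logging code.
"""

# Assumed header shape for the example: "NNN: KIND: date".
HEADER_RE = re.compile(r"^(\d{3}):\s+(SECURITY FIX|RELIABILITY FIX):\s+(.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Erratum:
    number: str
    kind: str
    date: str
    body: str = ""
    cves: set = field(default_factory=set)


def parse_errata(text):
    """Split errata text into entries and collect the CVE ids each one cites."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Erratum(number=m.group(1), kind=m.group(2),
                              date=m.group(3).strip())
            entries.append(current)
        elif current is not None:
            current.body += line + "\n"
            current.cves.update(CVE_RE.findall(line))
    return entries


def triage_findings(scanner_cves, errata):
    """Map each CVE a scanner reported to the errata numbers that cite it.

    An empty list means no erratum mentions the CVE: either the hole does not
    apply to this system, or it is unfixed, or the erratum simply lacks a CVE
    reference.  That is exactly the ambiguity the thread complains about, so
    those are the findings that still need a human to read the patch.
    """
    by_cve = {}
    for e in errata:
        for c in e.cves:
            by_cve.setdefault(c, []).append(e.number)
    return {c: by_cve.get(c, []) for c in scanner_cves}


def security_errata_without_cve(errata):
    """Security fixes that cite no CVE and so cannot be matched automatically."""
    return [e.number for e in errata if e.kind == "SECURITY FIX" and not e.cves]


if __name__ == "__main__":
    entries = parse_errata(SAMPLE_ERRATA)
    # Constructed scanner output: one CVE the errata cover, one they do not.
    reported = ["CVE-2006-99002", "CVE-2006-99999"]
    for cve, nums in triage_findings(reported, entries).items():
        print(cve, "->", ", ".join(nums) if nums else "no errata reference")
    print("security errata without a CVE:", security_errata_without_cve(entries))
```

Pointing the parser at real errata text would need the header regex adjusted
to whatever layout that page actually uses; the matching logic itself does not
change.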
