Re: Vulnerability and Patch Information
Touché! I can contribute several hours a week to this effort with the caveat that I wasn't too successful in finding the original fix which spawned this thread.

Cheers,
Dan

On 10/19/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
>
> Podo Carp wrote:
> > I love the fact that OpenBSD does not compromise the fundamental security
> > and design principles upon which it was founded. Adding clearer
> > documentation of OpenBSD's superior security can only enhance its
> > reputation
>
> Are you volunteering to do the work?
>
> ---
> Lars Hansson
Re: Vulnerability and Patch Information
Hi Joe,

I see that some errata information has CVE included (probably those disclosed before OpenBSD fixed them). Where this information is absent, I am not confident that the errata details are relevant. In the case of the SSL problem, there was a patch released around the time of the original CVE creation which modified ssl_engine_log.c (where the relevant fix was made) but which fixed a different issue.

Many UNIX administrators do not have the technical skills required to identify which bits of corrected code fix which problems. Simplifying the process of locating vulnerability information would, therefore, make OpenBSD a more attractive option to a wider audience and help ardent OpenBSD advocates sell the solution to managers and executives who may not fully appreciate the advantages of OpenBSD.

I love the fact that OpenBSD does not compromise the fundamental security and design principles upon which it was founded. Adding clearer documentation of OpenBSD's superior security can only enhance its reputation.

Cheers,
Dan

On 10/19/06, Joe <[EMAIL PROTECTED]> wrote:
>
> Podo Carp wrote:
> > Thanks Steve,
> >
> > The scanner does indeed rely on banners (which can be completely unreliable
> > especially on OpenBSD). However, I would like them to not knock over my
> > servers trying to confirm the problem if I can easily determine that the
> > patches are irrelevant. Of course this is a greater problem for holes that
> > are not fixed but I can't tell which is the case without more information.
> >
> > A centralized repository of vulnerability information would make my job
> > maintaining OpenBSD systems much simpler and would provide yet another
> > avenue to extol the virtues of OpenBSD versus other operating systems (as
> > in this case where the patch was released a year before the vulnerability
> > was disclosed).
>
> You can find all security vulnerabilities here:
>
> http://www.openbsd.org/errata.html
Re: Vulnerability and Patch Information
Thanks Steve,

The scanner does indeed rely on banners (which can be completely unreliable especially on OpenBSD). However, I would like them to not knock over my servers trying to confirm the problem if I can easily determine that the patches are irrelevant. Of course this is a greater problem for holes that are not fixed but I can't tell which is the case without more information.

A centralized repository of vulnerability information would make my job maintaining OpenBSD systems much simpler and would provide yet another avenue to extol the virtues of OpenBSD versus other operating systems (as in this case where the patch was released a year before the vulnerability was disclosed).

I understand that correlating patches with as yet undisclosed or unidentified flaws is not possible. However, whenever a security vulnerability is announced, every administrator should be asking themselves if their systems are vulnerable (even if they have tremendous confidence that OpenBSD would normally handle such problems proactively). Answering that question (as you have kindly answered for me) would be a normal part of the review process and documenting the result would be very beneficial to the OpenBSD community.

Cheers,
Dan

On 10/18/06, Steve Shockley <[EMAIL PROTECTED]> wrote:
>
> Podo Carp wrote:
> > I recently underwent an audit of my OpenBSD 3.8 systems and the audit report
> > identified CVE-2004-0700 (mod-proxy/mod_ssl format string vulnerability) as
> > a potential risk.
>
> Perhaps your scanner relies on reported versions, rather than actual
> vulnerabilities?
>
> If I'm reading the vulnerability right, it was fixed here:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c.diff?r1=1.9&r2=1.10&f=h
>
> The vuln was disclosed 7/27/2004, but was fixed 6/1/2003.
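The triage the thread is asking for, as an added example that is not part of the thread or of any OpenBSD tooling: a small Python helper that checks banner-based scanner findings against a locally maintained CVE-to-fix mapping and flags which ones are already fixed, which are undocumented, and which predate the audited build. The mapping and findings are constructed sample data; only the CVE-2004-0700 fix and disclosure dates come from Steve's reply, the second CVE id is a placeholder, and the OpenBSD 3.8 release date is assumed as the system build date.

```python
"""Triage scanner findings against a local CVE -> fix mapping (added example)."""
from datetime import date

# Constructed mapping: CVE -> (date the fix landed, reference to the fix).
# Only the CVE-2004-0700 entry reflects dates quoted in the thread.
FIXES = {
    "CVE-2004-0700": (date(2003, 6, 1),
                      "src/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c r1.10"),
}

# Constructed scanner findings: (cve, disclosure date, detection method).
FINDINGS = [
    ("CVE-2004-0700", date(2004, 7, 27), "banner"),
    ("CVE-0000-0000", date(2006, 10, 1), "banner"),   # placeholder id, unmapped
]

# Assumed build date of the audited system (OpenBSD 3.8 release, not from thread).
SYSTEM_BUILT = date(2005, 11, 1)


def triage(findings, fixes, system_built):
    """Classify each finding as 'fixed', 'open' or 'unknown'.

    fixed   : a fix is recorded and is no newer than the audited build.
    open    : a fix is recorded but landed after the audited build.
    unknown : no fix recorded locally; this is the gap the thread describes
              and the finding must be reviewed by hand.
    """
    results = []
    for cve, disclosed, method in findings:
        entry = fixes.get(cve)
        if entry is None:
            status, note = "unknown", "no fix reference; manual review required"
        else:
            fixed_on, ref = entry
            status = "fixed" if fixed_on <= system_built else "open"
            lead = (disclosed - fixed_on).days
            note = ref
            if lead > 0:
                # Fix predates public disclosure, as in the CVE-2004-0700 case.
                note += f"; fix preceded disclosure by {lead} days"
        if method == "banner" and status == "fixed":
            # Version-banner detection cannot see a backported fix.
            note += "; banner-based detection, likely false positive"
        results.append((cve, status, note))
    return results


if __name__ == "__main__":
    for cve, status, note in triage(FINDINGS, FIXES, SYSTEM_BUILT):
        print(f"{cve}: {status} ({note})")
```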
Vulnerability and Patch Information
Greetings,

I recently underwent an audit of my OpenBSD 3.8 systems and the audit report identified CVE-2004-0700 (mod-proxy/mod_ssl format string vulnerability) as a potential risk. Given the age of the problem and the proactive patching stance of OpenBSD, I suspect this has been fixed for some time. However, I can't find any reliable information correlating CVE or other general vulnerability records with a specific OpenBSD patch or fix. I have searched the mailing list archives for both security announcements and code updates but have not found any conclusive documentation indicating this vulnerability is not relevant or was fixed.

Does OpenBSD provide any authoritative reference as to which vulnerabilities are corrected by which patches? What is the most effective way to find this information if no such reference exists?

I apologize if this question has been answered elsewhere. I have spent some time searching with no success.

Cheers,
Dan