Remotely Crash OpenBSD 407
*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
Does this count? (Score:5, Interesting)
Patch for production systems? (Score:5, Interesting)
What's a sane admin to do?
Re:Does this count? (Score:5, Interesting)
about ipv6 (Score:5, Interesting)
I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? and if so isnt it trivial to avoid the same early mistakes in ipv6. Does this particular problem have a ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?
Does anyone have any insight?
Re:Patch for production systems? (Score:5, Interesting)
One of the reasons OpenBSD tends to be more secure is because it ships with *almost* everything off. However, there's a solid 10+ default user accounts, 3-4 default services (sshd, sendmail, inetd/portmap), and 75+ kernal/device options you should remove/recompile out upon installation (this is all assuming your only purpose is to create an x86-based router).
Yes, you'll need to muck about with
--Ryv
Dont worry... (Score:1, Interesting)
--jboss
Re:Just a crash? Crash == DoS, no? (Score:2, Interesting)
Now as for Microsoft, if MS patched something within... no, wait, it was patched before the bug came out... anyway, we'd cut them a bit more slack.
cogito = think, ergo = therefore, sum = am (Score:1, Interesting)
Cogito ergo sum:
Rene Descartes, Discourse on Methode, Part 4:Re:Maybe time to drop this "securitier than thou" (Score:2, Interesting)
Re:Patch for production systems? (Score:4, Interesting)
If I setup the system for mail - which I don't do for a simple firewall - I also use Postfix. Only other alternative is qmail and DJB's stuff is just too much of a PITA/non-standard.
--Ryv
Re:Dont make it sound like the end of the world (Score:1, Interesting)
As well, ssh is typically the first thing to run on IPv6, as it's a neat way to tunnel other protocols before they are ported... Oh, and if you have IPv6 support in ssh, it will default to IPv6 first (IPv6 addresses are returned before IPv4 addresses by the resolver).
Re:Oh well... (Score:4, Interesting)
MSFT Can't Win (Score:1, Interesting)
Think of the sheer number of test cases. You've got how many different versions of Windows still supported. Multiply that by all the apps MSFT sells (e.g.: Office) and all the apps that major corporations also run (e.g. Oracle). Multiply by a few hundred hardware platfroms.
I'm not particulary fond of MSFT myself, but complaining about the speed AND quality of their patches reflects poorly on you.