Vulnerabilities in FreeBSD

flynn_nrg writes: "O'Reilly has an interesting article about vulnerabilities in common programs found on most FreeBSD boxes. From the article: "Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in OpenSSH, Squid, Listar/Ecartis, slrnpull, and IRIX's syslogd; problems in Sudo, MHonArc, and Mosix; and a local root hole and denial-of-service attack vulnerability in FreeBSD.""

Re:A real treatment of why this is true.

[PD]

Hmmm. Let me consider that again. Yup. I am quite sure that it WAS a troll. Besides the overused of the bold tag, the author used the word Berzerkeley. Definitely a troll.

In any case, a few security bugs can't kill an OS. Windows would be dead a hundred times if that were true.

Linux has becoming more and more unstable

[Anonymous Coward]

I used to be a big Linux advocate, unfortunately it seems that Linux has been becoming more and more unstable. The hundreds of different distributions of Linux all have their pros and cons, but there is no centralised package or ports system. Want a package for Linux ? Ok, cool - DEB, RPM? RPM? That's the most popular. But don't try using a Mandrake RPM or a SuSE RPM on RedHat.
Linux has given up its usefulness for graphical installers and Windowesque gimmicks. The code bloat is unbelievable. Unless you roll out your own distribution or use a minimalist distribution like Slackware, the default installs for RedHat, Mandrake, etc are huge, Windows-like monstrosities.

So what?, I hear you say. Linux is stable and secure. Wrong again. The Lion worm proved that Linux is not as secure as one might believe. The fact that VMs get changed in the middle of a stable release branch (2.4.x) shows bad organization.

It took Linux years to overcome its awful filesystem problems, and now journalling filesystems are available. But speedwise, compared to the FreeBSD FFS, they are slow and cumbersome, and have yet to prove as reliable. FFS Softlinks are a few generations ahead of any journalling filesystem on the market.

FreeBSD is far better organized, the ports and packages collections are better synced and more reliable, the system is more stable and easier to understand. The firewall included with FreeBSD has been proven and has a far better track record than ipchains or iptables, the latter having security problems in its first week or release, the former having no stately inspection and being a complete mess due to its shell-script bound layout.

But Linux has more software than FreeBSD!, scream the Linux die-hards. What they fail to realize is that 99% of Linux software runs under FreeBSD. I haven't encountered a Linux program that didn't run under FreeBSD. Sure, I've heard reports by trolls that certain software doesn't work, but all the software I've tried works, in fact, even faster than the native Linux versions in most cases. To the VMWare troll: Yes, VMWare does work under FreeBSD.

FreeBSD vs Linux is a debate that won't ever be settled, but people who have used both generally prefer FreeBSD for mission-critical tasks. Those who claim that FreeBSD performs worse than Linux either haven't used FreeBSD or are trolls.

I won't say that FreeBSD is the best Unix variant on the market, but the best open source Unix variant? Yes. Solaris is still tops, but in terms of Free (Open Source) systems, FreeBSD is probably the best all-rounder. NetBSD, OpenBSD and Linux all have their respective places, but overall, FreeBSD will probably take over most of the open source server market, at least in organizations with serious management.

Re:Linux has becoming more and more unstable

[boltar]

FreeBSD may have a faster filesystem but it has MUCH slower graphics than linux even when running
Xfree 4. I have no idea why but on my dual boot machine the X server on 4.5 runs at about 50% the
speed of the same server on linux.

Re:Linux has becoming more and more unstable

[cyr]

He did say "dual boot", which kind of implies he was talking about the same box...

Re:Linux has becoming more and more unstable

[boltar]

Read what I wrote you clueless fuckwit. They're on the same machine! Dual boot, hello??? Moron.

Re:Linux has becoming more and more unstable

[Shanep]

The average user of FreeBSD does'nt really care about GUI speed.

My smb/afp/lpd/web proxy server runs FreeBSD. Suffice to say, it does not even have a video card, mouse or even keyboard for that matter.

However, does your video card require AGP extensions to opperate at full speed in XF86?

Re:Linux has becoming more and more unstable

[cyr]

In the Linux world it is up to the distribution makers to deliver a stable system that suits your needs. The development of the kernel and various software takes place a high speed and often in several directions at the same time. I believe that diversity and choice are good things, but you should rely on the cutting edge stuff for mission critical tasks.

FreeBSD vulnerabilities?

[rsidd]

The article covered two vulnerabilities specific to FreeBSD, a few in third party programs which apply to all platforms (the article itself makes no reference to FreeBSD), and some vulnerabilities (mosix, IRIX syslogd) which are specific to other platforms (Linux and IRIX respectively) and have nothing whatever to do with FreeBSD
So how does that make it an article on FreeBSD vulnerabilities?

Re:FreeBSD vulnerabilities?

[JoeWalsh]

I'm thinking the "BSD Is Dying" trolls bribed the /. editors to put this up.

Re:FreeBSD vulnerabilities?

[rakjr]

The title is 100% FUD. It might as well have been titled "All nixes full of security holes. MS to make $$$. It is not the kind of thing I expect out of O'Rielly. I am also surprised it was posted here on /. The article is out of date relative to the fixes. It would be one thing if after all this time, there were still no fixes. I think the article should be pulled from /. it is of no value. Anyone who manages a system should have fixes the mentioned problems long ago. It was just a catchy title with no thought or substance.

Linux has become more and more unstable

[Anonymous Coward]

I used to be a big Linux advocate, unfortunately it seems that Linux has been becoming more and more unstable. The hundreds of different distributions of Linux all have their pros and cons, but there is no centralised package or ports system. Want a package for Linux ? Ok, cool - DEB, RPM? RPM? That's the most popular. But don't try using a Mandrake RPM or a SuSE RPM on RedHat. Linux has given up its usefulness for graphical installers and Windowesque gimmicks. The code bloat is unbelievable. Unless you roll out your own distribution or use a minimalist distribution like Slackware, the default installs for RedHat, Mandrake, etc are huge, Windows-like monstrosities.

So what?, I hear you say. Linux is stable and secure. Wrong again. The Lion worm proved that Linux is not as secure as one might believe. The fact that VMs get changed in the middle of a stable release branch (2.4.x) shows bad organization.

It took Linux years to overcome its awful filesystem problems, and now journalling filesystems are available. But speedwise, compared to the FreeBSD FFS, they are slow and cumbersome, and have yet to prove as reliable. FFS Softlinks are a few generations ahead of any journalling filesystem on the market.

FreeBSD is far better organized, the ports and packages collections are better synced and more reliable, the system is more stable and easier to understand. The firewall included with FreeBSD has been proven and has a far better track record than ipchains or iptables, the latter having security problems in its first week or release, the former having no stately inspection and being a complete mess due to its shell-script bound layout.

But Linux has more software than FreeBSD!, scream the Linux die-hards. What they fail to realize is that 99% of Linux software runs under FreeBSD. I haven't encountered a Linux program that didn't run under FreeBSD. Sure, I've heard reports by trolls that certain software doesn't work, but all the software I've tried works, in fact, even faster than the native Linux versions in most cases. To the VMWare troll: Yes, VMWare does work under FreeBSD.

FreeBSD vs Linux is a debate that won't ever be settled, but people who have used both generally prefer FreeBSD for mission-critical tasks. Those who claim that FreeBSD performs worse than Linux either haven't used FreeBSD or are trolls.

I won't say that FreeBSD is the best Unix variant on the market, but the best open source Unix variant? Yes. Solaris is still tops, but in terms of Free (Open Source) systems, FreeBSD is probably the best all-rounder. NetBSD, OpenBSD and Linux all have their respective places, but overall, FreeBSD will probably take over most of the open source server market, at least in organizations with serious management.

please ...

[Anonymous Coward]

what timothy forgot to mention is that the freebsd group had already released patches before posting this article. i guess he could have actually gone out and checked, but alas, this is /. ... home of editors that don't give a shit

go on, mod me down

Lame Article

[smnolde]

Gee, just two FreeBSD vulnerabilities in that article.... I run several FreeBSD workstations and servers and neither of them would be affected because it's easy to workaround those problems and equally simple to track -STABLE.

Ever get into rpm hell on a redhat box? Debian might be a little better, but still, Debian is barely more than a kernel from being FreeBSD. FreeBSD is infinitely simpler to tailor to your needs and manage than any other *nix system I've tried.

This article doesn't discourage me a bit, since fixes for the mentioned vulnerabilities were available so soon after the announcements. I absolutely love FreeBSD for all me needs and encourage other to install and learn it.

Re:Lame Article

[Anonymous Coward]

Its kind of sad that so few people seem to
understand the open source community. The bugs
are old. They are not BSD specific(except 2).
Anybody running BSD probably knows his or her
stuff and checks security problems on a regular
basis.
Sounds like the writer needed some lunch money.
O'Reilly must be really hard up.
Unlike Microsoft the open source community embraces
its faults and posts every single bug and security
threat as soon as ANYONE finds a problem. The
reason a big deal is made about problems on microsoft
software is that the doors are closed and until
you pay your little fee, or the problem is a threat
to microsofts monopoly NOONE knows there
was a problem except the blackHATS.
Running OpenBSD here.

Re:Lame Article

[smnolde]

Perhaps I made myself unclear by leaving a word out. My original statement should have read to the effecct that "debian is little more than a kernel away from being FreeBSD...".

I was trying to complement the debian project since I've heard so many good things about it's automation and package management. At the same time, I believe it's the FreeBSD of the GNU/Linux world.

I still like FreeBSD and will desperately avoid having to administer a RedHat box again.

Re:Lame Article

[ealar dlanvuli]

haha wtf, how did this get modded up.

FreeBSD ports/package isn't even in competition with linux anything. It's about 500 years ahead of the game.

frends don't let friends mod trolls up.

I have seen the light www.gentoo.org

[Anonymous Coward]

www.gentoo.org

wow...

[tcc]

only 2?

Heck, I'm waiting for my Service pack 3 for win2k to apply the 14 pages of hotfix and security patch automatically to my newer systems without having to reload the windowsupdate/rebooting 3 times (explorer 5.5sp2, reboot, security roolup jan 2002, reboot and finally the critical, and that doesn't include post-sp2 hotfixes that aren't "critical").

No wonder I am considering FreeBSD for my email server, yeah it'll need maintenance and security, yes I hate the overhead and everything is so much simpler in windows, that I have to give it to microsoft, but GOD, I don't want to reboot a zillion time after applying patches every week, heck, I don't want to apply patches every week :).

Re:wow...

[Arandir]

Overhead? What overhead? Or where you referring to the overhead of running an email server under Windows.

Re:wow...

[DrSkwid]

overhead?

nah mate, I never even touch mine

uptime :
7:03AM up 36 days, 16:49, 5 users

*BSD is living

[Anonymous Coward]

It is official; Netcraft confirms: *BSD is living!

Another piece of great news hit the already prosperous *BSD community when IDC confirmed that *BSD market share has risen yet again, now up to more than of 18 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has gained more market share, this news serves to reinforce what we've known all along. *BSD is growing in complete unity, as fittingly exemplified by coming dead first [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amdest.com] [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a superb future. In fact there will be a wonderful future for *BSD because *BSD is living. Things are looking very good for *BSD. As many of us are already aware, *BSD continues to gain market share. Black ink flows like a river of cash. FreeBSD is the most successful of them all, having acquired 93% more core developers.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 70000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 2 to 1. Therefore there are about 70000/2 = 35000 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 15000 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (70000+35000+7000)*4 = 448000 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the success of Walnut Creek, excellent sales and so on, FreeBSD became a viable business and was taken over by BSDI who sell another popular OS. Now BSDI is also growing, its success acquired by yet another software house.

All major surveys show that *BSD has steadily increased in market share. *BSD is very strong and its long term survival prospects are very good. If *BSD is to keep growing it will be among those who appreciate solid, fast and well-engineered OSes. *BSD continues to succeed. Nothing short of a miracle could kill it at this point in time. For all practical purposes, *BSD is here for good.

Fact: *BSD is living

Re:*BSD is living

[redhatbox]

Dear God, this is the funniest thing I've ever read in my entire life, so help me Theo.

Although I post this from a Linux box, I had to take a moment to gaze fondly upon my OpenBSD server in the corner :).

I'm only torn on whether this should be "+5 Funny" or "+5 Insightful". Truly a prime example of geek wit at its finest, in any event...

Oh dear, my FreeBSD box is insecure...

[Thornae]

Better fix that:

#cvsup /etc/cvsupfile
#cd /usr/src
#make buildworld
#make installworld

There. I feel much safer now.

Almost forgot...

[Thornae]

Nearly missed one of the other vulns on the list.

#portupgrade sudo

Now I'm done.

(Not that I use sudo, but it's there for completeness)

Re:Almost forgot...

[ChocoboKnight]

Everybody should try "man jail". A chroot on steroids, go on, try it. You won't be disappointed.

Re:Oh dear, my FreeBSD box is insecure...

[OpperNerd]

should be

#cvsup /etc/cvsupfile
#cd /usr/src
#make buildworld
#make buildkernel && make installkernel
#mergemaster
#make installworld

IRIX patch released 18 months ago

[rasper99]

The patch to fix the IRIX problem was included in the standard IRIX maintenance patches that were released 18 months ago. I would hope if someone had a system on the internet they would patch it more often than every 18 months.