Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Operating Systems BSD

New FreeBSD, NetBSD Security Advisories 71

Dan writes "FreeBSD has formally announced a security advisory entitled "OpenSSH buffer management error" for the now famous OpenSSH advisory (OpenSSH has released a new version 3.7.1 to address this issue). NetBSD has issued a similar advisory and fix for this issue. NetBSD has released two additional security advisories entitled "Kernel memory disclosure via ibcs2" and "Insufficient argument checking in sysctl(2)"."
This discussion has been archived. No new comments can be posted.

New FreeBSD, NetBSD Security Advisories

Comments Filter:
  • Patches vs. Fixes (Score:5, Interesting)

    by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Wednesday September 17, 2003 @08:27AM (#6984985) Journal
    If you ever take a look at the patched code for one of these security advisories, you mainly see some special case code stuck in there to patch up the problem. You never see a reconsideration of the problem. I wonder how long it takes to go from a release version through patch after patch until a piece of code is just old and crufty and in need of wholesale replacement.
    • Re:Patches vs. Fixes (Score:4, Informative)

      by Horny Smurf ( 590916 ) on Wednesday September 17, 2003 @10:45AM (#6986127) Journal
      in this case, the problem was a bug rather than a design issue, so a 3-line code change is appropriate. I do agree that there is a lot of "special case" "fixes" that try to hide fundamental problems.
    • by Anonymous Coward on Wednesday September 17, 2003 @11:41AM (#6986660)

      If you ever take a look at the patched code for one of these security advisories, you mainly see some special case code stuck in there to patch up the problem.

      If you ever take a look at the actual *problem*, you'll find that hey are usually just buffer overflows or other unchecked data, in which case 'some special case code' is the only appropriate course of action.

  • by Anonymous Coward on Wednesday September 17, 2003 @08:41AM (#6985085)
    The first comment on a BSD story wasn't a BSD troll, now that my freinds is news for nerds, stuff that matters.
  • OS X (Score:5, Interesting)

    by Zelet ( 515452 ) on Wednesday September 17, 2003 @08:43AM (#6985105) Journal
    Does this affect OS X's implementation of SSHD? So far Apple has not released a patch.
    • Re:OS X (Score:5, Informative)

      by dthable ( 163749 ) on Wednesday September 17, 2003 @10:49AM (#6986158) Journal
      I'm running 10.2.6 and I have OpenSSH 3.4p1. So yes, we are at risk.

      Check your system. In terminal type:
      sshd -v
    • The lazy answer is, does mac OS X use openssh? If so, then it most likely would (since as far as I can tell, this is an openssh-only problem).
      • It does use OpenSSH, but the desktop version has it disabled by default. If you really wanted to, you can grab the code, compile and install it yourself.
  • Just Remember (Score:2, Insightful)

    by rudy_wayne ( 414635 )
    Having to fix a security flaw in a closed source program is proof than closed source is bad. Fixing a security flaw in an open source program is proof that open source is good.

    • Also remember (Score:2, Insightful)

      It is significantly easier for hackers to find exploits in programs that come with the source. This vunerability could have been exploited for 6 months or more. Being closed source has nothing to do with being able to fix security flaws. It does however mean that only the company/person who has the code can fix it.

      There are security flaws in all software (maybe with the exception of Hello, World!), this has nothing to do with the availability of the source.
  • So what? (Score:2, Informative)

    by pbrammer ( 526214 )
    All of the other vendors released similar bulletins... Most of them questioned the validity of this hole, but to be safe, they issued these notes to their customers to update OpenSSH. I know RedHat and Mandrake did.

    Phil
    • Re:So what? (Score:3, Insightful)

      by MavEtJu ( 241979 )
      It wasn't so much an exploit but more a denial of service.

      If there is a way for third parties to disable a service running on my computer, yes I would like to be informed by it :-)
  • I downloaded the OpenSSH 3.6 port for FreeBSD last night. It included the buffer overflow fix (which confused me, since I was planning on doing the patching myself :)

    Of course, it installed sshd in /usr/local/sbin... sshd 2.9 (i think) was still located in /usr/sbin.

  • I was having problems the day before last, and I updated the SSH program to OpenSSH to fix some other problems, how might I find out if the version I installed had the fixer-upper in it? (and not by getting hacked :-p)
  • Hi there fellow slashdaughters, this got me upgraded:

    ./configure --prefix=/opt --sysconfdir=/etc/ssh
    make
    make install

    use ps -aux to find the ##### of the process of sshd.

    kill -HUP #####



    Anyone who reboots to accomplish this upgrade shouldn't be a sysadmin. Have fun!
    • by MavEtJu ( 241979 ) <<gro.ujtevam> <ta> <todhsals>> on Thursday September 18, 2003 @12:40AM (#6991931) Homepage
      congratulations, you just have let your old sshd reread its configuration instead of stopping it and starting the new one.
      • Not sure why your comment got moderated up so high, since it might confuse people. Something not mentioned in the parent post that might make things a little clearer is that you'll want to replace the prefix path:
        --prefix=/opt
        with whatever is appropriate for your setup. Do a which sshd to find out where your sshd has been installed. What I ended up using on my FreeBSD 4.8 box was actually --prefix=/usr

        Last but not least, if you've done much lock-down or modifications to your sshd_conf, you'd actually
        • Not sure why your comment got moderated up so high, since it might confuse people.

          I think he is refering to the kill -HUP #####

          Which will send the currently running ssh daemon the hangup signal, instructing it to re-read its configuration.

          I think it is you who will be doing the confusing.

          Anyone who reboots to accomplish this upgrade shouldn't be a sysadmin.

          What an absolutely absurd statement. I bet you've just recently figured that you can upgrade a daemon without rebooting, so anyone who upgrades
  • I can't stand it when Dan posts stories about FreeBSD with links to his bsdforums site. This is so useless. The link should go to the mailing list archive or a web site with the advisory, not to the discussion of it on your site.
    Dan, please don't do it! Please! It looks really bad.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...