[nycbug-talk] security advisory

michael lists
Thu Jan 19 08:40:33 EST 2006


Does anyone here take exception to what Jason Miller has written?
-- 

Michael

------------------------------------------------
How not to respond to a security advisory
Jason Miller, 2006-01-18

A recently announced weakness in the BSD securelevel system isn't going
to be fixed in OpenBSD. While securelevel may have problems, the
vendor's security response is unacceptable and doesn't fit with their
stated goals. Recently, I stumbled across an interesting security
advisory by RedTeam Pentesting, which discussed a vulnerability in a few
implementations of the BSD securelevel system. There were two different
issues, each affecting different implementations. As usual, I carefully
read through the advisories trying to understand what sort of impact
the vulnerabilities had, how disclosure had been done, and that sort of
thing. Once I got to the Fix section of the advisory, something caught
my eye immediately.

No fix will be released for OpenBSD. To quote Theo de Raadt:

"Sorry, we are going to change nothing. Securelevels are useless."

http://www.securityfocus.com/columnists/380