[nycbug-talk] security advisory

Charles Sprickman spork
Thu Jan 19 15:10:52 EST 2006


I'm logging into all my jail boxes and running "chflags -R noschg /", 
since securelevels are now officially useless.

Onion, shmonion!

C

On Thu, 19 Jan 2006, michael wrote:

> Does anyone here take exception to what Jason Miller has written?
> -- 
>
> Michael
>
> ------------------------------------------------
> How not to respond to a security advisory
> Jason Miller, 2006-01-18
>
> A recently announced weakness in the BSD securelevel system isn't going
> to be fixed in OpenBSD. While securelevel may have problems, the
> vendor's security response is unacceptable and doesn't fit with their
> stated goals. Recently, I stumbled across an interesting security
> advisory by RedTeam Pentesting that discussed a vulnerability in a few
> implementations of the BSD securelevel system. There were two different
> issues, each affecting different implementations. As usual, I carefully
> read through the advisories trying to understand what sort of impact
> the vulnerabilities had, how disclosure had been done, and that sort of
> thing. Once I got to the Fix section of the advisory, something caught
> my eye immediately.
>
> No fix will be released for OpenBSD. To quote Theo de Raadt:
>
> "Sorry, we are going to change nothing. Securelevels are useless."
>
> http://www.securityfocus.com/columnists/380



