Linked by Thom Holwerda on Tue 1st Nov 2005 08:38 UTC, submitted by Spock
OpenBSD "We are pleased to announce the official release of OpenBSD 3.8. This is our 18th release on CD-ROM (and 19th via FTP). We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.8 provides significant improvements, including new features, in nearly all areas of the system."
Congratulations
by Anonymous on Tue 1st Nov 2005 09:36 UTC

and keep up the good work!!!

Reply Score: 1

Unofficial 3.8 install ISO-s
by Anonymous on Tue 1st Nov 2005 09:52 UTC

From www.openbsd.org:

"Some other open source operating systems are commonly distributed as CD-ROM ISO images. This is not how OpenBSD is distributed."

Some unofficial (and of course unsupported by OpenBSD team) install ISOs here:

http://www.hup.hu/modules.php?name=News&file=article&sid=9953

Reply Score: 2

make it your own
by Anonymous on Tue 1st Nov 2005 10:01 UTC

You can easily make your own ISOs:

http://www.pantz.org/os/openbsd/makingaopenbsdcd.shtml

Reply Score: 0

ONE remote hole?
by Anonymous on Tue 1st Nov 2005 10:04 UTC
RE: ONE remote hole?
by Anonymous on Tue 1st Nov 2005 10:08 UTC in reply to "ONE remote hole?"

can't you read???

Reply Score: 0

RE: ONE remote hole?
by Anonymous on Tue 1st Nov 2005 10:20 UTC in reply to "ONE remote hole?"

This has been discussed many times: by "remote hole" the OpenBSD peeps mean a method to really access the system. Thus remote vulnerabilities do not count unless there is a method to gain some rights on the system.

I'm very pleased to see a new release with again some amazing features, and I can't wait to try out and play with the new RAID tools. But first I need to buy myself a LSI/AMI card ;)

Reply Score: 1

RE[2]: ONE remote hole?
by Anonymous on Tue 1st Nov 2005 10:48 UTC in reply to "RE: ONE remote hole?"

And that's what the talkd vulnerability is, a daemon that is enabled by default. I remember reading a different description on their webpage years ago (or it may just be a different part of it) which said whether or not it was exploitable was 'inconclusive' since no one bothered to develop an exploit. In other words, they didn't count it because no one had proven it to be exploitable, not because it was proven otherwise. It sounds like a whitewash to me.

Reply Score: 0

RE[3]: ONE remote hole?
by Anonymous on Tue 1st Nov 2005 10:58 UTC in reply to "RE[2]: ONE remote hole?"
RE[4]: ONE remote hole?
by Ronald Vos on Tue 1st Nov 2005 11:41 UTC in reply to "RE[3]: ONE remote hole?"
Ronald Vos Member since:
2005-07-06

In other words, it might be a remote hole, they're just not sure. That's hilarious.

It says something about how feasible exploiting it is. I.e.: not. Remember these guys/gals are the people removing potential integer overflow vulnerabilities from their code.

Reply Score: 3

RE[5]: ONE remote hole?
by Anonymous on Tue 1st Nov 2005 13:25 UTC in reply to "RE[4]: ONE remote hole?"
RE[4]: ONE remote hole?
by Soulbender on Wed 2nd Nov 2005 03:32 UTC in reply to "RE[2]: ONE remote hole?"
Soulbender Member since:
2005-08-18

"And that's what the talkd vulnerability is, a daemon that is enabled by default."

talkd is not enabled by default.

Reply Score: 1

RE[5]: ONE remote hole?
by Anonymous on Wed 2nd Nov 2005 14:40 UTC in reply to "RE[4]: ONE remote hole?"

"talkd is not enabled by default."

That's where you would be wrong. In version 2.8 and earlier, it was enabled by default. It was only AFTER the vulnerability occurred that they disabled it by default, in the 2.8 install: http://www.openbsd.org/plus28.html

They even disabled fingerd by default in 2.8 as well. They were trying to cover their asses so they could keep making that bogus claim.

Reply Score: 0

RE[6]: ONE remote hole?
by Anonymous on Wed 2nd Nov 2005 17:42 UTC in reply to "RE[5]: ONE remote hole?"

Please provide an exploit for talkd.

Reply Score: 1

RE[7]: ONE remote hole?
by Soulbender on Thu 3rd Nov 2005 02:10 UTC in reply to "RE[5]: ONE remote hole?"
Soulbender Member since:
2005-08-18

"That's where you would be wrong. In version 2.8 and earlier, it was enabled by default"

is != was.
And unless you can provide a proof of concept talkd exploit or prove that it's actually remotely exploitable, the claim, for what it's worth, isn't invalid.

Reply Score: 1

RE[8]: ONE remote hole?
by Anonymous on Fri 4th Nov 2005 00:16 UTC in reply to "RE[7]: ONE remote hole?"

http://www.killsometime.com/video/video.asp?ID=327

http://video.google.com/videoplay?docid=-7153152098207965240

"Having a hole that could, some time in the past, have been exploited doesn't count as a remote hole."

Of course it does, otherwise you can discount every remote hole that has ever been fixed.

"You have to have a workable exploit on the current version (at the time)."

Why must the exploit have to be created at the time the vulnerability was first discovered? That makes no sense. A remote hole is a remote hole regardless of whether or not it's been exploited.

I'm sure that there still are lots of potential holes in the current distribution but the point is, they're so hard to find that nobody knows where they are or how to exploit them.

"if you find a hole in a daemon that has been disabled in the current version it doesn't count (or did they find that hole before 2.8 came out?)."

You don't understand, when the vulnerability was discovered in 2000, talkd was enabled by default. The OpenBSD team disabled talkd by default BECAUSE OF the discovery of the vulnerability.

"is != was. "

At the time when the vulnerability was discovered, talkd was enabled by default, so you can't discount it.

"And unless you can provide a proof of concept talkd exploit or prove that it's actually remotely exploitable the claim, for what it's worth, isnt invalid."

That makes no sense, why should the burden of proof be on me? No one has proven that it's NOT exploitable, so following your logic, I could conclude that it MUST be exploitable.

Reply Score: 0

Congratulations
by Anonymous on Tue 1st Nov 2005 10:09 UTC

I love OpenBSD.

Reply Score: 0

MMAP instead of BRK
by Anonymous on Tue 1st Nov 2005 10:15 UTC

"malloc(3) has been rewritten to use the mmap(2) system call, introducing unpredictable allocation addresses and guard pages, which helps in detecting heap based buffer overflows and prevents various types of attacks."

This is such a modest way to introduce a radical change in memory management. OpenBSD is the first OS to really use the MMU to protect against buffer overflows in the heap.

Reply Score: 3
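The release note quoted above describes guard pages placed by an mmap-backed malloc. As an added illustration of that mechanism (my own toy code, not OpenBSD's malloc(3) and not posted in this thread), the allocator below maps each allocation with mmap(2), protects one trailing page with PROT_NONE, and positions the buffer so the first byte past its end lands in the guard page; `overflow_is_caught` is a hypothetical helper that reports whether an overrun of a given size faults. It assumes a POSIX system with mmap/mprotect and SIGSEGV on guard-page access.

```c
/* Added example: mmap-backed allocation with a trailing PROT_NONE guard page,
 * so a write that runs past the buffer faults instead of silently corrupting
 * the neighbouring chunk. Toy code, not OpenBSD's malloc(3). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t round_up(size_t len, size_t page) { return (len + page - 1) / page * page; }

/* Map the data pages plus one guard page; return a pointer placed so that the
 * byte after buf[len-1] lies inside the guard page. */
static uint8_t *guarded_alloc(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), data = round_up(len, page);
    uint8_t *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {   /* the guard page */
        munmap(base, data + page);
        return NULL;
    }
    return base + data - len;
}

static void guarded_free(uint8_t *p, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), data = round_up(len, page);
    munmap(p - (data - len), data + page);
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Write n bytes into a len-byte guarded buffer (hypothetical helper). Returns 1
 * if the guard page caught the overrun, 0 if the write completed, -1 on error. */
int overflow_is_caught(size_t len, size_t n)
{
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    uint8_t *buf = guarded_alloc(len);
    if (buf == NULL) return -1;
    int caught = 0;
    if (sigsetjmp(fault_env, 1) == 0) memset(buf, 'A', n);  /* n > len trips the guard */
    else caught = 1;
    sigaction(SIGSEGV, &old, NULL);
    guarded_free(buf, len);
    return caught;
}
```

An in-bounds write completes normally; a one-byte overrun is caught immediately because the guard page directly follows the buffer, which is the detection property the release note refers to.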

Useful links
by BryanFeeney on Tue 1st Nov 2005 14:37 UTC
BryanFeeney
Member since:
2005-07-06

A presentation by Theo de Raadt on some of the security improvements implemented by OpenBSD
http://www.openbsd.org/papers/auug04/index.html

The OpenBSD 3.8 song - actually this is just a narrated story, but the other songs on the page are pretty good.
http://www.openbsd.org/lyrics.html#38
http://mirror.phy.olemiss.edu/mirror/openbsd/songs/

Edited 2005-11-01 14:53

Reply Score: 2

Great work.
by polarizer on Tue 1st Nov 2005 15:01 UTC
polarizer
Member since:
2005-10-13

Great work. Especially the sasyncd. Keep on OpenBSDing.

polarizer's 2 cents
http://www.codixx.de/polarizer.html

Reply Score: 1

OpenBSD CD
by Anonymous on Tue 1st Nov 2005 15:08 UTC

http://php.khk.tartu.ee/~alari/?p=2

It's not in English, but the commands pretty much explain what to do.

Reply Score: 0

is Open BSD just CLI
by anand78 on Tue 1st Nov 2005 16:07 UTC
anand78
Member since:
2005-07-07

Is there X or KDE/Gnome for OpenBSD? How about driver support?

Reply Score: 1

RE: is Open BSD just CLI
by BryanFeeney on Tue 1st Nov 2005 16:22 UTC in reply to "is Open BSD just CLI"
BryanFeeney Member since:
2005-07-06

Yes: X, KDE and Gnome are all supported. Hardware support is not as good as Linux and Windows (due to its minority status) and possibly worse than other BSDs due to the organisation's refusal to accept closed-source drivers.

That said, I'm not sure if KDE and Gnome are part of the core distribution. OpenBSD is really aimed more at secure servers and workstations rather than "normal" servers and workstations. For example, they still use Apache 1.3, even though it's slower than 2.x, because they know their heavily modified Apache 1.3 is secure, but can't say with any certainty what Apache 2.x is like.

Reply Score: 2

RE[2]: is Open BSD just CLI
by Anonymous on Tue 1st Nov 2005 16:38 UTC in reply to "RE: is Open BSD just CLI"

OpenBSD's aim is not geared towards anything in particular. It's developed with the developers in mind. Nothing else. Its developers want a stable, secure and totally free OS. That comes at a price. X w/patches is included and I think the window manager is TWM by default. KDE/GNOME/others are available as part of ports.

Reply Score: 1

RE[3]: is Open BSD just CLI
by Anonymous on Tue 1st Nov 2005 21:06 UTC in reply to "RE[2]: is Open BSD just CLI"

Last time I checked, the default window manager was fvwm.

Reply Score: 0

RE[2]: is Open BSD just CLI
by lazywally on Tue 1st Nov 2005 17:18 UTC in reply to "RE: is Open BSD just CLI"
lazywally Member since:
2005-07-06

Apache2 is not included due to license restrictions. Nothing to do with patches.

Reply Score: 2

OpenBSD
by Anonymous on Tue 1st Nov 2005 17:42 UTC

Can be made to do just about anything. Defaults to FVWM, but any WM will work. Thousands of "ports" like FreeBSD. Multi-arch OS. I run it on PPC, SPARC, and x86; in fact, OpenBSD has worked quite well on every system I've tried.

It can take only minutes to install. Easy network configuration. The list goes on. For those wondering what you can do with OpenBSD, in my case I have a PPC (G3) server, and several (P200, P150, SS20) clients (X-Terminals), even my laptop (Compaq 1210) runs OpenBSD. So for me, OpenBSD does everything I need.

I have excellent uptimes, some reaching close to one year, this OS has been *very* stable for me.

The other thing I like about it is, it doesn't have 8 DVDs worth of stuff to install, only a couple hundred megs, add more/less as you want.

OpenBSD Rocks! Thanks Theo and Gang!

Reply Score: 1

RE: OpenBSD
by Anonymous on Tue 1st Nov 2005 17:50 UTC

Great info. I will install 3.8 on an old Compaq I have collecting dust.

Reply Score: 0

0p3n85|} |200Lz!
by Anonymous on Tue 1st Nov 2005 17:59 UTC

7H3 5C|21p7 K177135 L0053!
;)

Reply Score: 0

OpenBSD
by TaterSalad on Tue 1st Nov 2005 18:43 UTC
TaterSalad
Member since:
2005-07-06

I'll be trying this when I get home. I got an old PC that wants to be formatted. I think putting OpenBSD on it will be good because then I'll have a cheap lil server to store files on, and it will give me a chance to get to know this OS a little better.

Reply Score: 2

nice one
by Anonymous on Tue 1st Nov 2005 23:12 UTC

Lol, mplayer was easily installed and I even had sound out of the box.

Reply Score: 1

defining a remote exploit
by kamper on Thu 3rd Nov 2005 00:21 UTC
kamper
Member since:
2005-08-20

Having a hole that could, some time in the past, have been exploited doesn't count as a remote hole. You have to have a workable exploit on the current version (at the time). I'm sure that there still are lots of potential holes in the current distribution but the point is, they're so hard to find that nobody knows where they are or how to exploit them.

I'm not knowledgeable on the history, but it seems to me that if you find a hole that you can't actually exploit then it doesn't count and if you find a hole in a daemon that has been disabled in the current version it doesn't count (or did they find that hole before 2.8 came out?).

Reply Score: 1