Linked by Eugenia Loli on Wed 1st Nov 2006 03:05 UTC, submitted by iangibson
OpenBSD "We are pleased to announce the official release of OpenBSD 4.0. This is our 20th release on CD-ROM (and 21st via FTP). We remain proud of OpenBSD's record of ten years with only a single remote hole in the default install. As in our previous releases, 4.0 provides significant improvements, including new features, in nearly all areas of the system." More here. Update: First review here.

> Or maybe their trick is the "default install" part.

The "trick" is the default install bit, and I think that it is a fair one. OpenBSD assumes that the user knows what they are doing, so the user will look up security advisories prior to installing software or enabling a service. They also assume that the user will keep track of new advisories that pop up due to that modification to the default install.

IMHO, that is much better than the practice with most operating systems where a bunch of software is installed and a bunch of services are enabled at default -- almost regardless of their history. That means that the sysadmin cannot really trust the base install and it means that they have a lot more work to do to tie down their system because they have to find out which software is installed and which services are enabled in order to track those security advisories more carefully (more work).

eMagius

Is that not a remote root exploit?

Not in the default install (GSSAPI is not normally enabled). There's also no evidence that this attack vector actually works. More detail:
