Linked by Thom Holwerda on Tue 1st Nov 2005 08:38 UTC, submitted by Spock
OpenBSD "We are pleased to announce the official release of OpenBSD 3.8. This is our 18th release on CD-ROM (and 19th via FTP). We remain proud of OpenBSD's record of eight years with only a single remote hole in the default install. As in our previous releases, 3.8 provides significant improvements, including new features, in nearly all areas of the system."
Thread beginning with comment 54448
RE[4]: ONE remote hole?
by Soulbender on Wed 2nd Nov 2005 03:32 UTC in reply to "RE[2]: ONE remote hole?"

"And that's what the talkd vulnerability is, a daemon that is enabled by default."

talkd is not enabled by default.

Reply Parent Score: 1

RE[5]: ONE remote hole?
by on Wed 2nd Nov 2005 14:40 in reply to "RE[4]: ONE remote hole?"

"talkd is not enabled by default."

That's where you would be wrong. In version 2.8 and earlier, it was enabled by default. It was only AFTER the vulnerability occurred that they disabled it by default, in the 2.8 install: http://www.openbsd.org/plus28.html

They even disabled fingerd by default in 2.8 as well. They were trying to cover their asses so they could keep making that bogus claim.

Reply Parent Score: 0

RE[6]: ONE remote hole?
by on Wed 2nd Nov 2005 17:42 in reply to "RE[5]: ONE remote hole?"

Please provide an exploit for talkd.

Reply Parent Score: 1

RE[7]: ONE remote hole?
by Soulbender on Thu 3rd Nov 2005 02:10 in reply to "RE[5]: ONE remote hole?"

"That's where you would be wrong. In version 2.8 and earlier, it was enabled by default"

is != was.
And unless you can provide a proof of concept talkd exploit or prove that it's actually remotely exploitable, the claim, for what it's worth, isn't invalid.

Reply Parent Score: 1