“We are pleased to announce the official release of OpenBSD 3.8. This is our 18th release on CD-ROM (and 19th via FTP). We remain proud of OpenBSD’s record of eight years with only a single remote hole in the default install. As in our previous releases, 3.8 provides significant improvements, including new features, in nearly all areas of the system.”
OpenBSD 3.8 Released
About The Author
Follow me on Twitter @thomholwerda
2005-11-01 10:08 amAnonymous
can’t you read???
2005-11-01 10:20 amAnonymous
This is discussed many times, the OpenBSD peeps mean by “remote hole” a method to really access the system. Thus remote vulnerabilities do not count unless there is a method to gain some rights on the system.
I’m very pleased to see a new release with again some amazing features and can’t wait to try out to play with the new RAID tools. But first I need to buy myself a LSI/AMI card
2005-11-01 10:48 amAnonymous
And that’s what the talkd vulnerability is, a daemon that is enabled by default. I remember reading different description on their webpage years ago (or it may just be a different part of it) which said whether or not it was exploitable was ‘inconclusive’ since no one bothered to develop an exploit. In other words, they didn’t count it because no one had proven it to be exploitable, not because it was proven otherwise. It sounds like a whitewash to me.
2005-11-01 10:58 amAnonymous
My bad, I missed it, the description next to the talk vulnerability on the current webpage STILL says: ” It is not clear yet what the impact is.”
(That was put there in 2000)
In other words, it might be a remote hole, they’re just not sure. That’s hilarious.
2005-11-01 11:41 amRonald Vos
In other words, it might be a remote hole, they’re just not sure. That’s hilarious.
It says something about how feasible exploiting it is. I.e.: not. Remember these guys/gals are the people removing potential integer overflow vulnerabilities from their code.
2005-11-01 1:25 pmAnonymous
Huh?! Where does it say that it’s not exploitable? It specifically says that they don’t know the impact. It also says it allows you to write arbitrary data to the heap. It’s a string formatting vulnerability, not an integer overflow. This vulnerability was patched on all the BSDs, not just on OpenBSD, so it’s not just OpenBSD personally being paranoid.
I love how people scored down my previous posts even though this guy provided absolutely no information to back up his claims and I provided links to the official website where they said “durrrh, we don’t know the impact.” If they meant to say it is not exploitable, they would have said that. Don’t blame me because the official website contradicts your claim.
2005-11-02 3:32 amSoulbender
“And that’s what the talkd vulnerability is, a daemon that is enabled by default.”
talkd is not enabled by default.
2005-11-02 2:40 pmAnonymous
“talkd is not enabled by default.”
That’s where you would be wrong. In version 2.8 and earlier, it was enabled by default. It was only AFTER the vulnerability occured that they disabled it by default, in the 2.8 install: http://www.openbsd.org/plus28.html
They even disabled fingerd by default in 2.8 as well. They were trying to cover their asses so they could keep making that bogus claim.
2005-11-02 5:42 pmAnonymous
Please provide an exploit for talkd.
2005-11-03 2:10 amSoulbender
“That’s where you would be wrong. In version 2.8 and earlier, it was enabled by default”
is != was.
And unless you can provide a proof of concept talkd exploit or prove that it’s actually remotely exploitable the claim, for what it’s worth, isnt invalid.
2005-11-04 12:16 amAnonymous
“Having a hole that could, some time in the past, have been exploited doesn’t count as a remote hole.”
Of course it does, otherwise you can discount ever remote hole that has ever been fixed.
“You have to have a workable exploit on the current version (at the time).”
Why must the exploit have to be created at the time the vulnerability was first discovered? That makes no sense. A remote hole is a remote hole regardless of whether or not it’s been exploited.
I’m sure that there still are lots of potential holes in the current distribution but the point is, they’re so hard to find that nobody knows where they are or how to exploit them.
“if you find a hole in a daemon that has been disabled in the current version it doesn’t count (or did they find that hole before 2.8 came out?).”
You don’t understand, when the vulnerability was discovered in 2000, talkd was enabled by default. The OpenBSD team disabled talkd by default BECAUSE OF the discovery of the vulnerability.
“is != was. ”
At the time when the vulnerability was discovered, talkd was enabled by default, so you can’t discount it.
“And unless you can provide a proof of concept talkd exploit or prove that it’s actually remotely exploitable the claim, for what it’s worth, isnt invalid.”
That makes no sense, why should the burden of proof be on me? No one has proven that it’s NOT exploitable, so following your logic, I could conclude that it MUST be exploitable.
I Love openBSD.
“malloc(3) has been rewritten to use the mmap(2) system call, introducing unpredictable allocation addresses and guard pages, which helps in detecting heap based buffer overflows and prevents various types of attacks.”
This is such a modest way to introduce a radical change in memory management. OpenBSD is the first OS to really use the MMU to protect from buffer overflows in the Heap.
A presentation by Theo de Raadt on some of the security improvements implemented by OpenBSD
The OpenBSD 3.8 song – actually this is just a narrated story, but the other songs on the page are pretty good.
Edited 2005-11-01 14:53
Great work. Especially the sasyncd. Keep on OpenBSDing.
It’s not in english, but the commands are pretty much explaining, what to do.
Is there X or KDE/Gnome for Open BSD. How about drivers support.
2005-11-01 4:22 pmBryanFeeney
Yes: X, KDE and Gnome are all supported. Hardware support is not as good as Linux and Windows (due to its minority status) and possibly worse than other BSDs due to the organisation’s refusal to accept closed-source drivers.
That said, I’m not sure if KDE and Gnome are part of the core distribution. OpenBSD is really aimed more at secure servers and workstations rather than “normal” servers and workstations. For example, they still use Apache 1.3, even though it’s slower than 2.x, because they know their heavily modified Apache 1.3 is secure, but can’t say with any certainty what Apache 2.x is like.
2005-11-01 4:38 pmAnonymous
OpenBSDs aim is not geared towards anything in particular. It’s developed with the developers in mind. Nothing else. It’s developers want a stable, secure and totally free OS. That comes at a price. X w/patches is included and I think the window manager is TWM by default. KDE/GNOME/others are available as part of ports.
2005-11-01 9:06 pmAnonymous
Last time I checked, the default window manager was fvwm.
2005-11-01 5:18 pmlazywally
Apache2 is not included due to license restrictions. nothing to do with patches.
Can be made to do just about anything. Defaults to FVWM, but any WM will work. Thousands of “ports” like FreeBSD. Multi-arc OS. I run it on PPC, SPARC, and x86, in fact, OpenBSD has worked quite will on every system I’ve tried.
It can take only minutes to install. Easy network configuration. The list goes on. For those wondering what you can do with OpenBSD, in my case I have a PPC (G3) server, and several (P200, P150, SS20) clients (X-Terminals), even my laptop (Compaq 1210) runs OpenBSD. So for me, OpenBSD does everything I need.
I have excellent uptimes, some reaching close to one year, this OS has been *very* stable for me.
The other thing I like about it is, it doesn’t have 8 DVDs worth of stuff to install, only a couple hundred megs, add more/less as you want.
OpenBSD Rocks! Thanks Theo and Gang!
Great info. I will install 3.8 on an old Compaq I have collecting dust.
7H3 5C|21p7 K177135 L0053!
I’ll be trying this when I get home. I got an old PC that wants to be formatted. I think putting OpenBSD on it will be good because then I’ll have a cheap lil server to store files on, and it will give me a chance to get to know this OS a little better.
Lol,mplayer was easily installed and i even had sound out of the box.
Having a hole that could, some time in the past, have been exploited doesn’t count as a remote hole. You have to have a workable exploit on the current version (at the time). I’m sure that there still are lots of potential holes in the current distribution but the point is, they’re so hard to find that nobody knows where they are or how to exploit them.
I’m not knowledgeable on the history, but it seems to me that if you find a hole that you can’t actually exploit then it doesn’t count and if you find a hole in a daemon that has been disabled in the current version it doesn’t count (or did they find that hole before 2.8 came out?).
and keep up the good work !!!
“Some other open source operating systems are commonly distributed as CD-ROM ISO images. This is not how OpenBSD is distributed.”
Some unofficial (and of course unsupported by OpenBSD team) install ISOs here:
You can easily make your own isos:
Sorry, I think they meant to say there were at least http://www.openbsd.org/errata27.html#talkd“>two in the default install in the past 8 years. Not that it means anything anyway, because everyone knwos that OpenBSD disables all the widely used, helpfuls ervices just to make that claim.