OpenBSD Journal

patch016 for 3.1

Contributed by jose on from the securification dept.

(blank) was the first to write:
"you know where... "
Looking at the patch it looks like a simple buffer overflow problem in the kadmind(8) tool. This is a remote exploit for sites using Kerberos on OpenBSD. The patch should be up at the FTP site for patches ASAP.

(Comments are closed)


Comments
  1. By Peter () pboosten@hotmail.com on mailto:pboosten@hotmail.com

    It seems that somehow someone always forgets to actually make this patch available....

    In the meantime we're sitting ducks :-)

  2. By Noryungi () n o r y u n g i @ y a h o o . c o m on mailto:n o r y u n g i @ y a h o o . c o m


    I received email from the NetBSD Security Officer, pointing out that this affected NetBSD 1.6 as well... Before I even heard of it for OpenBSD.

  3. By Anonymous Coward () on

    Patch file not on FTP like others already stated.

    1) 3.2 is affected to this remote hole?
    2) is it enabled by default?
    3) how can one disable it using a config file?

  4. By Mr. Paranoid () anonymous@anonymouscoward.com on anonymouscoward.com

    How secure is an operating system that will publish a security vulnerability patch to a broken link?

    I understand I can get the diff elsewhere, but the fact that FAQ documentation gives a method of patching and then when performing that method leads to a broken link in the process.

    Should the documentation also state that if the links are broken to use CVS? I'm wondering what is the fastest/safest method to patch?

    I sure hope the person that makes the links doesn't do code audit testing, cause they aren't good at testing there links.

  5. By Skull () on

    Am I the only one who is not impressed with the openbsd-security announce mailing list?

    Based on other unhappy comments I suspect I am not. I'd like to be notified of things that ship in the base (like apache) which are vulnerable, as well as even things in ports, which are vulnerable. I don't want to wade through Bugtraq, or be under informed by the official list:

    http://marc.theaimsgroup.com/?l=openbsd-security-announce&r=1&w=2

    If the OpenBSD team is too busy to stay on top of a security announce list for the OpenBSD project, maybe some third party should do it?

    Maybe I am in a small minority who considers security announcements as being extremely important (not just the making available of a fix in a timely fashion which OpenBSD has a good record for)?

    Frankly it's a testament to the kick ass nature of The OpenBSD Journal that it's timeliness has notified me of more problems, quicker, than the official mailing list.

    -Skull

  6. By Anonymous Coward () on

    OpenBSD and security...

    Like "One remote hole in the default install, in nearly 6 years!" is true, NOT!

    That is only some marketings bullshit.

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]