Contributed by jose on from the securification dept.
"you know where..." Looking at the patch it looks like a simple buffer overflow problem in the kadmind(8) tool. This is a remote exploit for sites using Kerberos on OpenBSD. The patch should be up at the FTP site for patches ASAP.
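As an added illustration (this is not the kadmind(8) source or the OpenBSD patch, whose details the story does not give), here is the generic shape such a "simple buffer overflow" takes in a network daemon: a length-prefixed field copied into a fixed-size buffer using the length taken from the wire, shown beside the bounds-checked version. The wire format, function names, buffer sizes and the constructed request are all hypothetical; the canary harness keeps the overrun inside one array so it is observable rather than undefined behaviour.

```c
/*
 * Added example: a hypothetical length-prefixed request parser, NOT the
 * kadmind(8) code or the OpenBSD fix. Shows the "trust the length field
 * from the wire" overflow beside the bounds-checked version, plus a canary
 * harness (name buffer and canary are one array, so the overrun is visible
 * without undefined behaviour).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF   64   /* fixed-size destination for the principal name */
#define CANARY_LEN 64   /* bytes following the name buffer in the harness */
#define CANARY     0xAA

/* Hypothetical wire format: 4-byte big-endian length, then `len` name bytes. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: `len` is checked against the packet (no over-read of
 * `msg`) but never against the size of `name`, so a packet whose length
 * field exceeds NAME_BUF writes past the end of the buffer. */
int parse_name_unchecked(const unsigned char *msg, size_t msglen, char *name)
{
    uint32_t len;

    if (msglen < 4)
        return -1;
    len = get_be32(msg);
    if (len > msglen - 4)
        return -1;
    memcpy(name, msg + 4, len);   /* overflow when len >= NAME_BUF */
    name[len] = '\0';
    return (int)len;
}

/* Fixed: the destination size is an explicit parameter and the copy size is
 * bounded by both the packet and the buffer, leaving room for the NUL.
 * Oversized input is rejected rather than silently truncated. */
int parse_name_checked(const unsigned char *msg, size_t msglen,
                       char *name, size_t namesz)
{
    uint32_t len;

    if (msglen < 4 || namesz == 0)
        return -1;
    len = get_be32(msg);
    if (len > msglen - 4 || len >= namesz)
        return -1;
    memcpy(name, msg + 4, len);
    name[len] = '\0';
    return (int)len;
}

/* Constructed request whose length field claims `claim` bytes of name
 * (filled with 'A'). Returns the request size, or 0 if it does not fit. */
static size_t build_request(unsigned char *out, size_t outsz, uint32_t claim)
{
    if (outsz < 4 + (size_t)claim)
        return 0;
    out[0] = (unsigned char)(claim >> 24);
    out[1] = (unsigned char)(claim >> 16);
    out[2] = (unsigned char)(claim >> 8);
    out[3] = (unsigned char)claim;
    memset(out + 4, 'A', claim);
    return 4 + (size_t)claim;
}

/* Parse a request claiming `claim` name bytes into a NAME_BUF-byte buffer
 * followed by a canary. Returns 1 if the canary was overwritten, 0 if it
 * survived, -1 if the request would not fit inside the harness at all. */
int canary_clobbered(int use_checked, uint32_t claim)
{
    unsigned char scratch[NAME_BUF + CANARY_LEN];    /* name + canary */
    unsigned char req[4 + NAME_BUF + CANARY_LEN];
    size_t reqlen, i;

    if ((size_t)claim + 1 > sizeof scratch)   /* len + NUL must stay in scratch */
        return -1;
    reqlen = build_request(req, sizeof req, claim);
    if (reqlen == 0)
        return -1;

    memset(scratch, 0, NAME_BUF);
    memset(scratch + NAME_BUF, CANARY, CANARY_LEN);

    if (use_checked)
        parse_name_checked(req, reqlen, (char *)scratch, NAME_BUF);
    else
        parse_name_unchecked(req, reqlen, (char *)scratch);

    for (i = NAME_BUF; i < sizeof scratch; i++)
        if (scratch[i] != CANARY)
            return 1;
    return 0;
}

/* Return value of the checked parser for a request claiming `claim` bytes. */
int checked_result(uint32_t claim)
{
    unsigned char req[4 + NAME_BUF + CANARY_LEN];
    char name[NAME_BUF];
    size_t reqlen = build_request(req, sizeof req, claim);

    return reqlen ? parse_name_checked(req, reqlen, name, sizeof name) : -1;
}

int main(void)
{
    printf("unchecked, 100-byte claim: canary clobbered = %d\n", canary_clobbered(0, 100));
    printf("checked,   100-byte claim: canary clobbered = %d, rc = %d\n",
           canary_clobbered(1, 100), checked_result(100));
    return 0;
}
```

The point to take from the pair is where the check lives: the unchecked parser does validate the length, but only against the packet it came from, which is exactly the validation an attacker controls. The destination size has to enter the comparison, and an oversized field should be an error, not a truncation.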
By Peter (pboosten@hotmail.com)
In the meantime we're sitting ducks :-)
By Noryungi (n o r y u n g i @ y a h o o . c o m)
I received email from the NetBSD Security Officer, pointing out that this affected NetBSD 1.6 as well... before I even heard of it for OpenBSD.
By Anonymous Coward
1) Is 3.2 affected by this remote hole?
2) Is it enabled by default?
3) How can one disable it using a config file?
By Mr. Paranoid (anonymous@anonymouscoward.com)
I understand I can get the diff elsewhere, but the FAQ documentation gives a method of patching, and performing that method leads to a broken link in the process.
Should the documentation also state that if the links are broken to use CVS? I'm wondering what is the fastest/safest method to patch?
I sure hope the person that makes the links doesn't do code audit testing, because they aren't good at testing their links.
By Skull
Based on other unhappy comments I suspect I am not. I'd like to be notified of things that ship in the base (like apache) which are vulnerable, as well as even things in ports which are vulnerable. I don't want to wade through Bugtraq, or be under-informed by the official list:
http://marc.theaimsgroup.com/?l=openbsd-security-announce&r=1&w=2
If the OpenBSD team is too busy to stay on top of a security announce list for the OpenBSD project, maybe some third party should do it?
Maybe I am in a small minority who considers security announcements as being extremely important (not just the making available of a fix in a timely fashion which OpenBSD has a good record for)?
Frankly it's a testament to the kick-ass nature of The OpenBSD Journal that its timeliness has notified me of more problems, quicker, than the official mailing list.
-Skull
By Anonymous Coward
Like "One remote hole in the default install, in nearly 6 years!" is true, NOT!
That is only some marketing bullshit.