Contributed by dhartmei on from the Pufferix-and-Bobilix dept.
Quoting from the liner notes:
This release, instead of bemoaning vendors or organizations that try to make our task of writing free software more difficult, we instead celebrate the 10 years that we have been given (so far) to write free software, express our themes in art, and the 5 years that we have made music with a group of talented musicians. OpenBSD developers have been torturing each other for years now with Humppa-style music, so this release our users get a taste of this too.
and about OpenVOX:
This song details the process that Ty has to go through to make the art and music for each OpenBSD release. Ty and Theo really do go to a (very specific) bar and discuss what is going on in the project, and then try to find a theme that will work...
Congratulations! :)
By jean (80.238.130.187) on
By Anonymous Coward (137.240.136.81) on
beer??? :-)
Just ordered my CD and T-Shirt..
By Nate (65.94.96.99) on
> beer??? :-)
>
> Just ordered my CD and T-Shirt..
>
>
>
Sounds like some drinking was involved during the singing at least.
By mvanbaak (213.154.226.2) on
Humpaaaaaaaaaaaaaaaaaaaaaaaaaaa
By Anonymous Coward (192.16.134.66) on
Hehe I saw Eläkeläiset live this summer and it was soooooo great! Live Humppaa!!!11111one
By Anonymous Coward (69.70.207.240) on
"Have been given" and "so far"? What's this mean? - seriously though.
Someone has given or *authorized* OpenBSD to write free and open source software? Who can stop it, how and why?
By Anonymous Coward (134.58.253.131) on
A lack of funding can stop it...
That's why you should buy the cd (and some other nice stuff while you're at it) ;-)
Make a donation too, if you can!
By jh. (85.131.31.181) on
> A lack of funding can stop it...
> That's why you should buy the cd [..] Make a donation too, if you can!
Yeah! You sure gotta pay for the free software! Obviously.
First pay what they ask for the CD and then donate some more
- because it's free, and it's worth it.
(and then there's the debate of the definition of 'free',
no cost, TCO, why Windows is bad/good and Linux better/worse
and what Netcraft can confirm about BSDs.)
By tedu (71.139.173.104) on
>
> "Have been given" and "so far"? What's this mean? - seriously though.
>
> Someone has given or *authorized* OpenBSD to write free and open source software? Who can stop it, how and why?
welcome to the fun-filled world of the passive voice. :)
By Anonymous Coward (68.100.130.21) on
The passive voice is considered harmful.
By Anonymous Coward (68.227.41.220) on
>
> The passive voice is considered harmful.
>
only in america
By Anonymous Coward (74.114.186.166) on
By Asenchi (192.203.222.68) asenchi@asenchi.com on
Great work to all involved. Another fantastic release is upon us. Thank you devs.
By Anonymous Coward (yup) (71.234.149.35) on
By wim (88.82.33.37) wim@kd85.com on https://kd85.com/notforsale.html
> I don't understand all of this humppa stuff (and I'm not really sure I want to), but I do want to say Thank-You to the tireless developers of OpenBSD. Your efforts are appreciated.
Don't feel bad, there is nothing sensible to understand ;-)
By Miod Vallat (82.195.186.220) miod@ on
C'm'on, you know Humppa is a way of life.
By phessler (209.204.157.100) on
> > I don't understand all of this humppa stuff (and I'm not really sure I want to), but I do want to say Thank-You to the tireless developers of OpenBSD. Your efforts are appreciated.
>
> Don't feel bad, there is nothing sensible to understand ;-)
Humppa is a very serious thing!
By Anonymous Coward (67.86.52.0) on
Church of the Sub-Humppa anyone?
By bob (62.225.37.69) on
best bob
By Bob Beck (129.128.11.43) beck@openbsd.org on
>
> best bob
Heck. I want a blowfish spiky hat like that!
(Either that or I'll have to get my hair done expertly :)
-Bob
By dv (165.72.200.11) on
By Peter (85.207.45.87) on
By Anonymous Coward (68.100.130.21) on
By peter (85.207.45.87) on
>
>
See http://secunia.com/advisories/22173/ please. Yes, actually it's fixed, but in a new version of OpenSSH, and if there is no patch on the errata pages I would at least have expected an official advisory with a recommendation to upgrade to version 4.4.
It is very sad that this great OS has such "ignorant" developers; most OSes which use OpenSSH have already issued patches. But for OpenBSD nothing, no patch, no security warning. The situation is ironic because, as far as I know, OpenSSH is developed by the same team as OpenBSD, so I really don't understand this situation.
I don't accept the fact that the developers or community don't have time; if they don't have time they should not develop the "most secure OS ever".
Yes, OpenBSD is free, but it is also rude to be quiet about problems; it's the same for every piece of software. Such situations slowly destroy this OS.
I'm starting to think about migrating to FreeBSD although I bought every OpenBSD release, but I just can't afford to use a product without information on when and what to patch.
By Anonymous Coward (205.153.56.10) on
>
> It is very sad that this great OS has such "ignorant" developers, most of OS which use OpenSSH have already issued patches. But for OpenBSD nothing, no patch, no security warning. Situation is ironic because as I know OpenSSH is developed by same team as OpenBSD so I really don't understand this situation.
>
> I don't accept fact that developers or community don't have time, if they don't have time they should not develop "most secure OS ever"
>
> Yes OpenBSD is free, but it is also rude to be quiet about problems it's same for every software. Such situations slowly destroy this OS.
> I'm starting to think about migration on FreeBSD althought I bought every OpenBSD release but I just can't afford to use a product without information when and what to patch.
http://marc.theaimsgroup.com/?l=openbsd-cvs&m=115958929100438&w=2
3.9-stable has been updated to OpenSSH 4.4
By Anonymous Coward (213.46.128.238) on
>
>
See http://security.freebsd.org/advisories/FreeBSD-SA-06:22.openssh.asc
To quote the advisory: "The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact."
By peter (85.207.45.87) on
> >
> >
>
> See http://security.freebsd.org/advisories/FreeBSD-SA-06:22.openssh.asc
>
> To quote the advisory: "The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact."
Don't you think that it's not important who believes what? The fact is that there is a bug.
And the fact is that OpenBSD errata is empty.
By Asenchi (207.179.121.218) asenchi@asenchi.com on
> And the fact is that OpenBSD errata is empty.
Dude, read all the comments in this thread, then you will see that OpenSSH has been upgraded to 4.4 in 3.9.
By peter (85.207.45.87) on
> > And the fact is that OpenBSD errata is empty.
>
> Dude, read all the comments in this thread, then you will see that OpenSSH has been upgraded to 4.4 in 3.9.
Does it mean that 3.8 is not supported anymore? I don't think so. And we still have no notification on errata. Please read the goals of OpenBSD.
By Anonymous Coward (80.127.233.147) on
From the 4.4 release notes:
* Fix an unsafe signal handler reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
remote.
If you actually read this, it is clear that OpenBSD's native version is not vulnerable.
By peter (85.207.45.87) on
>
> From the 4.4 release notes:
>
> * Fix an unsafe signal handler reported by Mark Dowd. The signal
> handler was vulnerable to a race condition that could be exploited
> to perform a pre-authentication denial of service. On portable
> OpenSSH, this vulnerability could theoretically lead to
> pre-authentication remote code execution if GSSAPI authentication
> is enabled, but the likelihood of successful exploitation appears
> remote.
>
> If you actually read this, it is clear that OpenBSD's native version is not vulnerable.
>
But that's not what I'm talking about. I'm talking about the missing patch, the missing errata. It does not matter if it's exploitable in the default installation or not. If the product has a bug, an advisory must be issued. Look at the past: many problems in OpenBSD were fixed and they were not exploitable in the default either. And it's logical: if I don't know about a possible problem in my product in case I enable some of its functions, I have a problem. This must be known!
By norbertc (125.212.63.119) on
missing patch/fix? nada! none!
for me, some trivial and not so critical fixes do not deserve an errata entry. there's cvs! the commit message that says "this fixes blah blah" serves as a rational errata and disclosure entry for me. heck! i haven't even looked for patches in the errata page for years now. just check out the tree! what's fscking hard about it?
By peter (85.207.45.87) on
>
> From the 4.4 release notes:
>
> * Fix an unsafe signal handler reported by Mark Dowd. The signal
> handler was vulnerable to a race condition that could be exploited
> to perform a pre-authentication denial of service. On portable
> OpenSSH, this vulnerability could theoretically lead to
> pre-authentication remote code execution if GSSAPI authentication
> is enabled, but the likelihood of successful exploitation appears
> remote.
>
> If you actually read this, it is clear that OpenBSD's native version is not vulnerable.
>
and just for a bonus:
--one of the goals ---
Pay attention to security problems and fix them before anyone else does. (Try to be the #1 most secure operating system).
source: openbsd.org
By Asenchi (207.179.121.218) asenchi@asenchi.com on
3.8 will not be supported in 3 weeks. And since this vulnerability isn't exploitable in base, I suspect that they aren't concerned with correcting 3.8.
If you don't like how OpenBSD does things, and don't think it is a secure OS, find another one and use that. Or fix the issue yourself and send in a patch. Complaining about it here, in an offtopic thread, is not the way to get it fixed to your liking.
By Anonymous Coward (128.171.90.200) on
By peter (85.207.45.87) on
No I'm not. I know that everyone who has a different opinion on how things should work is sent to hell. I'm used to it.
I know that you must agree with me, I have only facts:
1. OpenBSD 3.8 is still supported - no matter how long in the future !!!
2. In OpenSSH there is a bug (the severity is not proven, but that does not mean that it is not dangerous)
3. Errata is empty, it's project page and there is nothing!!!!
You can disagree, but if you do, you will be refusing OpenBSD's goals!
By Anonymous Coward (128.171.90.200) on
This bug doesn't cause problems in the real world for OpenBSD systems. Excuse me if I don't get hysterical about it.
It is fixed in -current, which is what you use if you want every bug fix as it happens, there is even a mailing list to track cvs changes.
Now how is that contrary to OpenBSD's goals ?
By Lars Hansson (203.65.245.80) on
I "must" do no such thing.
> 1. OpenBSD 3.8 is still supported - no matter how long in the future !!!
Uh, are you on crack? Releases aren't supported forever.
> 2. In OpenSSH is a bug (severity is not proved but it does not mean that this is not dangerous)
And the bug has been fixed.
> 3. Errata is empty, it's project page and there is nothing!!!!
Ah I see. So what you are saying is that you are volunteering yourself and your time to do all the necessary work to create a new errata entry every time a bug is fixed. Right?
>
> You can disagree but if you do, you will refuse OpenBSD goals!
I'm pretty sure the developers understand the goals better than you do.
By norbertc (125.212.63.119) on
> and just for a bonus:
> --one of the goals ---
> Pay attention to security problems and fix them before anyone else does. (Try to be the #1 most secure operating system).
>
> source: openbsd.org
>
>
By nikns (80.90.29.23) nikns@secure.lv on
>
> * Fix an unsafe signal handler reported by Mark Dowd. The signal
> handler was vulnerable to a race condition that could be exploited
> to perform a pre-authentication denial of service. On portable
> OpenSSH, this vulnerability could theoretically lead to
> pre-authentication remote code execution if GSSAPI authentication
> is enabled, but the likelihood of successful exploitation appears
> remote.
>
> If you actually read this, it is clear that OpenBSD's native version is not vulnerable.
* Fix a pre-authentication denial of service found by Tavis Ormandy,
that would cause sshd(8) to spin until the login grace time
expired.
What about this?
http://marc.theaimsgroup.com/?l=openbsd-misc&m=115971962730347&w=2
Should I really need to find out about OpenSSH SECURITY VULNERABILITIES reading release changelog?
Thats against OpenBSD goals IMHO.
By peter (85.207.45.87) on
> >
> > * Fix an unsafe signal handler reported by Mark Dowd. The signal
> > handler was vulnerable to a race condition that could be exploited
> > to perform a pre-authentication denial of service. On portable
> > OpenSSH, this vulnerability could theoretically lead to
> > pre-authentication remote code execution if GSSAPI authentication
> > is enabled, but the likelihood of successful exploitation appears
> > remote.
> >
> > If you actually read this, it is clear that OpenBSD's native version is not vulnerable.
>
> * Fix a pre-authentication denial of service found by Tavis Ormandy,
> that would cause sshd(8) to spin until the login grace time
> expired.
>
> What about this?
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=115971962730347&w=2
> Should I really need to find out about OpenSSH SECURITY VULNERABILITIES reading release changelog?
> Thats against OpenBSD goals IMHO.
Definitely agree with you and I'm glad that I'm not alone who is not scared to complain about this problem.
By Anonymous Coward (212.127.142.203) on
> >
> > * Fix an unsafe signal handler reported by Mark Dowd. The signal
> > handler was vulnerable to a race condition that could be exploited
> > to perform a pre-authentication denial of service. On portable
> > OpenSSH, this vulnerability could theoretically lead to
> > pre-authentication remote code execution if GSSAPI authentication
> > is enabled, but the likelihood of successful exploitation appears
> > remote.
> >
> > If you actually read this, it is clear that OpenBSD's native version is not vulnerable.
>
> * Fix a pre-authentication denial of service found by Tavis Ormandy,
> that would cause sshd(8) to spin until the login grace time
> expired.
A DOS attack is not a security vulnerability.
>
> What about this?
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=115971962730347&w=2
> Should I really need to find out about OpenSSH SECURITY VULNERABILITIES reading release changelog?
> Thats against OpenBSD goals IMHO.
Read again. OpenBSD native version is NOT vulnerable, even with GSSAPI enabled. ONLY THE PORTABLE VERSION MIGHT BE VULNERABLE.
By nikns (80.90.29.23) nikns@secure.lv on
> * Fix a pre-authentication denial of service found by Tavis Ormandy,
> that would cause sshd(8) to spin until the login grace time
> expired.
By Anonymous Coward (212.127.142.203) on
One is a DoS, which can happen on OpenBSD, but a DoS is not a security vulnerability.
The second is a security vulnerability, but can happen only with the portable version. From the release notes, with emphasis by myself:
On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote.
By nikns (80.90.29.23) nikns@secure.lv on
>
> One is a DoS, which can happen on OpenBSD, but a DoS is not a security vulnerability.
It would not be funny if an MS security guy said that.
> The second is a security vulnerability, but can happen only with the portable version. From the release notes, with emphasis by myself:
Yeah, I'm a Linux guy, I use GSSAPI authentication, so my OpenSSH can be owned (remote root).
Where on www.OpenSSH.com can I find that out (except by reading the changelog)?
By djm@ (206.59.235.113) on
> so my OpenSSH can be owned (remote root).
Possibly
> Where on www.OpenSSH.com I can find out that (except
> reading changelog)?
See the link right in the centre of the page "OpenSSH 4.4/4.4p1"? Follow it and read the release notes. Or, you could subscribe to one of the announcement lists (openbsd or openssh) which is always more timely than polling a webpage.
By Anonymous Coward (213.118.21.55) on
show some exploit code first
By tedu (71.139.173.104) on
>
> show some exploit code first
it's not possible to be exploited until i see the exploit code? if i stop reading bugtraq the naughty people will leave me alone?
By tedu (71.139.173.104) on
> > The second is a security vulnerability, but can happen only with the portable version. From the release notes, with emphasis by myself:
>
> Yeah, I'm a Linux guy, I use GSSAPI authentication, so my OpenSSH can be owned (remote root).
> Where on www.OpenSSH.com can I find that out (except by reading the changelog)?
you should receive notification from your vendor.
By Anonymous Coward (85.207.45.87) on
>
> A DOS attack is not a security vulnerability.
>
You must be kidding
By peter (85.207.45.87) on
> >
> > A DOS attack is not a security vulnerability.
> >
>
> You must be kidding
Sorry, it was written by me. I probably pasted the wrong row :) Sorry again.
By Anonymous Coward (128.171.90.200) on
> You must be kidding
The key word there is vulnerability
It is a reliability issue
By djm@ (206.59.235.113) on
> > You must be kidding
>
> The key word there is vulnerability
>
> It is a reliability issue
It's a vulnerability, but obviously not in the same league as remote code execution.
If you want the fix, then upgrade to the -stable branch. Simple, eh?
If you just want to avoid it, then disable SSH protocol 1 in sshd_config.
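As an added illustration of the workaround djm gives above (this is not code from the thread, from OpenBSD or from the OpenSSH project), here is a small POSIX shell audit for that sshd_config knob: it reports whether an uncommented Protocol line still lists version 1, and prints a copy of the file with the directive forced to 2. The function names and the three sample configs are constructed for this example; none of them come from a real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "disable SSH protocol 1"
# workaround.  Not the thread's or the OpenSSH project's code; the
# function names and the sample configs below are constructed.
# The real fix is upgrading sshd; this only inspects the config knob.

# protocol1_enabled FILE
#   exit 0  an uncommented Protocol line lists version 1 (SSH-1 reachable)
#   exit 1  Protocol line(s) present, none of them include 1
#   exit 2  no uncommented Protocol line at all; the compiled-in default
#           of that sshd version applies (check its sshd_config(5))
protocol1_enabled() {
    _seen=1
    # Drop comments, match the keyword case-insensitively, keep the value.
    # Every uncommented Protocol line is inspected, so a stray "2,1"
    # further down the file is still reported.
    while read -r _val; do
        [ -z "$_val" ] && continue
        _seen=0
        case ",$_val," in
            *,1,*) return 0 ;;
        esac
    done <<EOF
$(sed -e 's/#.*//' "$1" | awk 'tolower($1) == "protocol" { print $2 }')
EOF
    [ "$_seen" -eq 0 ] && return 1
    return 2
}

# disable_protocol1 FILE
#   Print FILE with every uncommented Protocol line rewritten to
#   "Protocol 2".  Comments are left alone; if no Protocol line exists
#   one is appended, so the output never relies on the compiled-in default.
disable_protocol1() {
    awk '
        tolower($1) == "protocol" { print "Protocol 2"; fixed = 1; next }
        { print }
        END { if (!fixed) print "Protocol 2" }
    ' "$1"
}

# --- constructed sample configs (not taken from any real host) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
Port 22
#Protocol 2
Protocol 2,1
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/noproto.conf" <<'EOF'
Port 22
PermitRootLogin no
EOF

# Run as a script: one verdict per sample, then the hardened rewrite.
for f in weak hardened noproto; do
    rc=0
    protocol1_enabled "$SAMPLE_DIR/$f.conf" || rc=$?
    case $rc in
        0) echo "$f.conf: protocol 1 ENABLED" ;;
        1) echo "$f.conf: protocol 2 only" ;;
        *) echo "$f.conf: no Protocol line, version default applies" ;;
    esac
done
disable_protocol1 "$SAMPLE_DIR/weak.conf"
```

On a real host, run the rewritten file through `sshd -t -f FILE` before installing it, and treat the config change as what djm calls it: a way to avoid the issue, not the fix. Upgrading to -stable is the fix.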
By wob (12.109.229.8) wob@bonch.org on
OFFTOPIC. Why do you feel the need to go offtopic, and flame people on a 'fun' post. Are these developers not allowed to have fun? Why are you being such a dick?
By Anonymous Coward (64.231.234.94) on
-- a pleasantly surprised user :-)
By Jeroen (213.84.244.128) on
By Anonymous Cow (83.249.219.197) on
Quote from the short article:
"You see when sane people like something, they realize it's just a hobby. When insane, programming-type people like something, they jump into it like it was a swimming pool full of Mountain Dew and anime. The people at this site not only like OpenBSD, they also wrote songs about it."
Can't find a direct URL, but hit the main site and scroll down to the bottom; then you may catch it...
By andrew fresh (66.185.224.6) andrew@mad-techies.org on http://openbsd.somedomain.net
> Can't find a direct URL, but hit the main site and scroll down to the bottom; then you may catch it...
the most direct link I found is here: http://www.somethingawful.com/index.php?a=4154.
you have to scroll down to the bottom of the page where the "Awful Link of the Day" is.
By Luis (66.159.200.194) on