At 14:27 29/11/00 -0600, Jeff Bachtel wrote:
>Once again (I ranted enough about this on bugtraq, I thought):
>
>OpenBSD does NOT have an adduser vulnerable to the problem described,
>and its useradd utility SPECIFICALLY has command-line options to
>prevent the problem described.
Right, that's good news. Now the question that arises is whether one can say
that an OS is weak just because there are many incidents reported on
security sites.
>I'm just a little pissed that that vulnerability was added to the
>database for ANY vendor. None of the programs try to guarantee unique
>names, AFAIK (although OpenBSD, again, does! if called properly).
So you can understand that FreeBSD guys are also pissed that many
vulnerabilities are added when they are about ports.
>This vulnerability would very properly belong to any Web-based
>adduser scripts that call the OS' useradd programs IMPROPERLY. As no
>actual packages were named in the advisory, it most properly belongs
>as a "Secure programming" problem.
>
>OpenBSD's talkd was vulnerable to exploitation, so was its ftpd and
>fstat.
So you confirm that there were vulnerabilities reported not so long ago. This is
exactly what I meant :)
>The reason you see so many FreeBSD security advisories, is that they
>watch for problems with programs in their ports collection, and send
>updates about them. OpenBSD does not, although it does update its
>ports as quickly as FreeBSD for security problems.
>
>Sorry, mouss hit a button by bringing that up :)
The button was hit by the guy who talked about manpages and ease of use
among other things, and I simply couldn't let it go.
BTW. I consider OpenBSD as one of the most secure OSes.
cheers,
mouss