Date: Wed, 5 Sep 2001 16:05:13 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Daniel Blankensteiner <dslb@linuxmail.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FreeBSD vs. OpenBSD
Message-ID: <20010905160513.A80087@xor.obsecurity.org>
In-Reply-To: <20010905065206.6009.qmail@linuxmail.org>; from dslb@linuxmail.org on Wed, Sep 05, 2001 at 02:52:06PM +0800
References: <20010905065206.6009.qmail@linuxmail.org>

On Wed, Sep 05, 2001 at 02:52:06PM +0800, Daniel Blankensteiner wrote:

> FreeBSD: "Please be aware that the telnet daemon shipping in FreeBSD prior to July 23, 2001 contains a remotely exploitable security problem."
> OpenBSD: "Four years without a remote hole in the default install!"

Well, how can I put this..OpenBSD had the telnetd vulnerability too, they just don't count it for some reason, even though telnetd was enabled by default up to 18 months ago.

That's the problem with making extravagant claims about your own greatness; sooner or later they start to dictate terms to you, and you change your actions to keep the claim true rather than lose face.

I asked for the banner notice on the FreeBSD website because I thought it was better to own up to the vulnerability and try and reach as many FreeBSD administrators as possible to minimize the damage to their systems when they get owned.

Kris

P.S. A little known fact which is true as far as I've been able to determine, is that prior to the telnetd root hole, FreeBSD had gone for over 4 1/2 years without a remote root hole in the default install, using the same definition as OpenBSD. Of course, both systems have had serious security holes in that time..just look at the history of advisory releases. The statistic is essentially meaningless.