version 1.287, 2004/05/26 19:56:42 |
version 1.288, 2004/05/30 19:49:08 |
|
|
<hr> |
<hr> |
|
|
<ul> |
<ul> |
<a name=goals></a> |
<a name="goals"></a> |
<li><h3><font color=#e00000>Goal</font></h3><p> |
<li><h3><font color=#e00000>Goal</font></h3><p> |
|
|
OpenBSD believes in strong security. Our aspiration is to be NUMBER |
OpenBSD believes in strong security. Our aspiration is to be NUMBER |
|
|
cryptography</a>, we are able to take cryptographic approaches towards |
cryptography</a>, we are able to take cryptographic approaches towards |
fixing security problems.<p> |
fixing security problems.<p> |
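Review bot: the quoting added to the anchor names (`<a name=goals>` becoming `<a name="goals">`) leaves `<font color=#e00000>` on the heading lines of the same hunk unquoted; under HTML 4 an unquoted attribute value may contain only letters, digits, hyphens, periods, underscores and colons, so `#e00000` needs quotes as well. Suggest `<font color="#e00000">` on every `<li><h3>` heading touched by this change, so the revision makes the file consistently valid rather than quoting only the anchors.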
|
|
<a name=disclosure></a> |
<a name="disclosure"></a> |
<li><h3><font color=#e00000>Full Disclosure</font></h3><p> |
<li><h3><font color=#e00000>Full Disclosure</font></h3><p> |
|
|
Like many readers of the |
Like many readers of the |
|
|
turnaround is possible. Thus we think that full disclosure helps the |
turnaround is possible. Thus we think that full disclosure helps the |
people who really care about security.<p> |
people who really care about security.<p> |
|
|
<a name=process></a> |
<a name="process"></a> |
<li><h3><font color=#e00000>Audit Process</font></h3><p> |
<li><h3><font color=#e00000>Audit Process</font></h3><p> |
|
|
Our security auditing team typically has between six and twelve |
Our security auditing team typically has between six and twelve |
|
|
managed such a success is the lpd advisory that Secure Networks put out. |
managed such a success is the lpd advisory that Secure Networks put out. |
<p> |
<p> |
|
|
<a name=newtech></a> |
<a name="newtech"></a> |
<li><h3><font color=#e00000>New Technologies</font></h3><p> |
<li><h3><font color=#e00000>New Technologies</font></h3><p> |
|
|
As we audit source code, we often invent new ways of solving problems. |
As we audit source code, we often invent new ways of solving problems. |
|
|
The auditing process is not over yet, and as you can see we continue |
The auditing process is not over yet, and as you can see we continue |
to find and fix new security flaws.<p> |
to find and fix new security flaws.<p> |
|
|
<a name=default></a> |
<a name="default"></a> |
<li><h3><font color=#e00000>"Secure by Default"</font></h3><p> |
<li><h3><font color=#e00000>"Secure by Default"</font></h3><p> |
|
|
To ensure that novice users of OpenBSD do not need to become security |
To ensure that novice users of OpenBSD do not need to become security |
|
|
by default, creating instantaneous security problems for their users |
by default, creating instantaneous security problems for their users |
within minutes after their first install.<p> |
within minutes after their first install.<p> |
|
|
<a name=crypto></a> |
<a name="crypto"></a> |
<li><h3><font color=#e00000>Cryptography</font></h3><p> |
<li><h3><font color=#e00000>Cryptography</font></h3><p> |
|
|
And of course, since the OpenBSD project is based in Canada, it is possible |
And of course, since the OpenBSD project is based in Canada, it is possible |
|
|
<li><h3><font color=#e00000>Advisories</font></h3><p> |
<li><h3><font color=#e00000>Advisories</font></h3><p> |
|
|
<li> |
<li> |
<a name=35></a> |
<a name="35"></a> |
|
|
<h3><font color=#e00000>OpenBSD 3.5 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 3.5 Security Advisories</font></h3> |
These are the OpenBSD 3.5 advisories -- all these problems are solved |
These are the OpenBSD 3.5 advisories -- all these problems are solved |
|
|
<ul> |
<ul> |
<li><a href=errata.html#xdm> May 26, 2004: |
<li><a href=errata.html#xdm> May 26, 2004: |
xdm(1) ignores the requestPort resource and creates a |
xdm(1) ignores the requestPort resource and creates a |
listening socket regardless of the setting in xdm-config. |
listening socket regardless of the setting in xdm-config</a>. |
</a>. |
|
<li><a href=errata.html#cvs2> May 20, 2004: |
<li><a href=errata.html#cvs2> May 20, 2004: |
A buffer overflow in the cvs(1) server has been found, |
A buffer overflow in the cvs(1) server has been found, |
which can be used by CVS clients to execute arbitrary code on |
which can be used by CVS clients to execute arbitrary code on |
the server.</a> |
the server</a>. |
<li><a href=errata.html#procfs> May 13, 2004: |
<li><a href=errata.html#procfs> May 13, 2004: |
Integer overflow problems were found in procfs, allowing |
Integer overflow problems were found in procfs, allowing |
reading of arbitrary kernel memory.</a> |
reading of arbitrary kernel memory</a>. |
<li><a href=errata.html#cvs> May 5, 2004: |
<li><a href=errata.html#cvs> May 5, 2004: |
Pathname validation problems have been found in cvs(1), |
Pathname validation problems have been found in cvs(1), |
allowing clients and servers access to files outside the |
allowing clients and servers access to files outside the |
repository or local CVS tree.</a> |
repository or local CVS tree</a>. |
</ul> |
</ul> |
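Review bot: the four advisory links in this list still carry unquoted `href=errata.html#xdm`, `href=errata.html#cvs2`, `href=errata.html#procfs` and `href=errata.html#cvs`; the `#` in those values is not permitted in an unquoted attribute value (HTML 4 allows only letters, digits, `-`, `.`, `_` and `:` there), so they need the same quoting the `name` attributes get in this revision, e.g. `<a href="errata.html#xdm">`. Moving the full stop outside the link (`xdm-config</a>.`, `the server</a>.`) is now consistent across all four entries and also removes the doubled stop that the old `xdm-config.` followed by `</a>.` produced.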
|
|
<p> |
<p> |
<li> |
<li> |
<a name=34></a> |
<a name="34"></a> |
|
|
<h3><font color=#e00000>OpenBSD 3.4 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 3.4 Security Advisories</font></h3> |
These are the OpenBSD 3.4 advisories -- all these problems are solved |
These are the OpenBSD 3.4 advisories -- all these problems are solved |
|
|
<br> |
<br> |
|
|
<li> |
<li> |
<a name=33></a> |
<a name="33"></a> |
|
|
<h3><font color=#e00000>OpenBSD 3.3 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 3.3 Security Advisories</font></h3> |
These are the OpenBSD 3.3 advisories -- all these problems are solved |
These are the OpenBSD 3.3 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=32></a> |
<a name="32"></a> |
|
|
<h3><font color=#e00000>OpenBSD 3.2 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 3.2 Security Advisories</font></h3> |
These are the OpenBSD 3.2 advisories -- all these problems are solved |
These are the OpenBSD 3.2 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=31></a> |
<a name="31"></a> |
|
|
<h3><font color=#e00000>OpenBSD 3.1 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 3.1 Security Advisories</font></h3> |
These are the OpenBSD 3.1 advisories -- all these problems are solved |
These are the OpenBSD 3.1 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=30></a> |
<a name="30"></a> |
|
|
<h3><font color=#e00000>OpenBSD 3.0 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 3.0 Security Advisories</font></h3> |
These are the OpenBSD 3.0 advisories -- all these problems are solved |
These are the OpenBSD 3.0 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=29></a> |
<a name="29"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.9 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.9 Security Advisories</font></h3> |
These are the OpenBSD 2.9 advisories -- all these problems are solved |
These are the OpenBSD 2.9 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=28></a> |
<a name="28"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.8 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.8 Security Advisories</font></h3> |
These are the OpenBSD 2.8 advisories -- all these problems are solved |
These are the OpenBSD 2.8 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=27></a> |
<a name="27"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.7 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.7 Security Advisories</font></h3> |
These are the OpenBSD 2.7 advisories -- all these problems are solved |
These are the OpenBSD 2.7 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=26></a> |
<a name="26"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.6 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.6 Security Advisories</font></h3> |
These are the OpenBSD 2.6 advisories -- all these problems are solved |
These are the OpenBSD 2.6 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=25></a> |
<a name="25"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.5 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.5 Security Advisories</font></h3> |
These are the OpenBSD 2.5 advisories -- all these problems are solved |
These are the OpenBSD 2.5 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=24></a> |
<a name="24"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.4 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.4 Security Advisories</font></h3> |
These are the OpenBSD 2.4 advisories -- all these problems are solved |
These are the OpenBSD 2.4 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=23></a> |
<a name="23"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.3 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.3 Security Advisories</font></h3> |
These are the OpenBSD 2.3 advisories -- all these problems are solved |
These are the OpenBSD 2.3 advisories -- all these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=22></a> |
<a name="22"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.2 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.2 Security Advisories</font></h3> |
These are the OpenBSD 2.2 advisories. All these problems are solved |
These are the OpenBSD 2.2 advisories. All these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=21></a> |
<a name="21"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.1 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.1 Security Advisories</font></h3> |
These are the OpenBSD 2.1 advisories. All these problems are solved |
These are the OpenBSD 2.1 advisories. All these problems are solved |
|
|
|
|
<p> |
<p> |
<li> |
<li> |
<a name=20></a> |
<a name="20"></a> |
|
|
<h3><font color=#e00000>OpenBSD 2.0 Security Advisories</font></h3> |
<h3><font color=#e00000>OpenBSD 2.0 Security Advisories</font></h3> |
These are the OpenBSD 2.0 advisories. All these problems are solved |
These are the OpenBSD 2.0 advisories. All these problems are solved |
|
|
</dl> |
</dl> |
<p> |
<p> |
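Review bot: `</dl>` here has no visible `<dl>` to match; every per-release section above it is a `<li>`, and the only list opened in the shown context is the outer `<ul>` at the top of the file, whose own `</ul>` appears further down. If no `<dl>` exists in the unshown part of the file, this tag should be removed or changed to the correct closer; worth running the revised file through an HTML validator, since this change is already about tag and attribute hygiene.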
|
|
<a name=watching></a> |
<a name="watching"></a> |
<li><h3><font color=#e00000>Watching our Changes</font></h3><p> |
<li><h3><font color=#e00000>Watching our Changes</font></h3><p> |
|
|
Since we take a proactive stance with security, we are continually |
Since we take a proactive stance with security, we are continually |
|
|
</ul> |
</ul> |
|
|
<p> |
<p> |
<a name=reporting></a> |
<a name="reporting"></a> |
<li><h3><font color=#e00000>Reporting problems</font></h3><p> |
<li><h3><font color=#e00000>Reporting problems</font></h3><p> |
|
|
<p> If you find a new security problem, you can mail it to |
<p> If you find a new security problem, you can mail it to |
|
|
urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>. |
urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>. |
|
|
<p> |
<p> |
<a name=papers></a> |
<a name="papers"></a> |
<li><h3><font color=#e00000>Further Reading</font></h3><p> |
<li><h3><font color=#e00000>Further Reading</font></h3><p> |
|
|
A number of papers have been written by OpenBSD team members, about security |
A number of papers have been written by OpenBSD team members, about security |