Annotation of www/security.html, Revision 1.17
1.1 deraadt 1: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
2: <html>
3: <head>
4: <title>OpenBSD</title>
5: <link rev=made href=mailto:www@openbsd.org>
6: <meta name="resource-type" content="document">
7: <meta name="description" content="OpenBSD advisories">
8: <meta name="keywords" content="openbsd,main">
9: <meta name="distribution" content="global">
10: <meta name="copyright" content="This document copyright 1997 by OpenBSD.">
11: </head>
12:
13: <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#23238E">
14:
1.2 deraadt 15: <img alt="[OpenBSD]" SRC="/images/smalltitle.gif">
1.1 deraadt 16:
1.2 deraadt 17: <p>
1.12 deraadt 18: <h3><font color=#e00000><strong>OpenBSD Security Views</strong></font></h3>
1.14 deraadt 19: OpenBSD believes in strong security. Our aspiration is to be NUMBER
1.17 ! deraadt 20: ONE in the industry for security. Our open software development model
! 21: permits us to take a more uncompromising view towards increased
! 22: security than Sun, SGI, IBM, HP, or other vendors are able to. We can
! 23: make changes the vendors would not make. Also, since OpenBSD is
! 24: exported with cryptography software, we are able to take cryptographic
! 25: approaches towards fixing security problems.
1.12 deraadt 26:
27: <p>
1.13 deraadt 28: Like most members of the
29: <a href=http://www.geek-girl.com/bugtraq/index.html>
30: BUGTRAQ mailing list (which rarely sees OpenBSD security reports
31: these days :-)</a>,
32: we believe in full disclosure of security problems. We have found
33: that the coding of proper fixes to security problems typically only
34: requires about 4-5 minutes of coding. Thus we typically have fixes
35: available extremely quickly.
36:
37: <p>
1.15 deraadt 38:
1.12 deraadt 39: Our security auditing team typically has between six and twelve
1.15 deraadt 40: members, and most of us continually search for and fix new security
41: holes. We have been auditing since the summer of 1997. The process we
1.12 deraadt 42: followed to increase security was simply a comprehensive file-by-file
43: analysis of every critical software component. Flaws were found in
44: just about every area of the system. Entire new classes of security
45: problems were found while we were doing the audit, and in many cases
46: source code which had been audited earlier had to be re-audited with
47: these new flaws in mind.
48:
49: <p>
1.16 deraadt 50: Another facet of our security auditing process is it's proactiveness.
51: In almost all cases we have found that the determination of
52: exploitability is not an issue. During our auditing process we find
53: many bugs, and endeavor to simply fix them even though exploitability
54: is not proven. We have fixed many simple and obvious careless
55: programming errors in code and then only months later discovered that
56: the problems were in fact exploitable. This proactive auditing
57: process has really paid off. Statements like ``This problem was fixed
58: in OpenBSD about 6 months ago'' have become commonplace in security
59: forums like BUGTRAQ.
1.15 deraadt 60:
61: <p>
1.14 deraadt 62: The auditing process is not over yet, and as you can see we continue
63: to find and fix new security flaws.
1.12 deraadt 64:
65: <p>
66: <h3><font color=#e00000><strong>OpenBSD 2.1 Security Advisories</strong></font></h3>
1.11 deraadt 67: These are the OpenBSD 2.1 advisories. All these problems are solved
68: in OpenBSD 2.2. Some of these problems still exist in other
1.1 deraadt 69: operating systems.
70:
71: <ul>
1.11 deraadt 72: <li><a href=rfork>Rfork() system call flaw (patch included)</a>
73: <li><a href=procfs>Procfs flaws (patch included)</a>
74: <li><a href=signals>Deviant Signals (patch included)</a>
1.9 deraadt 75: </ul>
76:
77: <p>
1.12 deraadt 78: <h3><font color=#e00000><strong>OpenBSD 2.2 Security Advisories</strong></font></h3>
1.11 deraadt 79: These are the OpenBSD 2.2 advisories. All these problems are
1.9 deraadt 80: solved in OpenBSD current. Some of these problems still exist in other
1.14 deraadt 81: operating systems.
1.9 deraadt 82:
83: <ul>
1.11 deraadt 84: <li><a href=/errata.html#f00f>Intel P5 f00f lockup (patch included)</a>
85: <li><a href=/errata.html#sourceroute>
86: Sourcerouted Packet Acceptance (patch included)</a>
87: <li><a href=/errata.html#ruserok>Setuid coredump & Ruserok() flaw (patch included)</a>
88: <li><a href=/errata.html#mmap>Read-write mmap() flaw (patch included)</a>
1.1 deraadt 89: </ul>
90:
1.9 deraadt 91: <p>
1.12 deraadt 92: <h3><font color=#e00000><strong>Other Resources</strong></font></h3>
1.3 deraadt 93: Other security advisories that have (in the past) affected OpenBSD can
1.4 deraadt 94: be found at the <a href=http://www.secnet.com/nav1.html>Secure Networks archive</a>.
1.3 deraadt 95:
1.5 deraadt 96: <p> If you find a new security problem, you can mail it to
1.6 deraadt 97: <a href=mailto:deraadt@openbsd.org>deraadt@openbsd.org</a>.
1.7 deraadt 98: <br>
1.5 deraadt 99: If you wish to PGP encode it (but please only do so if privacy is very
100: urgent, since it is inconvenient) use this <a href=pgpkey>pgp key</a>.
101:
1.2 deraadt 102: <hr>
1.1 deraadt 103: <font size="-1">
1.2 deraadt 104: <em>This site Copyright © 1996, 1997 OpenBSD.</em><br>
1.17 ! deraadt 105: $OpenBSD: index.html,v 1.16 1998/02/19 22:41:42 deraadt Exp $
1.1 deraadt 106: </font>
107:
108: </BODY>
109: </HTML>