File: [local] / www / security.html (download) (as text)
Revision 1.18, Thu Feb 19 22:50:12 1998 UTC (26 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.17: +10 -8 lines
writing good english text is hard
|
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
<html>
<head>
<title>OpenBSD</title>
<link rev=made href=mailto:www@openbsd.org>
<meta name="resource-type" content="document">
<meta name="description" content="OpenBSD advisories">
<meta name="keywords" content="openbsd,main">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1997 by OpenBSD.">
</head>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#23238E">
<img alt="[OpenBSD]" SRC="/images/smalltitle.gif">
<p>
<h3><font color=#e00000><strong>OpenBSD Security Views</strong></font></h3>
OpenBSD believes in strong security. Our aspiration is to be NUMBER
ONE in the industry for security. Our open software development model
permits us to take a more uncompromising view towards increased
security than Sun, SGI, IBM, HP, or other vendors are able to. We can
make changes the vendors would not make. Also, since OpenBSD is
exported with cryptography software, we are able to take cryptographic
approaches towards fixing security problems.
<p>
Like most readers of the
<a href=http://www.geek-girl.com/bugtraq/index.html>
BUGTRAQ mailing list</a>,
we believe in full disclosure of security problems. We believe that
security information moves very fast in crackers circles. Our
experience shows that coding and release of proper security fixes
typically requires about an hour of work resulting in very fast fix
turnaround. Thus we think that full disclosure helps the people who
really care about security.
<p>
Our security auditing team typically has between six and twelve
members, and most of us continually search for and fix new security
holes. We have been auditing since the summer of 1997. The process we
followed to increase security was simply a comprehensive file-by-file
analysis of every critical software component. Flaws were found in
just about every area of the system. Entire new classes of security
problems were found while we were doing the audit, and in many cases
source code which had been audited earlier had to be re-audited with
these new flaws in mind.
<p>
Another facet of our security auditing process is it's proactiveness.
In almost all cases we have found that the determination of
exploitability is not an issue. During our auditing process we find
many bugs, and endeavor to simply fix them even though exploitability
is not proven. We have fixed many simple and obvious careless
programming errors in code and then only months later discovered that
the problems were in fact exploitable. This proactive auditing
process has really paid off. Statements like ``This problem was fixed
in OpenBSD about 6 months ago'' have become commonplace in security
forums like BUGTRAQ.
<p>
The auditing process is not over yet, and as you can see we continue
to find and fix new security flaws.
<p>
<h3><font color=#e00000><strong>OpenBSD 2.1 Security Advisories</strong></font></h3>
These are the OpenBSD 2.1 advisories. All these problems are solved
in OpenBSD 2.2. Some of these problems still exist in other
operating systems.
<ul>
<li><a href=rfork>Rfork() system call flaw (patch included)</a>
<li><a href=procfs>Procfs flaws (patch included)</a>
<li><a href=signals>Deviant Signals (patch included)</a>
</ul>
<p>
<h3><font color=#e00000><strong>OpenBSD 2.2 Security Advisories</strong></font></h3>
These are the OpenBSD 2.2 advisories. All these problems are
solved in OpenBSD current. Some of these problems still exist in other
operating systems.
<ul>
<li><a href=/errata.html#f00f>Intel P5 f00f lockup (patch included)</a>
<li><a href=/errata.html#sourceroute>
Sourcerouted Packet Acceptance (patch included)</a>
<li><a href=/errata.html#ruserok>Setuid coredump & Ruserok() flaw (patch included)</a>
<li><a href=/errata.html#mmap>Read-write mmap() flaw (patch included)</a>
</ul>
<p>
<h3><font color=#e00000><strong>Other Resources</strong></font></h3>
Other security advisories that have (in the past) affected OpenBSD can
be found at the <a href=http://www.secnet.com/nav1.html>Secure Networks archive</a>.
<p> If you find a new security problem, you can mail it to
<a href=mailto:deraadt@openbsd.org>deraadt@openbsd.org</a>.
<br>
If you wish to PGP encode it (but please only do so if privacy is very
urgent, since it is inconvenient) use this <a href=pgpkey>pgp key</a>.
<hr>
<font size="-1">
<em>This site Copyright © 1996, 1997 OpenBSD.</em><br>
$OpenBSD: security.html,v 1.18 1998/02/19 22:50:12 deraadt Exp $
</font>
</BODY>
</HTML>
![[BACK]](/icons/back.gif){kind=icon}
Return to security.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www