FUD is not needed here
Posted Mar 14, 2007 19:32 UTC (Wed) by mheily
In reply to: A second remote hole for OpenBSD
Parent article: A second remote hole for OpenBSD
Why are you trying to spread FUD about the OpenBSD developers? Do you have any evidence to back up your "psychological analysis" of them?
OpenBSD takes security very seriously. The OpenBSD project released a patch within 48 hours of being notified of a remotely exploitable vulnerability. When the issue was first reported as a denial of service, they released a patch six days later. That's a pretty good response time, IMHO.
The reason this was initially treated as a denial-of-service problem is that the buffer overflow did not directly involve user-supplied data. It is non-trivial to exploit this kind of problem, and kudos should be given to Core for figuring out a way.
Any piece of complex software cannot be proven correct; it can only be proven to be *incorrect* in certain corner cases.