A second remote hole for OpenBSD
Posted Mar 14, 2007 20:57 UTC (Wed) by drag
In reply to: A second remote hole for OpenBSD
Parent article: A second remote hole for OpenBSD
"""Does anyone track this stuff on the Linux side?"""
And when OpenBSD says 'default install' I take it to mean all the officially supported software. Not just the default configuration they happen to ship out. This is the software that they take most seriously with audits and such things. They tend to be very serious about this sort of thing.
And that's not just 'oh how it comes from the cdrom', but it's firewall stuff and there are a few more services than just sshd that OBSD provides by default, if I remember correctly.
This is opposed to any vulnerabilities in their 'ports' system, which contains the information necessary to install various non-core software packages. The ports system is not considered part of the 'default install'.
Out of ports there are varying degrees of seriousness and auditing. Apache is a good example of something they take seriously, as their Apache version is modified a bit; they haven't moved to the 2.0 code base yet. It's been extremely audited and their modifications are to increase security and such.
Their version of Apache has had a small number of holes in it, but it's nothing compared to what you have with the sort of Apache software that a typical Linux distribution ships.
The Linux distributions that come close are going to be things like Slackware and Debian Stable that only ship very well-used Apache versions based on the 1.3.x code base. (And of course Debian being Debian has Apache2 available.)
OpenBSD really is a very impressive piece of work. It's the one system I would feel comfortable throwing out on the internet with no firewall or anything else to monitor and just let it sit serving web pages with only occasional updates.
Of course its I/O performance is shit, its SMP support is primitive, and the user-friendliness is a throwback to the late 80s.
But you can't have everything, can you?
I mentioned Secunia in my last post. They are only one of dozens of places you can access vulnerability databases, but they have a nicer interface which makes it useful for showing links to.
Keep in mind that, like I mentioned before, it's easy to get into number matching games with Secunia, so keep a critical eye on the sorts of vulnerabilities.
Comparing remote holes is probably somewhat reliable though.
So you asked about remote holes on the Linux kernel.
There are 114 advisories on the Linux 2.6.x series kernel. Out of those about 19% are remote.
16% are unpatched.
2% will lead to system access, while 45% are DoS (usually crashes).
However, keep in mind that something that may be a 'DoS' now can be an exploit later.
Also some advisories have multiple vulnerabilities. So you can have an advisory that has 3-4 or more different bugs in it. They were just reported from a bunch.
But doing a quick overview of the situation shows that you have about 3 bugs that are reported to allow remote access with the Linux 2.6 kernel from 2003 to 2007.
Looks like the same vulnerabilities were present in the 2.4 kernel also.
Now if you want a more serious look I suggest checking out OSVDB.
It's 'open source' not in the sort of software it tracks, but in how it's completely open. Other places like Secunia or such allow a sort of overview access, but OSVDB has free access and a high level of quality.
It allows access to its database directly and you can obtain copies of it.
So this would allow you to do fancy things like tie it into a security analysis tool so that when you find services on your network you can look up any vulnerability information on them.
Or you can do a much more scientific data analysis of vulnerabilities for doing more accurate comparisons.
Also they have RSS feeds and I believe you can set it up to retrieve email notifications on various software packages.
Another important piece of information they provide is vendor information, like contact information (which can be surprisingly hard to find sometimes).