A second remote hole for OpenBSD
Posted Mar 14, 2007 21:23 UTC (Wed) by ajross
In reply to: A second remote hole for OpenBSD
Parent article: A second remote hole for OpenBSD
Obviously this is turning into a Linux vs. BSD flame war,
which has little to nothing to do with my original point of "Is
OpenBSD's marketing slogan helping or huirting?". So this will
be my last post. But it strikes me that this is a rather
good meta-example of why silly marketing is a Bad Thing. Rather
than argue about actual security flaws, or potential problems
with the OpenBSD development process, we get sidetracked by
OpenBSD fans into a "Linux is so much worse!" flame.
when OpenBSD say 'default install' I take it to
mean all the officially supported software. Not just the default
configuration they happen to ship out.
I think you've been hoodwinked. Granted, I can't find clear
definitions of "remote hole" or "default install" on their
website (another reason this kind of marketing gimmick is dumb).
But I strongly suspect that "default install" means the software
you get when you install the operating system using the
default settings. Any other interpretation seems, to me, to
be overly generous (and potentially insecure), no?
There are 114 advisories on the Linux 2.6.x series kernel. Out of
those about 19% are remote. 16% are unpatched. 2% will lead to
system access, while 45% are DOS (usually crashes).
OK, I call your bluff. I just looked at these in the expanded
list of these vulnerabilities (not the pie charts -- the actual
list). And I couldn't find any of them that fit the
OpenBSD definition of a "remote hole" (i.e. code execution, not
DoS) in the "default install" of a major Linux distribution.
There were plenty of local issues, to be sure, and lots of DoS
opportunities. And I saw a few remotely exploitable holes or
"security bypass" bugs, but only in little-used code that (as far
as I am aware) major vendors don't ship enabled.
So as far as I can see, the "OpenBSD N" value for the linux
kernel over the lifetime of the Secunia database is in fact,
zero, which I amusingly note is somewhat less that two. Did I
to post comments)