lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.GSO.4.44.0311181847400.2387-100000@sodom.uberhax0r.net> Date: Tue, 18 Nov 2003 18:52:31 -0500 (EST) From: noir@...rhax0r.net To: Coleman Kane <cokane@...ane.org> Cc: bugtraq@...urityfocus.com Subject: Re: OpenBSD kernel holes ... > I may be wrong here, but I don't think that any of the kern.emul.* > executable emulations are actually enabled on a default install. I have > installed openbsd in environments requiring one of these since 3.2 and > have had to specifically enable them every time. COMPAT_* are compiled in > the default kernel, but are turned of via sysctl in the default install. this exploit will get you uid=0 in all default installs starting from 2.6 upto and including 3.3. i have personally tested 2.6, 3.0, 3.1, 3.2, 3.3 on vmware (since i cann't effort to waste real hardware on openbsd.) > that matter. IMHO, the slogan should be "More secure by default". IMHO, the slogan should be "Less secure than claimed". > > This does fall under reliability fix category, though, since it isn't really > a security issue, the bug puts the system into one of its most secure states: > halted. Well, that is as long as youve disabled the kdb, which you should have > on a production box. this so true for OpenBSD. yes its most secure state is: halted. - noir
Powered by blists - more mailing lists