[Tfug] "secure by default" ??

Ammon Lauritzen ammon at simud.org
Wed Feb 8 16:03:44 MST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, recently, an old friend of mine acquired a machine running what I am
led to believe is a pretty stock OpenBSD 3.8 installation.

The vast majority of my sysadminly experience is in Linux environments,
with some dabbling in Solaris and OSX. I have tried to experiment with
the BSD family several times in the past, but have always had bad luck
somewhere early on in the setup process (like unreliable nic drivers or
other subtle show stoppers). We're giving this machine a try as another
attempt at putting the bad history behind us.

Somewhere between getting vim and bash installed and downloading the
openldap source, I discovered something that started my spidey senses
tingling.

ammon at esme:~$ ssh -v
OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005

Now... call me ignorant... but I thought that last October's security
advisory (still quite visible on OpenSSL's front page) obsoleted this
version of the library. I know that OpenSSH == OpenBSD. So... what's up
with their ignoring the SSL library folks?

If the OpenBSD version of the library is unaffected by this
vulnerability, then why haven't they changed the version number?  And,
if they fixed bugs, then why haven't those been released back into the
main product line? And if this is just the stock vulnerable version,
then why on earth hasn't it been updated yet?

Along those lines, when I was installing Apache, I discovered a
pre-existing 1.3.29 installation. Which, while it wasn't turned on and
running without my permission, is still an obsolete server version
lacking needed features that is on the machine without my approval. It
was also not installed via the pkg system, ie, there is no easy way to
remove it short of tracking down offending files and removing them
individually.

I am led to understand that this is supposedly a 'hardened' version of
the application and is supposed to be one of the winning features of the
operating system. But, why haven't they at least updated to the 2.0
line? After all, 2.0.0 was released almost four years ago. 1.3.29 is
more than two years old, and there have been numerous security
advisories and associated updates made to the 1.3 line since then.

How am I supposed to believe that their version of 1.3.29 is actually
safe when it tells me otherwise? I don't like black boxes. Avoidance of
such is kind of one of the big points of open source in the first place, ne?

Ammon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFD6njQR9XALM4wLEoRAgH8AKCyn75S4VTjceRHCN1ROVaq5spk3ACgxat1
XCoco5UQNsfAuspnOrU9XNQ=
=OqZM
-----END PGP SIGNATURE-----
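The banner quoted in the post ("OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005") is the kind of string an administrator ends up comparing against an advisory by hand. The script below is an added example, not code from the post or from OpenBSD; it parses such a banner, orders OpenSSL's letter-suffixed releases correctly (0.9.7 < 0.9.7a < 0.9.7g), and only compares within the same 0.9.x branch, since a 0.9.7 release is never "older" than a 0.9.8 one in any meaningful sense. The `first_fixed` table is a hypothetical input the caller fills from the relevant advisory; the values used in the demo are placeholders, not taken from any real advisory. The returned caveat encodes the point the thread turns on: a vendor that backports fixes keeps the upstream version string, so the comparison is a triage signal, not a verdict.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: the banner quoted in the post above.
SAMPLE_BANNER = "OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005"

# Matches "OpenSSH_4.2" / "OpenSSH_4.2p1" followed by "OpenSSL 0.9.7g".
BANNER_RE = re.compile(
    r"OpenSSH_(?P<ssh>\d+\.\d+(?:p\d+)?),\s*OpenSSL\s+(?P<ssl>\d+\.\d+\.\d+[a-z]*)"
)


def parse_banner(banner: str) -> Tuple[str, str]:
    """Return (openssh_version, openssl_version) from an 'ssh -V' style banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return m.group("ssh"), m.group("ssl")


def openssl_key(version: str) -> Tuple[int, int, int, str]:
    """Sort key for classic OpenSSL versions: numeric parts, then the letter suffix.

    Tuple comparison orders '' < 'a' < 'b' ..., so 0.9.7 < 0.9.7a < 0.9.7g.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"not an OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def triage(banner: str, first_fixed: Dict[str, str]) -> Dict[str, str]:
    """Compare the banner's OpenSSL version against the first fixed release of its branch.

    first_fixed maps a branch ("0.9.7") to the first release carrying the fix.
    Branches not present in the table are reported as such rather than guessed at.
    """
    ssh, ssl = parse_banner(banner)
    major, minor, fix, _ = openssl_key(ssl)
    branch = f"{major}.{minor}.{fix}"
    fixed = first_fixed.get(branch)
    if fixed is None:
        status = "branch-not-listed"
    elif openssl_key(ssl) < openssl_key(fixed):
        status = "version-string-older"
    else:
        status = "version-string-at-or-after-fix"
    return {
        "openssh": ssh,
        "openssl": ssl,
        "branch": branch,
        "status": status,
        # The reason a version string alone cannot settle the question raised in the post.
        "caveat": "vendors that backport fixes keep the upstream version string; "
                  "confirm against the vendor's errata or patch list before concluding",
    }


if __name__ == "__main__":
    # PLACEHOLDER table: substitute the first fixed release named in the advisory you care about.
    placeholder_fixed = {"0.9.7": "0.9.7k"}
    for key, value in triage(SAMPLE_BANNER, placeholder_fixed).items():
        print(f"{key}: {value}")
```

Run it against the output of `ssh -V` on the host being inventoried; a result of `version-string-older` means the string warrants a look at the vendor's errata, while `branch-not-listed` means the table you supplied does not cover that branch and says nothing either way.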

