Greetings!
As I happen to speak German, here's a small summary:
The article, which is from the 14th of March, quotes an article from
the 13th where heise.de reported on the fix that has been quite an
issue here on the mailing list.
The article then goes on to state that in an article by Core Security it
is revealed how this bug can bring a system remotely to a halt and
even compromise it. Heise.de describes this as "and so Core Security
reveals how security leaks are being trivialized by the OpenBSD group".
The article then elaborates how the fix you put up was indeed put up
very shortly after being alerted about the bug, but that it was only
categorized as a "maintenance fix" and that "the OpenBSD group states
that bugs that enable malicious users to be able to halt a system
from remote are not security issues, only when a system can be
compromised, it's a security issue for the OpenBSD group". They
(heise.de) then draw a parallel to the FreeBSD developers who, from
heise's point of view, also have a too tight definition of security
when not releasing a patch for some DoS vulnerability. The article
then tells that after some discussion with Core Security, the OpenBSD
team deemed the fix as a security fix, but only if the Core Security
group would state that it only affects IPv6 and thus only very few
people are actually at risk.
I personally think this discussion is all really for nothing. No one
of the OpenBSD group is, in my opinion, obliged to do anything, and
yet I have received more support, better support and faster support
than I possibly could expect from any "company". This of course
doesn't directly relate to the security discussion, but indirectly,
yes. If the patch is there, then why bother them instead of thanking
them for fixing it? :->
Greetings,
Christian Fuchs
On Mar 16, 2007, at 10:56 AM, Lars Hansson wrote:
On Fri, 16 Mar 2007 10:08:02 +0100
Karel Kulhavy <[EMAIL PROTECTED]> wrote:
http://www.heise.de/security/news/meldung/86730
And for the majority of the world's population that doesn't speak
German this says exactly what?
--
Lars Hansson <[EMAIL PROTECTED]>
See you,
Christian Fuchs
e-mail: [EMAIL PROTECTED]
UIN: 398213