How not to respond to a security advisory
Jason Miller, 2006-01-18

A recently announced weakness in the BSD securelevel system isn't going to be fixed in OpenBSD. While securelevel may have problems, the vendor's security response is unacceptable and doesn't fit with their stated goals.

How not to respond to a security advisory 2006-01-19
Anonymous (1 replies)
Linux security contact 2006-01-19
Anonymous
Theo being theo... 2006-01-19
Anonymous (2 replies)
Re: Theo being theo... 2006-01-20
Anonymous
What total nonsense. 2006-01-19
Anonymous
TdR says loud what Linux & FreeBSD assume silently 2006-01-20
Anonymous
This "security advisory" is only publicity for RedTeam (not a security problem).
Proof: at the end of the day Linux and FreeBSD just ignored (didn't "fix") anything.
The result is the same, from a security viewpoint.

RedTeam made false assumptions about a security problem because of a misinterpretation of file flags and securelevel purposes.
The adequate response would only be to explain to RedTeam that they misunderstood what securelevel is for (and what it's not for). That's how I understand Theo de Raadt's reply: "securelevel are useless [ for this purpose ]".
And that's how I understand why the Linux and FreeBSD teams aren't in a hurry to "fix" this.
If they didn't think the same, they would have fixed the behaviour by now.

Mr. Miller has chosen to interpret the word "useless" totally out of context (it's "useless" for what RedTeam tried to do); I think it's not the adequate interpretation of TdR's words.
But that's what happens when someone (here, RedTeam) makes public an out-of-context citation from a private mail exchange.
So it's not TdR's or J. Miller's fault, but rather RedTeam's, a consulting company looking for publicity. Nothing to see there.

"Root problem" again 2006-01-24
Alexey Vesnin
How not to respond to a security advisory 2006-01-25
Michael Favinsky (1 replies)
this is a non-issue 2006-02-04
Anonymous
Copyright 2008, SecurityFocus