DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD Security

NetBSD Security Securing NetBSD.

Old 6th March 2011
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 332
Thanked 9 Times in 9 Posts

This happened to OpenBSD in February of 2007...note the dates:

# 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
# 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.

And later on Core managed to upgrade the bug to an "arbitrary code" vulnerability:

# 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
# 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.

http://www.coresecurity.com/content/open-bsd-advisorie
Old 6th March 2011
TerryP
Arp Constable
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts

Quote: Originally Posted by c_moriarty
I'm assuming that bugs and security issues would be reacted to more quickly in certain Linux distributions (Fedora, OpenSuse, Ubuntu) than they would be in FreeBSD or NetBSD... Isn't that correct?
This is debatable and likely ass-backwards at that.

When FreeBSD or NetBSD have a security issue to fix, they can commit it whenever they need to, and notify all listeners to update their systems. The whole process could take ${time to fix bug} + 5 minutes. This is the advantage of near-total control over your distribution's source.

Fedora on the other hand can report the issue to the maintainer and wait for a fix, optionally committing one or more of their programmers to help fix it (not likely for most RPMs). Then wait on that patch to be included by the upstream maintainer (Linux kernel, Samba, etc.), and push it out to all listeners. The whole process could take ${time to report bug} + ${time for upstream to fix bug} + ${time for fedora maintainers to notice bug fix} + ${time to make new RPM}. This is the disadvantage when your product is made up largely of other people's products.

Stuff in the ports collection works the same way as Fedora. In the case of Debian folk, the process may look more like: Ugh, bug. Fix it -> maybe tell upstream -> give all users own patched version of code -> upstream tells us we created 5 more bugs and have brain damage. No offense to other Debs.

If you don't like compilation from source, you will want
  • To relax your interest in security; source and its integrity is GOD.
  • To not use a SOURCE based OS.
  • To find a distribution with a well defined security policy and a Rapid Response Team that sleeps on the desk of upstream security issues.

If you just don't like the time it takes to compile stuff from source, buy a faster computer. If you think that's stupid, let me point a finger to a box across the room that has a 500 MHz CPU and note it compiles a hell of a lot slower than the multiple multi-core Xeon processors the build box at work uses for compiles.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Old 6th March 2011
qmemo
Shell Scout
Join Date: Jul 2008
Location: Egypt
Posts: 133
Thanked 0 Times in 0 Posts

Quote: Originally Posted by TerryP
If you don't like compilation from source, you will want
  • To relax your interest in security; source and its integrity is GOD.
  • To not use a SOURCE based OS.
  • To find a distribution with a well defined security policy and a Rapid Response Team that sleeps on the desk of upstream security issues.
Just out of curiosity, which OS/OSs fit that profile?
Old 6th March 2011
TerryP
Arp Constable
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts

If you find one, let me know!
Old 6th March 2011
qmemo
Shell Scout
Join Date: Jul 2008
Location: Egypt
Posts: 133
Thanked 0 Times in 0 Posts

THOUGHT SO
Old 7th March 2011
c_moriarty
Port Guard
Join Date: Mar 2011
Posts: 10
Thanked 0 Times in 0 Posts

Well, right now Fedora 14 has been out for quite a while.
When I install Fedora 14 right now and update it, it has 850+ updates. Software is also updated very regularly (not that much at once, of course, but as far as how long it takes before a few pieces of software come up as needing updating, it usually takes 2 or 3 days).
When I had NetBSD installed, I just let the vulnerable packages be installed and waited for at least 3 days and nothing had changed except one update to Python, which still left it with a vulnerability.
That seems like a very dramatic difference in response, to me.
Old 7th March 2011
qmemo
Shell Scout
Join Date: Jul 2008
Location: Egypt
Posts: 133
Thanked 0 Times in 0 Posts

@c_moriarty
Re-read the entire post; the answer you're looking for is out there && if you were just re-stating what you have already asked about and the honourable users/admins answered you, then I do not know what the heck I can say about that :P
Old 7th March 2011
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 332
Thanked 9 Times in 9 Posts

Quote: Originally Posted by c_moriarty
When I had NetBSD installed, I just let the vulnerable packages be installed and waited for at least 3 days and nothing had changed except one update to Python, which still left it with a vulnerability.
That seems like a very dramatic difference in response, to me.
How many of the vulnerabilities are in core NetBSD? Do some research...

Search CERT for vulnerabilities. I just did, and here are the numbers:

Vulnerability warnings:
OpenBSD - 295
Solaris - 306
NetBSD - 319
FreeBSD - 389
Mac OS X - 397
Windows - 1110
Linux - 1400

Or perhaps the National Vulnerability Database:

OpenBSD - 165
NetBSD - 186
FreeBSD - 432
Solaris - 680
Mac OS X - 1450
Windows - 2600
Linux - 3462

Which one looks better now?
Old 7th March 2011
ocicat
Administrator
Join Date: Apr 2008
Posts: 2,906
Thanked 190 Times in 160 Posts

Quote: Originally Posted by c_moriarty
When I install Fedora 14 right now and update it it has 850+ updates.
...
When I had NetBSD installed, I just let the vulnerable packages be installed and waited for at least 3 days and nothing had changed except one update to Python, which still left it with a vulnerability.
Again, there are a number of fallacies to your argument.
  • Software updates do not get published only as a result of identified software vulnerabilities or identified solutions. Software updates can occur because some other piece of software has been updated, & this cascades into a number of libraries, etc. needing to be updated as well. Red Hat apparently does this piecemeal -- releasing updates as they are deemed ready. The *BSD projects tend to aggregate application changes into formal releases.
  • Most Linux distributions attempt to emulate Windows in being a complete desktop environment -- meaning that a lot of extraneous applications have been installed which the user doesn't know about. Many of these "updates" are upgrading applications which are not even being used.

    In contrast, most of the *BSD family are installed in a minimalist fashion & the user must consciously add chosen applications. While this does not mean that the user will understand all that is added, there is a higher probability that they have some idea. More fundamental to this thread, the number of applications potentially needing updates is smaller. The 850 number originally quoted doesn't necessarily translate. It really appears that you are comparing apples to oranges.
It appears that you have made up your mind & are more comfortable with the piecemeal policy implemented by many Linux distributions. Great. This is your choice. Choice in the marketplace is a good thing, but I challenge you to look at this list of 850 updates & answer whether these are all pertinent to your particular situation.

Last edited by ocicat; 7th March 2011 at 03:31 AM.