OpenBSD Gets Mitigated For Meltdown CPU Vulnerability
    Phoronix: OpenBSD Gets Mitigated For Meltdown CPU Vulnerability

    A few days back FreeBSD 11 stable was mitigated for Meltdown (and Spectre vulnerabilities), which came more than one month after these nasty CPU vulnerabilities were disclosed while DragonFlyBSD was quickly mitigated and the first of the BSDs to do so. While OpenBSD is known for its security features and focus, only today did it land its initial Meltdown mitigation...

    http://www.phoronix.com/scan.php?pag...D-Meltdown-Fix

  • #2
    while they might have been caught short by this announcement - they do get the benefit of several other attempts at mitigation. It's a small consolation, but better than nothing!

    Well done BSD devs to get it sorted out so quickly


  • #3
    Originally posted by boxie:
      while they might have been caught short by this announcement - they do get the benefit of several other attempts at mitigation. It's a small consolation, but better than nothing!

      Well done BSD devs to get it sorted out so quickly
    Quickly? Everyone else already fixed it. Maybe except Haiku and so on. The truth is BSD doesn't have enough manpower to even fix simple bugs. There are dozens of bugs in FreeBSD nobody cares about and they're not even reported. The result is very low code quality.
    Last edited by Pawlerson; 02-22-2018, 04:40 AM.


  • #4
    Who cares really? It's not like OpenBSD boxes around the world have been actively exploited with meltdown and spectre. The fact that they fixed it in such a short time after not being included in the disclosure is pretty good.


  • #5
    Originally posted by cen1:
      Who cares really? It's not like OpenBSD boxes around the world have been actively exploited with meltdown and spectre. The fact that they fixed it in such a short time after not being included in the disclosure is pretty good.
    We don't know that. From what I've heard there is a lot of networking hardware still running unpatched.

    There is frequent talk of BSD generally being understaffed


  • #6
    Originally posted by yoshi314:
      We don't know that. From what I've heard there is a lot of networking hardware still running unpatched.

      There is frequent talk of BSD generally being understaffed
    Linux knew about the exploit for like 6 months, *BSD knew when it went public. Perhaps they are understaffed (that is probably true and a fact) but I still don't understand what more people expect. Miracles?


  • #7
    Originally posted by cen1:
      Linux knew about the exploit for like 6 months
    I thought Linux upstream was not notified. Maybe Red Hat and SUSE knew?


  • #8
    Originally posted by cen1:
      Who cares really? It's not like OpenBSD boxes around the world have been actively exploited with meltdown and spectre.
    This is a bold statement, considering that there is 0 public data about this.

    Unless you want to make a very snide remark about OpenBSD not being used in places where they could be exploited, akin to saying that OpenBSD is not used at all.


  • #9
    Originally posted by Pawlerson:
      Quickly? Everyone else already fixed it. Maybe except Haiku and so on. The truth is BSD doesn't have enough manpower to even fix simple bugs. There are dozens of bugs in FreeBSD nobody cares about and they're not even reported. The result is very low code quality.
    So.... according to https://en.wikipedia.org/wiki/Meltdo..._vulnerability)
      After affected hardware and software vendors had been made aware of the issue on July 28, 2017,[45] the two vulnerabilities were made public jointly, on January 3, 2018, several days ahead of the coordinated release date of January 9, 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list.[8] As a result, patches were not available for some platforms, such as Ubuntu,[46] when the vulnerabilities were disclosed.
    So everyone else gets 5 months and we are still getting mitigation fixes from Windows/Intel/Linux for this - If the OpenBSD team got their heads up at the same time - then they are roughly on par with everyone else. If they got their heads up late in December/early Jan then they have done a fucking awesome job at getting this fixed.


  • #10
    Originally posted by yoshi314:
      From what I've heard there is a lot of networking hardware still running unpatched.
    Yes, there is lots. And none of it matters. There is no vector to exploit meltdown/spectre on a networking device like those from Cisco, etc. Think about it, these are privilege escalation vulnerabilities, but everything on a LAN switch or router runs as root. There are no other users logging in. And there's no way to exploit any of this from the data plane. You can maybe send a malformed ethernet frame (which requires you already have physical access to the local area network), and then what? Gain access to a portion of the MAC address table? Whoop-dee-doo. No way to exploit it from the management plane of these devices either, as they all run signed code and will not run random code, even if it were possible to inject it somehow. Sorry, but meltdown/spectre are a total non-issue on networking equipment. Yawn, nothing to see here.