
Re: List of errors and classes of errors found in OpenBSD code reviews?

From: Chad Loder <cloder(at)openbsd.org>
Date: Thu Jan 23 2003 - 17:26:23 EST

I don't know if there's a list of changes, per se. Here are some pointers.

See:

        http://www.openbsd.org/security.html

and towards the bottom, see the section "Watching our Changes".

Also on the same page, see the "Further Reading" section at the very end.

If you ask around, you could probably also find a list of security advisories where the OpenBSD response has been "This was found during an audit 2 years ago and fixed in version x.y.z". I'm sure someone has a reference.

Let's see, what else. The way auditing often works is, developers will find a certain kind of problem in one program, and then sweep the entire source tree and fix related problems (or potential problems) in a proactive manner. One example would be unsafe printf formatting, another would be bad string handling (making sure strlcpy() et al are used instead of their older unsafe counterparts).


For more about strlcpy and friends:

        http://www.openbsd.org/papers/strlcpy-paper.ps

Another example would be the changes that OpenBSD has made to the version of Apache it ships (usr.sbin/httpd) and the version of ISC BIND4 it ships (named). Since these programs are based on external source code, it's easy to look at CVS and get a good baseline comparison of what kinds of changes have been made in the OpenBSD version (using the 'cvs log' keyword). A less effective way to do the same thing would be to look back through the openbsd-cvs mailing list archives.

Hope this helps.

        Chad Loder

On Thu, Jan 23, 2003 at 11:54:15AM -0800, Lew Glendenning wrote:
> The code review/scans that the OpenBSD team has done, and the bugs found and
Received on Thu Jan 23 18:08:35 2003
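As an added illustration of the two sweep classes the mail describes (unbounded strcpy/strcat use and a non-constant printf format), here is example C code that is not from the mail or from the OpenBSD tree. bounded_copy() and bounded_cat() are our own implementations following the strlcpy/strlcat contract from the strlcpy paper (the return value is the length of the string the call tried to create, so a result >= the buffer size signals truncation); they are defined here so the example builds on any libc. log_message_unsafe() and log_message_safe() are hypothetical names for a "before" and "after" of the kind of change such a sweep makes, with constructed inputs.

```c
/* Added example (not from the mail or OpenBSD). Shows the two patterns an
 * audit sweep replaces: unbounded string building and printf(user_data).
 * bounded_copy/bounded_cat are our own strlcpy/strlcat-style helpers. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* strlcpy contract: copy src into dst (dstsize bytes), always NUL-terminate
 * when dstsize > 0, return strlen(src). Result >= dstsize means truncated. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strlcat contract: append src to the NUL-terminated string already in dst,
 * return strlen(original dst) + strlen(src). Result >= dstsize means truncated.
 * If dst is not terminated within dstsize, nothing is written. */
size_t bounded_cat(char *dst, const char *src, size_t dstsize)
{
    size_t dstlen = 0;
    while (dstlen < dstsize && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == dstsize)
        return dstsize + strlen(src);
    return dstlen + bounded_copy(dst + dstlen, src, dstsize - dstlen);
}

/* "Before" (hypothetical): the shape an audit looks for. Deliberately unsafe,
 * never called here: no bound on the copies, and out becomes the format. */
void log_message_unsafe(char *out, const char *user, const char *msg)
{
    strcpy(out, "user=");   /* overflows out if user or msg is long enough */
    strcat(out, user);
    strcat(out, " msg=");
    strcat(out, msg);
    printf(out);            /* attacker-influenced format string */
    printf("\n");
}

/* "After" (hypothetical): every step is bounded and checked for truncation,
 * and the format is a literal so out is only ever data.
 * Returns 0 on success, -1 if the record would not fit in outsize bytes. */
int log_message_safe(char *out, size_t outsize, const char *user, const char *msg)
{
    if (bounded_copy(out, "user=", outsize) >= outsize) return -1;
    if (bounded_cat(out, user, outsize) >= outsize) return -1;
    if (bounded_cat(out, " msg=", outsize) >= outsize) return -1;
    if (bounded_cat(out, msg, outsize) >= outsize) return -1;
    printf("%s\n", out);
    return 0;
}

int main(void)
{
    char buf[32];
    /* Constructed inputs: one that fits, one too long for buf and carrying
     * format directives that the literal "%s" format renders harmless. */
    if (log_message_safe(buf, sizeof buf, "alice", "hi") != 0)
        return 1;
    if (log_message_safe(buf, sizeof buf, "bob",
                         "%s%s%s%s%n this is far too long") != -1)
        return 1;
    return 0;
}
```

The check after each bounded call is the part the sweep is really about: strlcpy and strlcat make the overflow impossible, but only the caller can decide whether a truncated record is acceptable, so the return value has to be examined rather than discarded.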

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:29 EDT

