Исходное сообщение
"В развиваемом проектом OpenBSD SMTP-сервере OpenSMTPD выявле..." Отправлено Нимано, 05-Окт-15 13:36
> Интересно, что разработчики OpenBSD отказались поменять на сайте заявление о наличии только двух удалённо эксплуатируемых уязвимостях в базовой поставке OpenBSD за всю историю существования проекта. Вообще-то это "классика": http://www.coresecurity.com/content/open-bsd-advisorie > 2007-02-20: First notification sent by Core. > 2007-02-20: Acknowledgement of first notification received from the OpenBSD team. > 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic. > 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree. > 2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack , as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term. > 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain. ... > 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow. > 2007-03-05: OpenBSD team notified of PoC availability. > 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website. > 2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information. > 2007-03-09: OpenBSD team changes notice on the project's website to "security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity for a successful attack from outside of the local network. Короче, такой цирк там уже давно. Но, судя по комментариям, подход вполне действенный.

Ваше сообщение
Имя*:
EMail:	Для отправки ответов на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	>> Интересно, что разработчики OpenBSD отказались поменять на сайте заявление о наличии только двух удалённо эксплуатируемых уязвимостях в базовой поставке OpenBSD за всю историю существования проекта. > Вообще-то это "классика": > http://www.coresecurity.com/content/open-bsd-advisorie >> 2007-02-20: First notification sent by Core. >> 2007-02-20: Acknowledgement of first notification received from the OpenBSD team. >> 2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic. >> 2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree. >> 2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. [b]OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack [/b], as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term. >> 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain. > ... >> 2007-03-05: Core [b]develops proof of concept code that demonstrates remote code execution[/b] in the kernel context by exploiting the mbuf overflow. >> 2007-03-05: OpenBSD team notified of PoC availability. >> 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website. >> 2007-03-08: Core sends final draft advisory to OpenBSD requesting comments and official vendor fix/patch information. >> 2007-03-09: OpenBSD team changes notice on the project's website to [b]"security fix" and indicates that Core's advisory should reflect the requirement of IPv6 connectivity [/b] for a successful attack from outside of the local network. > Короче, такой цирк там уже давно. > Но, судя по комментариям, подход вполне действенный.
	Введите код, изображенный на картинке: