Re: 3.9 coming out
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: 3.9 coming out
- From: Joachim Schipper <j_(_dot_)_schipper_(_at_)_math_(_dot_)_uu_(_dot_)_nl>
- Date: Mon, 3 Apr 2006 11:55:19 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Mon, Apr 03, 2006 at 02:40:50AM -0600, David B. wrote:
> hi, I see 3.9 is getting ready to be released. Do you plan on bundling
> Apache2 with it? it would seem a logical thing to do, since the Apache
> version currently bundled with it seems to have problems.
>
> I just lost my entire development box to a hack this week, right through
> smoothwall's DMZ. I had apache up, postgresql installed with the mod_php as
> the middleware. All settings were default and the only port I had open was
> 80 through smoothwall. I even had all packets dropped that came from Asia,
> South America and Africa.
>
> The point being, if you sell security as your market niche, you might want
> to make sure that, at least, Apache be up to date, and not a version from 5
> years ago where who knows how many hacks there are out there for it.
>
> I don't mind rebuilding my development box from scratch because that's why
> I had it on the net like that anyway, simply to see how long it would take
> for someone to crash it. It took less than a month - that's not very good
> from a default security viewpoint.
>
> I'm assuming of course that Apache is the problem, as there are no logs or
> any way to tell what happened, but the hard drive started to make an awful
> screeching sound as the drive was apparently being forced to track the
> heads back and forth very quickly. The drive is fine, but apache and
> postgresql won't start, and the wtmp file was erased, so that when I did a
> 'last' only my most recent login came up.
As pointed out, Apache 2 won't make it into base. Also, as I like to
say, PHP is more likely to be the point of entry. And the oldish version
of Apache, with lots of fixes, that is in OpenBSD is *less*, not more,
likely to have major bugs than the current Apache.
As to getting hacked - OpenBSD is only secure by default, or when run by
someone who knows what he's doing.
Joachim