OpenBSD: New Slogan

Submitted by Jeremy
on June 26, 2002 - 9:03pm

After the recent hole found in OpenSSH [earlier story], the OpenBSD home page has been updated with a new slogan: "One remote hole in the default install, in nearly 6 years!" All in all, not a bad track record... (Previously the tagline had read "Five years without a remote hole in the default install!")

Check out the OpenBSD errata page to see the various security fixes applied over time, as well as a list of other known issues with the many releases.


From: Jack J. Woehr
To: misc AT openbsd.org
Subject: Honesty
Date: Wed, 26 Jun 2002 13:46:42 -0600

May the G0dZ smile upon the honest OS provider:

     One remote hole in the default install, in nearly 6 years!

From: Scott Sandeman-Allen
Subject: Re: Honesty
Date: Wed, 26 Jun 2002 16:13:44 -0600

I'm not aware of any system being compromised by a hacker via this
"hole".

Could/should this be noted by saying:

    Only one potential remote hole in nearly 6 years!
    Fixed before any known systems were compromised.

Just a thought,

Scott

From: Brian Szymanski
Subject: Re: Honesty
Date: Wed, 26 Jun 2002 21:04:13 -0400 (EDT)

> Could/should this be noted by saying:
>
> Only one potential remote hole in nearly 6 years!
> Fixed before any known systems were compromised.

IMHO, that sounds whiny and pathetic. I like the way they have it now,
which owns up to it and more. There's been enough "OpenBSD's claims of
security are bullshit" threads over the years that it's better to just say
it's there and move on. (consider the dhclient-script exploit and the
whining it caused). Owning up to it gives the trolls less to work with.
Perhaps that whole section could be a link to a page with a more thorough
explanation of what serious bugs have been fixed over the years and what
their "real-world" impact was. Or perhaps just have the link point to
/errata.html so people with clue can read for themselves.
Cheers,
Brian

Potential !?!?!?!

Anonymous on July 5, 2002 - 1:57am

>I'm not aware of any system being compromised by a hacker via this
>"hole".
>
>Could/should this be noted by saying:
> Only one potential remote hole in nearly 6 years!
> Fixed before any known systems were compromised.
>Just a thought,
>Scott
Hmm ... if you are not aware, it's your problem, but there is a public OpenSSH exploit by gobbles and it is remote root.
It isn't potential, it is real and dangerous, and any script kiddies may use it.
And about the motto "five years with no remote bugs in default install" ... with that kind of default install it is a pathetic and sad statement.
In older versions, not even OpenSSH by the same team was up in the default install.
Isn't that pathetic?
