upvote
Best guess, from the commit message alone[0]: It was fixed as a bug, at the time they didn't have evidence it could lead to LPE

The AI security tool then, retroactively discovered that it could have been used for LPE.

Again, just my guess I could be wrong.

[0] https://github.com/openbsd/src/commit/1957873d2063db11dab780...

reply
OpenBSD has a reputation for being... selective about what they admit is a security-relevant bug.
reply
They appreciate technical correctness and they do not exaggerate. Most 'security researchers' are not technically correct and they exaggerate a lot (seeking fame and all).

Dismissing their claims is not being selective, it's just the right thing to do.

reply
The fact that most security researches tend to bullshit to pump up their numbers doesn't mean that OpenBSD isn't selective.

The main claim from OpenBSD is "Only two remote holes in the default install since forever".

It is technically true. But it's also selective because they deliberately disable every service by default and don't install any software beyond core.

Once the OS is configured to be useful, we're far from the default install and they would (and have!) refuse to update their motto when confronted with RCEs in those parts.

Which is fair enough! You gotta draw the line somewhere. But that's still being very selective.

reply
deleted
reply