OpenBSD audit reveals bugs but no backdoor

Posted on Thursday, December 23 2010 @ 19:44 CET by Thomas De Maesschalck
Ars Technica reports that OpenBSD code reviewers have found no evidence to back the claim that the FBI planted a backdoor in the operating system's IPSEC stack. They did find a couple of security bugs, but these are unlikely to have been intentional or aimed at planting a backdoor.
In a follow-up e-mail published this week, de Raadt outlined his current perspective on the controversy and his interpretation of the findings that have emerged from the ongoing code audit. Reviews are being conducted on the history and provenance of code in the IPSEC stack as well as the current implementation. Reviewers have uncovered several bugs that could have security implications, but the nature of the bugs suggests that they were not intentional, nor were they intended to facilitate a backdoor.

The most serious revelation so far is the discovery of a bad conditional expression in older versions of the Encapsulating Security Payload (ESP) code. This hole was quietly closed in 2002 without the usual vulnerability disclosure process. As such, the bug is not present in modern-day OpenBSD, but has remained unknown to users due to the lack of a public advisory.

