
I think you're expressing an opinion that is pretty mainstream among runtime hardening and exploit people. You can find reasonable opinions in both directions, though. Joshua Stein built a page that is a pretty incredible resource on this topic:

https://isopenbsdsecu.re/



I’ve not seen any openbsd exploit code in… a decade though? Can you point me to a single working exploit for anything in openbsd lately?

(Excluding shellshock/log4shell kind of vulns)

I mean an exploit against some service running on openbsd, or even necessarily the OS contents...

Edit: I don’t mean a 0day, just an exploit that worked on some combo of openbsd and X, X being anything like e.g. Apache or Bind or whatever.


There was an RCE in OpenSMTPD --- a 25/tcp RCE, that'll bring you back to the '90s! --- like a minute ago.


I think that was early 2020 if memory serves. There was another serious security bug discovered a few months before too.


2022.


Do you have a source for that? I run it on a few machines and monitor that stuff, I think I would remember. I remember patching that one before the portable tree release with the fix was in a distro. I remember it very well because I was rushed, heading out to a meal but realizing a machine was vulnerable.

Here's what I find googling:

https://github.com/superzerosec/cve-2020-7247

2020-01-29

I think later they had another crashing bug that wasn't exploitable. This one from 2020 was poor validation of input leading to a shell command. A very 90s bug indeed.


Oh! You're totally right. I had two different links, and, of course, the actual Qualys advisory has the date you're giving it. Thanks for taking the time to correct me on this.



