3/3 There's a new sendmail root-exploit out there. Time to patch/upgrade.
(soda isn't vulnerable, but anyone running versions below 8.12 is)
\_ Incorrect. Every version since 5.19 or something is vulnerable
up to and including 8.12.7. Looks like soda still needs to be
upgraded. There's a patch out from FreeBSD, plus patches and
8.12.8 distributions at http://sendmail.org. Please correct your
misinformation. -- randal <rand@sendmail.com>
\_ soda was patched with an 8.12.6 patch.
\_ Email to root.
\_ So what? Sendmail is so buggy wrt security that it might as well
have been written by M$ code monkeys. If you want a secure mail
server try postfix or qmail.
\_ yeah, that's what, the second root hole in the past 3
years! what a piece of shit!
\_ yes. use qmail.
\_ you're deluding yourself if you think that qmail
wouldn't have just as many security problems if
it were as widely used as sendmail. Reference:
Theo and openssh. -tom
\_ Meaning what? That as openssh became more
popular more holes were discovered or that theo
is a jerk so we should all not like openssh?
\_ Theo is specifically a jerk who used to
crow all the time about how secure his
software was, then when it became more
popular more holes were discovered. The
exact same thing would happen with qmail
if djb ever tried to make it into a
generally useful program. -tom
\_ So exactly how many remote root holes
have been discovered in OpenSSH in
the default config? Exactly 1. How
many in OpenBSD's 7 yr history?
Exactly 1. Theo might be an ass but
his software is secure. Same for DJB.
Coding secure software requires a
particular mindset that the people
working on Sendmail (and Bind) don't
have.
\_ since November 2001, there have been
three remote root and two local root
holes found in openssh--that's far
worse than sendmail over the same
period. -tom
\_ tom, you make somewhat of a valid point, but i'm not talking
about theo here, i'm talking about djb. qmail is the #2 MTA.
how many qmail exploits have there been? besides, even if
you are right, in practice it is still less vulnerable bc
it is less targeted. the way i see it:
unix is to windows as qmail is to sendmail.
windows is more targeted, dumber people use windows, and
windows is generally easier to find holes in.
\_ I'm sure qmail is not the #2 MTA--#1 and #2 have to be
sendmail and Exchange. In any case, it may be true that
qmail is inherently more secure than sendmail, but if so,
it's at least partly because of design decisions which
make qmail difficult to use in the real world. -tom
\_ Exchange? I guess technically it's an MTA but using
Exchange in the same sentence as "security" seems
pointless. Anyway, I agree qmail sucks to use in the
real world. Actually it more than sucks.
\_ Qmail doesn't suck any worse than sendmail.
People are just so used to the pointless
complexity of sendmail that they don't really
notice it. Has anyone written a 500 page book
on how to use qmail? No. This is because it is
not as hard to use. -ausman
\_ don't be silly--qmail's configuration is
simpler than sendmail's, but it doesn't
support anything near the same level of
configurability. -tom
\_ And for most folks a standard install of
sendmail works fine, btw. qmail requires
all sorts of tedious bullshit. So although
making any serious changes to sendmail can
be nearly impossible, most people won't need
to anyway.
\_ installing qmail is a breeze. the
only tedious bullshit here is your
comment. --aaron
\_ Having used both extensively I'll simply
disagree as a matter of personal choice.
Sendmail is bad but qmail is worse.