Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race

from [Theo de Raadt] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Date: Thu, 23 Mar 2006 19:52:12 -0700 
Sendmail is, as we know, the most used daemon for SMTP in the world. This
is an International Infrastructure vulnerability and should have been
treated that way. It wasn't. It was handled not only poorly, but
irresponsibly.


You would probably expect me to the be last person to say that Sendmail
is perfectly within their rights.  I have had a lot of problems with
what they are doing.

But what did you pay for Sendmail?  Was it a dollar, or was it more?  Let
me guess.  It was much less than a dollar.  I bet you paid nothing.

So does anyone owe you anything, let alone a particular process which
you demand with such length?

Now, the same holds true with OpenSSH.  I'll tell you what.  If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
noone has ever paid a cent for it's development they have nothing they
can say about it.

Dear non-paying user -- please remember your place.

Or run something else.

OK?

Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence.  Then you can pay for it,
and then you can complain too.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Sudo tricks, John Richard Moser
Next by Date:  [Full-disclosure] [FLSA-2006:186277] Updated sendmail packages fix security issues, Jesse Keating
Previous by Thread:  Re: [Full-disclosure] SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), Gadi Evron
Next by Thread:  Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), purplebag
Indexes:  [Date] [Thread] [Top] [All Lists]