Author: Phil Pennock Date: To: exim-users Subject: Re: [Exim] Does Exim have security problems?
On 2000-08-29 at 19:27 +0600, Mustapha Mahfouz gifted us with: > Actually as we all know sendmail has a extremely poor record to security,
> with root escapades being reported by CERT alarmingly regurlarly.
*PLEASE* make some attempt to check your facts before making sweeping
statements about application security.
I'm sure that Sendmail Inc don't particularly appreciate your libellous
claims.
There has not been a CERT Sendmail advisory since 1997.
The only recent issue which comes to mind is that Sendmail, in common
with a great number of other applications, was bitten by a Linux kernel
bug, which allowed a malicious local user to manipulate the inherited
capabilities such that a setuid program couldn't then drop its
privileges. Sendmail didn't check the return value from the setuid()
system call. That's a bug, but one which a _great_ many other programs
made; it would be unfair (and for me hypocritical) for people to blame
sendmail because of problems in the Linux kernel. (I'm sure that some
of my old proglets didn't check the return from setuid() when root -
none of those are in use today though).
--
"We've got a patent on the conquering of a country through the use of force.
We believe in world peace through extortionate license fees." -Bluemeat