Re: [Exim] Does Exim have security problems?

Top Page
This message is part of the following thread:
M+\the complete thread tree sorted by date
MMMJohn Horne at <-
MMJethro R Binks at ->
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [Exim] Does Exim have security problems?
On 2000-08-29 at 19:27 +0600, Mustapha Mahfouz gifted us with:
> Actually as we all know sendmail has a extremely poor record to security,
> with root escapades being reported by CERT alarmingly regurlarly.

*PLEASE* make some attempt to check your facts before making sweeping
statements about application security.

I'm sure that Sendmail Inc don't particularly appreciate your libellous
claims.

There has not been a CERT Sendmail advisory since 1997.

The only recent issue which comes to mind is that Sendmail, in common
with a great number of other applications, was bitten by a Linux kernel
bug, which allowed a malicious local user to manipulate the inherited
capabilities such that a setuid program couldn't then drop its
privileges. Sendmail didn't check the return value from the setuid()
system call. That's a bug, but one which a _great_ many other programs
made; it would be unfair (and for me hypocritical) for people to blame
sendmail because of problems in the Linux kernel. (I'm sure that some
of my old proglets didn't check the return from setuid() when root -
none of those are in use today though).
--
"We've got a patent on the conquering of a country through the use of force.
We believe in world peace through extortionate license fees." -Bluemeat


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-RE: [Exim] Does Exim have security problems?Re: [Exim] Does Exim have security problems?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)