Vincent Danen <[EMAIL PROTECTED]> wrote:

> Of course, I still don't get why we're jumping all over proftpd. It
> isn't really *that* insecure. As I pointed out to Han regarding
> wu-ftpd, proftpd is in a similar boat. There is this hole, which should
> be available in updates RSN, but the last one was in Jan 2002... over
> a year and a half ago. Again, comparing to sendmail, this sucker is
> pretty secure. Heck, compare it to openssh! How many updates for
> openssh have there been in the same timespan?
>
> We can't just throw stuff out the window because it has a hole today
> and has had one over a year or two years ago. That's just silly. Why
> aren't we jumping up and down about ditching php? Or apache? Or cups?
> Or XFree86? Or bind? Or openldap? The list goes on. All of those have
> been updated within the last 1-2 years as well, some many many times.
It's also about the magnitude of the hole. How big are the chances they
will be found again? The recent ssh-hole was technically speaking a
remote crash, not nice but nothing dramatic. You still have to patch it
but that's something I can live with. On the other hand a remote root is
a remote root and that is something I really would like to avoid. Once
more: the size of the hole is more important than how often people
require you to patch.

# Han
-- 
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html
