On Fri Sep 26, 2003 at 08:14:36AM +0200, Han Boetes wrote:
> > Of course, I still don't get why we're jumping all over proftpd. It isn't really *that* insecure. As I pointed out to Han regarding wu-ftpd, proftpd is in a similar boat. There is this hole, which should be available in updates RSN, but the last one was in Jan 2002... over a year and a half ago. Again, comparing to sendmail, this sucker is pretty secure. Heck, compare it to openssh! How many updates for openssh have there been in the same timespan?
> >
> > We can't just throw stuff out the window because it has a hole today and has had one over a year or two years ago. That's just silly. Why aren't we jumping up and down about ditching php? Or apache? Or cups? Or XFree86? Or bind? Or openldap? The list goes on. All of those have been updated within the last 1-2 years as well, some many many times.
>
> It's also about the magnitude of the hole. How big are the chances they will be found again? The recent ssh-hole was technically speaking a remote crash, not nice but nothing dramatic. You still have to patch it, but that's something I can live with.
>
> On the other hand, a remote root is a remote root and that is something I really would like to avoid.
>
> Once more: the size of the hole is more important than how often people require you to patch.
Very true. But not every openssh vuln has been a crash or DoS. Mind you, with openssh a DoS is bad enough. Need to remote admin servers? What happens if the server goes down and you're stuck driving a long time to get to the machine? (It's happened.) A DoS in apache is one thing... ssh in and restart. A DoS in ssh is another... how do you ssh in to fix it if ssh doesn't work?

So don't think of it in technical terms... put it in real-world situations and then re-evaluate how "bad" the problem is.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}