Robert Huff wrote:
Chuck Swiger writes:
[ ... ]
        Would you care to nominate an inherently network-accessible
program with such a track record?  For example: 5.2.1 was released
in late February; there are currently 12 security advisories*, of
which I would consider at least 5 to be part of the core system.
(As opposed to things in the base system, like BIND.)

"In March 1997, I offered $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account.

My offer still stands. Nobody has found any security holes in qmail."

Note that the author has chosen to view this guarantee as applicable to remotely exploitable holes resulting in being able to run programs as some user, rather than denial-of-service exploits (say, filling up the drive due to a mailbomb), and that there have been security issues with commonly used patches to qmail. Then again, anything which uses SSL (ie, qmail+TLS) has been vulnerable to the horde of OpenSSL issues...

People who think that installing qmail today are likely to not be hacked due to a security hole in qmail over the next two years do indeed have some reason for their belief.


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to