> Well, before anything else, here's excerpt > from last Monday's > BUGRTRAQ. What were these big companies > again? Maybe it's time to start blowing the > whistle. > > And i quote: > > RAZOR Advisory: Multiple Local Sendmail > Vulnerabilities > > Author: Michal Zalewski > <[EMAIL PROTECTED]> > Release Date: 10/01/2001
Ahh... Mr. Zalewski. cool guy. you should try his perl script signature from bugtraq as root, it will lock/crash ur *unix box! Hmmm... You did not answer the points I raised regarding about sendmail. Instead, you put this link of security thingy which can be another topic altogether. And you know what? In all my e-mails about sendmail I did not say it's the most *secure* of all mta. Why brought this topic out? What you mentioned is a local exploit. For the past years here are the local exploits accdng. to securityfocus.com: 2001-10-01: Sendmail Inadequate Privilege Lowering Vulnerability 2001-10-01: Sendmail Queue Processing Data Loss/DoS Vulnerability 2001-08-17: Sendmail Debugger Arbitrary Code Execution Vulnerability 2001-05-28: Sendmail Unsafe Signal Handling Race Condition Vulnerability 1988-11-03: Sendmail WIZ Default Configuration Vulnerability You need shell access on the mailserver. Since you were concerned about the fortune companies/large ISP's getting hit, It's no big deal for them. What can anybody hacker wannabe do if only port 25 exists on the mailserver? no telnet, pop3/imap, even no ssh! The last remote exploit that happened was Jan. 1997, about the mime conversion thingy. That was about more than 4 years ago. Since ur talking about security, then try telling these fortune companies to ditch oracle instead :) 2001-09-17: Oracle 9i Application Server Path Revealing Vulnerability 2001-08-02: Oracle /tmp Race Condition Vulnerability 2001-08-02: Oracle DBSNMP Oracle Home Environment Variable Buffer Overflow 2001-08-02: Oracle OTRCREP Oracle Home Environment Variable Buffer Overflow Vulnerability 2001-08-01: Oracle DBSNMP CHOwn Path Environment Variable Vulnerability 2001-08-01: Oracle DBSNMP Oracle Home Environment Variable Changing Vulnerability 2001-07-16: Oracle Internet Directory Buffer Overflow Vulnerabilities 2001-07-16: Oracle Internet Directory Format String Vulnerabilities 2001-06-28: Oracle 8i TNS Listener Buffer Overflow Vulnerability 2001-06-27: Oracle 8i SQLNet Denial of Service Vulnerability 2001-05-07: Oracle ADI Plain Text Password Storage Vulnerability 2001-04-18: Oracle 8 Server 'TNSLSNR80.EXE' DoS Vulnerability 2001-04-11: Oracle Application Server ndwfn4.so buffer overflow 2001-01-23: Oracle XSQL Servlet Arbitrary Java Code Vulnerability 2001-01-22: Oracle JSP/SQLJSP Servlet Execution Vulnerability 2000-12-19: Oracle IAS PL/SQL Injection Vulnerabililty 2000-12-19: Oracle Apache+WebDB Documented Backdoor Vulnerability 2000-11-20: Oracle cmctl Buffer Overflow Vulnerability 2000-10-25: Oracle listener Input Validation Vulnerabilities 2000-10-18: Oracle Internet Directory 2.0.6 oidldap Vulnerability And still, no big deal with them. They have legions of security guys to lock their oracle servers around. > I'm sorry, i sorely disagree with what seems > to me like an futile effort in keeping an old > antiquated design and technology alive when > it should be retired for good. But to each > his own preferences. I respect your views > and reasons even though i beg to differ. Oh well. I think you misunderstood me. I'm not, repeat, a sendmail advocate/zealot. My views are that postfix/qmail/sendmail/exim mta's are good. They have their strengths and weaknesses. Hell, if you ask me, I'll go for exim rather than sendmail for low/medium loads. sendmail for company/enterprise mail server. > Mine is simply to point out that in this day > and age, NO new and modern day linux > user/admin should _EVER_ consider using > sendmail when there exists more mature and > efficient MTAs going around. Can you backup your statements with hard facts? Talk is cheap, give the reasons why. > The very purpose of this list is for those > with experience to steer those needing > guidance towards the technology that is most > appropriate in dealing with the modern day > internet. That's correct. regards, --- Andre Varon, CSA http://www.lasaltech.com _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
