Hi everyone,

I think this topic is a bit off-list, but it is still worth reading the article published by Securityfocus about an "academic vulnerability" in qmail. According to the article's author, Dan Bernstein refused to pay the cash prize offered under the "qmail security guarantee", arguing that nobody would give gigabytes of memory to a single qmail-smtpd process and that therefore this could not be considered a vulnerability. Nevertheless, in the opinion of many, the code written by Bernstein is still considered almost perfect.

I would never say qmail is perfect, but I can guarantee that it is very efficient, and with a few small tweaks it becomes even more efficient.

From the article: A Role Model for Security. Almost.

Qmail isn't perfect

Georgi Guninski recently published a vulnerability in qmail (albeit not a practical one), which can be exploited on specific configurations of some 64-bit systems. That's right. Even qmail has bugs. This shouldn't be a surprise to anybody.

...

If you're familiar with qmail, you'll undoubtedly be aware of the qmail security guarantee, which offers a monetary reward to the first person to publish a "verifiable security hole in the latest version of qmail". Bernstein has publicly denied this reward to Guninski, with the statement that "Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits." This basically means that Bernstein doesn't consider this to be a security vulnerability.

...

Ultimately, when I look at the history of vulnerabilities in an application, issues like this one make me feel warm and fuzzy inside. When a talented vulnerability researcher such as Guninski publishes this issue, there's a good chance that he paid close attention to the rest of the code. If this is all that he was able to find, then let's patch it and take one more step towards perfection.

More at http://www.securityfocus.com/columnists/331

---
Vini

_______________________________________________
Freebsd mailing list
Freebsd@fug.com.br
http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
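The quoted article's point is that qmail assumes allocated array lengths fit in 32 bits, which only becomes a problem on a 64-bit system where a single process is allowed to grow past 4 GiB. The following is an added illustration, not qmail's code or the article's: a hypothetical buffer with 32-bit length fields (`struct buf32`, `buf32_can_grow` and the helpers are assumed names), showing how a 64-bit byte count is silently truncated when stored in such a field, and the defensive check that rejects a growth request before it can wrap.

```c
#include <limits.h>
#include <stdint.h>

/* Hypothetical growable buffer with 32-bit bookkeeping, loosely in the
 * style of C mail daemons. This is illustrative code, NOT qmail's own
 * implementation; the 32-bit fields model the assumption the article
 * describes. */
struct buf32 {
    char *s;
    unsigned int len;   /* bytes in use */
    unsigned int alloc; /* bytes allocated */
};

/* What a 64-bit byte count becomes once stored in a 32-bit field:
 * every count at or above 4 GiB loses its high bits. */
unsigned int truncated_len(uint64_t n) {
    return (unsigned int)n;
}

/* Does a 64-bit byte count fit the 32-bit field without truncation? */
int fits_in_32(uint64_t n) {
    return n <= UINT_MAX;
}

/* Defensive pre-check for growing the buffer by `add` bytes: the new
 * length is computed in 64 bits and the request is refused if it would
 * not fit the 32-bit field. Returns 1 when the growth is safe, 0 when
 * the caller should reject the input instead of letting `len` wrap.
 * On a 32-bit host the kernel would already have stopped the process
 * long before this limit; on 64-bit hosts this check is what stops it. */
int buf32_can_grow(const struct buf32 *b, uint64_t add) {
    uint64_t need = (uint64_t)b->len + add;
    if (need < add)          /* wrapped even in 64 bits */
        return 0;
    if (need > UINT_MAX)     /* would not fit the 32-bit len field */
        return 0;
    return 1;
}
```

The same pattern applies to any counter the process compares against an allocation size: compute in the widest type, then refuse rather than truncate.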
