Seems to be lots of heat but not a lot of light.
Sendmail has always been a big unknown WRT security. So there is YASSB
(yet another sendmail security bug). Ho hum, nothing new. Well, if
sendmail is such a pain, what about other mailers? How about smail?
MMDF? Something new and much simpler? I would be really interested
in hearing about the security issues surrounding these packages.
A big unknown? Not at all. We *know* it has more holes; we just
don't know what they are at the moment.... In fact, I was quoting
that line to someone in a meeting at more or less the exact time that
the CERT advisory must have been showing up in my mailbox. I'd call
it a coincidence, except that as you say: ho hum, nothing new about
YASSB. When it comes to security bigger=>badder. As Fred Grampp once
remarked in a similar context (about why mailx on SVR4 was setgid):
``You don't give privileges to a whale''.
--Steve Bellovin