A serious sendmail security hole
Posted Mar 22, 2006 20:10 UTC (Wed) by dberkholz (guest, #23346)
Posted Mar 22, 2006 20:14 UTC (Wed) by mattdm (subscriber, #18)
Posted Mar 23, 2006 18:07 UTC (Thu) by kmccarty (subscriber, #12085)
Posted Mar 31, 2006 9:06 UTC (Fri) by barrygould (guest, #4774)
Posted Mar 22, 2006 20:36 UTC (Wed) by gvy (guest, #11981)
Posted Mar 22, 2006 20:52 UTC (Wed) by dmantione (guest, #4640)
Posted Mar 22, 2006 21:11 UTC (Wed) by gvy (guest, #11981)
Posted Mar 22, 2006 21:25 UTC (Wed) by TwoTimeGrime (guest, #11688)
Posted Mar 22, 2006 21:36 UTC (Wed) by rfunk (subscriber, #4054)
Posted Mar 24, 2006 17:27 UTC (Fri) by TwoTimeGrime (guest, #11688)
Posted Mar 24, 2006 17:43 UTC (Fri) by rfunk (subscriber, #4054)
But when was the last time a remote root hole was discovered in the Linux
kernel? How many have there been in "modern times" (say, since 2000)?
And can you provide a link to a remote-root Linux kernel hole? I'm aware
of local-root and remote-DoS holes, but no remote-root holes.
Posted Mar 22, 2006 23:12 UTC (Wed) by bastiaan (guest, #5170)
They have learnt their lessons indeed. That's why they ditched the monolithic spaghetti hell of Sendmail 8 and are writing Sendmail X from scratch! Anyone who has taken a look at the horrible crufty source code of Sendmail 8 knows it's not maintainable anymore. It has constructs like macros that contain return statements, functions that go on for pages and pages, all kinds of if-else statements for obsolete configuration file versions, etc.... yuk!
Posted Mar 22, 2006 22:26 UTC (Wed) by jeroen (guest, #12372)
Posted Mar 22, 2006 22:38 UTC (Wed) by xorbe (guest, #3165)
Posted Mar 23, 2006 1:22 UTC (Thu) by dskoll (subscriber, #1630)
Posted Mar 23, 2006 2:19 UTC (Thu) by busterb (subscriber, #560)
Posted Mar 22, 2006 23:17 UTC (Wed) by jgarzik (guest, #8364)
Posted Mar 23, 2006 14:46 UTC (Thu) by dmantione (guest, #4640)
Sendmail not, it could flawlessly interact with all new tools.
Posted Mar 23, 2006 20:13 UTC (Thu) by beoba (guest, #16942)
Posted Mar 23, 2006 8:58 UTC (Thu) by mjcox@redhat.com (guest, #31775)
Vulnerabilities fixed in sendmail: 1 critical
The data isn't for comparison (only version 4 shipped exim, so it has a shorter date range), but recently there are not as many vulnerabilities in MTAs as people think.
Posted Mar 23, 2006 16:50 UTC (Thu) by rfunk (subscriber, #4054)
Vulnerabilities fixed in sendmail: 1 critical
Vulnerabilities fixed in postfix: 1 low
It's striking to me that even after sendmail fixed some architecture
problems with 8.12, there have been multiple remote root holes
discovered, while the better-architected postfix and qmail have never had
any remote root holes discovered in that same amount of time -- or ever,
to my knowledge.
Vulnerabilities fixed in exim: 3 moderate
Meanwhile, exim gets by with an architecture similar to sendmail's, but
starts with better code, and the results seem to show the compromise.
Also Gentoo.
Also Fedora Core 4 and 5.
Also Debian.
Also Fedora Legacy.
also ALT Linux, but...
...by default it comes with Postfix and Exim is also in the repository.
So why use Sendmail?
Because it can do anything. I've used multiple MTAs; none has the
flexibility of Sendmail.
Anything but security is nice indeed.
Nice troll, but Sendmail has been quite secure for some time now. Maybe 10 years ago it was a mess of security holes but the Sendmail folks have learned their lesson. Sendmail is very secure. Everything has a hole appear every once in a while. Postfix is not an SMTP panacea.
Security in Sendmail vs. Postfix (or qmail or probably exim)
Two words: remote root.
The Linux kernel has had remote root bugs too. Should we all abandon it in favor of something else?
Possibly.
Maybe 10 years ago it was a mess of security holes but the Sendmail folks have learned their lesson.
What can you do with sendmail what other MTAs can't? Knowing the things you can do with exim, I'm seriously wondering what else you might want to do with an MTA.
Remote server management. ;-)
Milter. It's Sendmail's killer feature, in my opinion.
Wow, sendmail can fertilize fish eggs? That _is_ uncommon for an MTA!
IMO exim has MORE flexibility than sendmail, due to its superior database lookup abilities... with less of the security problems than sendmail.
In order to support things like Spam filtering packages and virus
scanners, Exim got new versions.
This seems analogous to saying that Windows is superior because new ATi cards work with it immediately upon release.
FWIW, for all Red Hat Enterprise Linux (so from 20020517 to date) this is the first sendmail vulnerability needing to be fixed....
Vulnerabilities fixed in postfix: 1 low
Vulnerabilities fixed in exim: 3 moderate
I agree that there aren't many vulnerabilities in any MTAs these days.
But it only takes one remote root to ruin your week.
Not many, but look at severity