|| ||Theo de Raadt <deraadt-AT-cvs.openbsd.org>|
|| ||Gadi Evron <ge-AT-linuxbox.org>|
|| ||Re: SendGate: Sendmail Multiple Vulnerabilities
(Race Condition DoS, Memory Jumps, Integer Overflow)|
|| ||Thu, 23 Mar 2006 19:52:12 -0700|
|| ||full-disclosure-AT-lists.grok.org.uk, bugtraq-AT-securityfocus.com|
> Sendmail is, as we know, the most used daemon for SMTP in the world. This
> is an International Infrastructure vulnerability and should have been
> treated that way. It wasn't. It was handled not only poorly, but
You would probably expect me to the be last person to say that Sendmail
is perfectly within their rights. I have had a lot of problems with
what they are doing.
But what did you pay for Sendmail? Was it a dollar, or was it more? Let
me guess. It was much less than a dollar. I bet you paid nothing.
So does anyone owe you anything, let alone a particular process which
you demand with such length?
Now, the same holds true with OpenSSH. I'll tell you what. If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
noone has ever paid a cent for it's development they have nothing they
can say about it.
Dear non-paying user -- please remember your place.
Or run something else.
Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence. Then you can pay for it,
and then you can complain too.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
to post comments)