Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

From:  Theo de Raadt <deraadt-AT-cvs.openbsd.org>
To:  Gadi Evron <ge-AT-linuxbox.org>
Subject:  Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Date:  Thu, 23 Mar 2006 19:52:12 -0700
Cc:  full-disclosure-AT-lists.grok.org.uk, bugtraq-AT-securityfocus.com

> Sendmail is, as we know, the most used daemon for SMTP in the world. This
> is an International Infrastructure vulnerability and should have been
> treated that way. It wasn't. It was handled not only poorly, but
> irresponsibly.

You would probably expect me to be the last person to say that Sendmail
is perfectly within their rights.  I have had a lot of problems with
what they are doing.

But what did you pay for Sendmail?  Was it a dollar, or was it more?  Let
me guess.  It was much less than a dollar.  I bet you paid nothing.

So does anyone owe you anything, let alone a particular process which
you demand with such length?

Now, the same holds true with OpenSSH.  I'll tell you what.  If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
no one has ever paid a cent for its development they have nothing they
can say about it.

Dear non-paying user -- please remember your place.

Or run something else.

OK?

Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence.  Then you can pay for it,
and then you can complain too.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: SendGate: Sendmail Multiple Vulnerabilities

Posted Jun 21, 2006 19:41 UTC (Wed) by arcticwolf (guest, #8341)

> and quite frankly since no one has ever paid a cent for its development they have nothing they can say about it.

Hmm, I must've dreamt the donations I made to the OpenBSD project in the past, then. Good to know I didn't actually waste money on people who refuse to fully disclose security issues in their code.

Sarcasm aside, though, if Theo or any of the other OpenBSD developers want money from me again, they should maybe rethink their position. Not that my contributions matter much, but I'm sure I'm not the only one who feels this way; there are many worthy projects to support, and most of them don't treat their users like idiots and tell them to remember "their place".

Feel free to keep the money I already sent, though.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds