OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Is postfix vulnerable to the Linux setcap bug?
From: Robert R. Wal (rrwreptile.eu.org)
Date: Fri Jun 09 2000 - 13:48:07 CDT

On 00.06.09 Brad Knowles pressed the following keys:

> > Trying to "fix" it by checking for this bug in all setuid
> > programs under the sun is simply stupid.
>
> To have to do so is stupid, I will agree with that statement.
> However, Eric has historically been blamed for security problems that
> occurred with other programs or other parts of the system, regardless
> of whether sendmail was actually responsible or not.

My $.02.

Fact that for once the system is to blame for the hole exploitable through
sendmail doesn't prove that Eric was right blaming everybody but him for
previous bugs in sendmail.

Sendmail was at least once responsible for totally stealth DoS attack
resulting from not implementing proper workaround for _documented_
difference in accept() on Linux systems that was there for years (before
2.2). Eric, with his usual it-wasn't-me face told that it's Linux's fault,
that sendmail doesn't respect documented behaviour of syscall on one of
supported systems.

Robert

PS. Sorry for huge offtopic and if anyone feels the urge to respond, please
do it by personal mail, not on the list. 

-- 
       Bastard Operator From 149.156.96.35 -- Robert R. Wal
WY WSZYSCY JESTEŚCIE PO**NI! WAS NIE MOŻNA SĄDZIĆ! WAS TRZA LECZYĆ!