On Wed, 2006-04-12 at 14:38, Mike Stankovic wrote:
> --- Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
>
> > On Wed, 2006-04-12 at 12:29, Mike Stankovic wrote:
> >
> > > The recent sendmail security update allows a remote root exploit !!
> >
> > *If* sendmail is running as root and you can time your exploit to hit
> > while it is executing a setjmp() instruction, which sounds kind of
> > theoretical to me. But your point about staying current with updates
> > is absolutely correct.
>
> From February 15th 2005 through February 14th 2006 the list at
> http://www.redhat.com/magazine/017mar06/features/riskreport/
> outlines them in greater detail. (Note there have been other risks
> since February 15th 2006.)

Yes, I've just seen other comments about the sendmail update that implied
that it was part of a long/continuing history of security problems, when in
fact catching such a theoretical problem shows that current sendmail is
probably one of the best-audited programs around. As that link points out,
it isn't anywhere close to the top of the list of programs with recent
security problems.

Anyway, if you are fairly up to date your biggest risk now is probably
password guessing in ssh. It - or pam - should really have some kind of
built-in rate limiting and IP blacklisting.

--
Les Mikesell
lesmikesell@xxxxxxxxx
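The rate-limiting and blacklisting idea raised at the end of the message can be checked against real sshd logs without touching sshd or pam at all. The script below is an added example, not code from this thread or from any of the people in it: it parses classic syslog-style "Failed password" lines from sshd (the only format it assumes), applies a per-source-IP sliding window, and reports addresses whose failure count reaches a threshold inside that window. The log lines, the year (syslog lines carry none), the threshold of 5 and the 10-minute window are all constructed assumptions for the demonstration; the addresses are from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in classic syslog format (no year in the
# timestamp; the parser assumes 2006). One fast burst from 192.0.2.10, one
# failed-then-successful login from 198.51.100.7, and a slow drip of one
# attempt every ten minutes from 203.0.113.5.
SAMPLE_LOG = """\
Apr 12 14:38:01 mail sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Apr 12 14:38:03 mail sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Apr 12 14:38:05 mail sshd[2105]: Failed password for root from 192.0.2.10 port 51238 ssh2
Apr 12 14:38:07 mail sshd[2107]: Failed password for root from 192.0.2.10 port 51240 ssh2
Apr 12 14:38:09 mail sshd[2109]: Failed password for invalid user oracle from 192.0.2.10 port 51242 ssh2
Apr 12 14:40:00 mail sshd[2111]: Failed password for les from 198.51.100.7 port 40001 ssh2
Apr 12 14:40:30 mail sshd[2113]: Accepted password for les from 198.51.100.7 port 40002 ssh2
Apr 12 15:10:00 mail sshd[2115]: Failed password for root from 203.0.113.5 port 60000 ssh2
Apr 12 15:20:00 mail sshd[2117]: Failed password for root from 203.0.113.5 port 60001 ssh2
Apr 12 15:30:00 mail sshd[2119]: Failed password for root from 203.0.113.5 port 60002 ssh2
Apr 12 15:40:00 mail sshd[2121]: Failed password for root from 203.0.113.5 port 60003 ssh2
Apr 12 15:50:00 mail sshd[2123]: Failed password for root from 203.0.113.5 port 60004 ssh2
"""

# Matches the "Failed password" line sshd writes for both valid and
# "invalid user" attempts; everything else (Accepted, disconnects) is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Return a time-sorted list of (timestamp, ip, user) for each failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    events.sort()
    return events


def find_brute_force(events, threshold=5, window_seconds=600):
    """Sliding-window rate check per source IP.

    Keeps, for every IP, only the failure timestamps that fall inside the last
    window_seconds. The first time that count reaches threshold the IP is
    recorded together with the timestamp at which it crossed the line, which
    is the moment a blacklisting rule would have fired.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in events:
        q = recent[ip]
        q.append(ts)
        # expire failures that are older than the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for ip, when in find_brute_force(events).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

With the default 10-minute window only the fast burst from 192.0.2.10 is reported; the slow drip from 203.0.113.5 never has five failures inside any 10-minute span and goes unnoticed. Widening the window to an hour catches it too, which is the usual trade-off with this kind of rule: a short window reacts quickly to noisy guessing, a long one is needed for patient guessing, and either way a rule keyed on source IP says nothing about guesses spread across many addresses.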