
Re: [LI] root access from old sendmail boxes



On Thu, Jan 20, 2000 at 08:30:45AM +0530, Suresh Ramasubramanian wrote:
> Raju posts in detail, using the bounce command to forward bugfix reports
> from debian-announce etc etc to LI.  When rms / aleph one or whoever has
> posted the report says so, ~then~ you'll see this scramble.
> 
> When someone like poor old me stands out yelling about "security holes",
> then there's a general feeling that I'm crying wolf.
> 

Oh! I am sorry! What I wrote was 

<quote>
Honestly, I would not have believed Mr. Suresh if he said "Sendmail
8.8.4 has a bug that crackers can exploit to gain r00t.", without
giving the details.
</quote>

But what I /meant/ was

Mr. Suresh's detailed account on the Sendmail bug has enabled me to
know how that specific bug can give r00t. Thanks Suresh! 

I am not a network administrator, and hence have no need to be aware
of all possible bugs. I read FYIs posted by Raju, but do not bother to
go deeper into those. And if Suresh had not posted the details, I
would not have known those 'details', but I still would not have
searched the net for it. Simply because I have no need for Sendmail
bugs.

I have /no/ reasons to not believe Suresh; President, CAUCE India. And I
do read his posts :-)


'Believe' was not the right word. I guess I need to be more careful from
now on.


> 
> There's nothing very "inner" about it, actually.  It's publicly available
> (since the past 4 years) on sites regularly used by network security
> people.
> 

Another reason why posts with 'details' are alright.


With Apologies and Thanks.
--mvm
-- 
Manoj Victor Mathew  (GPG#: 3D96A9B9)
Cochin, India.
--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.