[3348] in WWW Security List Archive
Re: www web security !
daemon@ATHENA.MIT.EDU (hallam@ai.mit.edu)
Wed Oct 23 18:02:20 1996
From: hallam@ai.mit.edu
To: alexf@iss.net, www-security@ns2.rutgers.edu
Cc: hallam@ai.mit.edu
In-Reply-To: Your message of "Tue, 22 Oct 96 12:15:59 EDT."
<01BBC012.C9F45D40@alexf.iss.net>
Date: Wed, 23 Oct 96 15:37:19 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
>Re: Sendmail. The latest, 8.8, is vulnerable. The vulnerability was
>posted to bugtraq and BoS on the 17th. I believe that we are working on
>adding this test to our latest version of the Intranet Scanner software (I
>don't know off-hand when you will be able to download a version that will
>include this check, though. Check the web site periodically).
Re sendmail, just do not use this piece of incompetent software. If
you must have a mailer on the machine at all run one that was
written by someone who is marginally competent.
I'm not a great fan of automatically upgrading software, particularly
sendmail where product announcements tend to be followed soon
after by CERT bulletins. On the machines where I must run it I
tend to trust certain vendors to have patched the holes competently
more than I trust Eric. On the other hand there are vendors such
as Sun who have shipped machines with buggy versions of sendmail
for years after the discovery of the problem.
Phill