Quoting SM <[EMAIL PROTECTED]>:

> At 14:42 17-04-2008, Eric Rostetter wrote:
>> I don't know the history of this exploit, etc.
>
> Do you know which version of sendmail can be used with the
> milter? If the exploit is prior to that, then the fix may not be applicable.

I never argued otherwise. And no, as I've said, I don't know the history, so no I don't know the versions involved. And yes, I've used poor wording twice now.

For all I know, from what _little_ I know, the problem is in the popen() call in the milter, and not in the sendmail at the other end at all. How would I know? I have not, and probably will not, take the time to investigate this.

For the record: I don't agree with the solution either. But I certainly don't agree that they should have done nothing! Don't paint me as a supporter for the way it was done. I'd have done it differently. But I sure wouldn't leave it exploitable just because I was afraid of "forcing policy" on someone. (Yes, I would have documented it, but I wouldn't have just ignored the problem...)

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!