Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-26 Thread Randal T. Rioux

Gadi Evron wrote:
> snip.cut.hack
> of security attitude I wonder why anybody believes OpenBSD is the most
> secure OS around.

No - that would be OpenVMS duck!  :-)

At least until HP kills it.

Randy. still wondering what is 'open' about VMS


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Todd Burroughs

On Fri, 24 Mar 2006, Gadi Evron wrote:
> On Thu, 23 Mar 2006, Claus Assmann wrote:
>>> It took Sendmail a mounth to fix this. A mounth.
>>
>> No. It took sendmail a week to fix this.  The rest of the time was
>> used to coordinate the release with all the involved vendors etc.
>
> There are a few choices, full disclosure and responsible disclosure are
> some. You can't do both. Releasing it out of nowhere, obfuscated in very
> ineffective way, isn't it.
>
> Not when it's critical infrastructure. With critical internet
> infrastructure you need to be a tad bit smarter than that.


How would you suggest that they release this?

I think that they did it in a pretty responsible way.  They were
notified of the problem, they fixed it and gave vendors who use/ship
the product some time to create and test patches, then it became public.
This was done in a month, any longer and I would think that they would be
putting us at risk, but I think that this is a very reasonable response.
0Day full-disclosure with a 'sploit would have been more trouble for me
;-)  (I'm probably not alone with that).

Todd



[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Casper . Dik

> So you are basically saying open source free software can't be trusted to
> hold high standards or be reliable or secure if I don't pay for it?

No, he is saying that *their* high standards are not necessarily *your*
high standards.  And that *they* get to define the rules with which they
publish their advisories; many people are fine with the way they do
it so why should they listen to *you*?

Casper



[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Andrew A
This is a pretty hilarious thread. Gadi Evron, Theo de Raadt, Ryan Russell and Eric Allman... if someone appended walk into a bar this could be a hilarious joke. Not that it already isn't. That the likes of Theo and Allman got trolled by Gadi seriously lowers my opinion of them.
I find it especially hilarious to see Ryan criticizing Theo. Hey BlueBoar, how has life been since we got you fired from SecurityFocus?

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread KF (lists)

Andrew A wrote:
> Hey BlueBoar, how has life been since we got you fired from
> SecurityFocus?

How about yours since you stopped beating your wife?

-KF




Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread str0ke
On 3/25/06, KF (lists) [EMAIL PROTECTED] wrote:
> Andrew A wrote:
>> Hey BlueBoar, how has life been since we got you fired from
>> SecurityFocus?
>
> How about yours since you stopped beating your wife?
>
> -KF

OMFG Ouch.

/str0ke



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Andrew A
I never stopped. All whores are in need of punishment, and all women are whores.

On 3/25/06, KF (lists) [EMAIL PROTECTED] wrote:
> Andrew A wrote:
>> Hey BlueBoar, how has life been since we got you fired from
>> SecurityFocus?
>
> How about yours since you stopped beating your wife?
>
> -KF

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Stan Bubrouski
On 3/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Posting a private email to a mailing list is pretty slimeball Ryan.
> Funny you would do such a thing when you lost your bullshit job at
> Security Focus over getting owned.

Sadly more and more people are posting off-list messages back to the
list to get themselves more attention (n3td3v).

-sb



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Blue Boar

Stan Bubrouski wrote:
> On 3/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Posting a private email to a mailing list is pretty slimeball Ryan.
>> Funny you would do such a thing when you lost your bullshit job at
>> Security Focus over getting owned.
>
> Sadly more and more people are posting off-list messages back to the
> list to get themselves more attention (n3td3v).


Except that I didn't.

BB



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread Stan Bubrouski
On 3/25/06, Blue Boar [EMAIL PROTECTED] wrote:
> Stan Bubrouski wrote:
>> On 3/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> Posting a private email to a mailing list is pretty slimeball Ryan.
>>> Funny you would do such a thing when you lost your bullshit job at
>>> Security Focus over getting owned.
>>
>> Sadly more and more people are posting off-list messages back to the
>> list to get themselves more attention (n3td3v).
>
> Except that I didn't.
>
> BB


Hehe I wasn't implying you did, those were actually the CC's on the
message I was replying to.  Sorry.

-sb



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread 0x80
Oh here we go.

My life is better now that I get to bone KF's mom.



On Sat, 25 Mar 2006 05:22:35 -0800 KF (lists) [EMAIL PROTECTED] wrote:
> Andrew A wrote:
>> Hey BlueBoar, how has life been since we got you fired from
>> SecurityFocus?
>
> How about yours since you stopped beating your wife?
>
> -KF




Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread 0x80
Yeah but you do like to choke on fat cocks.

Perhaps it's time for a new mail spool to be posted.

On Sat, 25 Mar 2006 09:33:22 -0800 Blue Boar [EMAIL PROTECTED] wrote:
> Stan Bubrouski wrote:
>> On 3/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> Posting a private email to a mailing list is pretty slimeball Ryan.
>>> Funny you would do such a thing when you lost your bullshit job at
>>> Security Focus over getting owned.
>>
>> Sadly more and more people are posting off-list messages back to the
>> list to get themselves more attention (n3td3v).
>
> Except that I didn't.
>
> BB



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread KF (lists)

[EMAIL PROTECTED] wrote:
> Oh here we go.
>
> My life is better now that I get to bone KF's mom.

Schweet! I always wanted a little brother!

0x80 is my step daddy. wh00t!
-KF



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-25 Thread 0x80
I only wish I was your daddy so I could slap the shit out of you 
like you obviously deserve and never got enough of as a child.

On Sat, 25 Mar 2006 19:34:20 -0800 KF (lists) [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> Oh here we go.
>>
>> My life is better now that I get to bone KF's mom.
>
> Schweet! I always wanted a little brother!
>
> 0x80 is my step daddy. wh00t!
> -KF



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread 0x80
> Sendmail vulnerabilities were released yesterday. No real public
> announcements to speak of to the security community.

Do you live under a rock? There were a lot of public announcements
about this.

> To begin with, anyone noticed the memory leak they (Sendmail)
> silently patched?
> I wonder how many other unreported silently-patched vulnerabilities
> are out there?

Yes.  There was a presentation at Blackhat Europe about this.  It
happens all the time.  Vendors do not practice responsible
disclosure but they expect you to.

> Sendmail is, as we know, the most used daemon for SMTP in the world.
> This is an International Infrastructure vulnerability and should
> have been treated that way. It wasn't. It was handled not only
> poorly, but irresponsibly.

So in one sentence you say that the ISS bug is only a DoS and now
you are crying that a bug is being handled irresponsibly?  Don't
you have already talked to death DNS attacks to sound the alarm
about?

> They say it's a remote code execution. They say it's a race
> condition. No real data available to speak of. I can't see how it's
> remotely exploitable, but well, no details, remember? From what we
> can see it seems like a DoS.

So if in the best of your abilities this is only a DoS --- why cry
over so-called irresponsible disclosure of a bug?  Oh wait, the
minor memory leak that you think you found is the issue.

> What they did behind the smoke-screen is replace a lot of setjmp()
> and longjmp() functions (not very secure ones at that) with goto's
> (interesting choice).

So what would you have done?  What smoke-screen are you talking
about?

> The int overflow is possibly exploitable, not very sure about the
> jumps. No idea why ISS says the Race Condition is, would love
> insight.

You got that right.  We would all love you to get some insight.

> One could say ISS and Sendmail did good, obscuring the information
> so that the vulnerability-to-exploit time will be longer. That
> proved wrong, useless and pointless. They failed.

Obviously.  I mean if *you* couldn't figure out how to exploit the
ISS issue then they must have failed.  Or wait, you couldn't figure
it out so perhaps they failed but are still smarter than you.

> After looking at the available data for 30 minutes (more or less),
> we know exactly what the vulnerabilities are. Exploiting them may

So after 30 minutes you were wrong about an issue.  Tell me again
how smart you are.

Not to mention the silently patched memory leak.

Alert the press.  DNS can be attacked AND there is a memory leak
in Sendmail.

> both ISS and Sendmail should look good and hard at the coming
> massive exploitation of Sendmail servers.

Nah the 1337 h4x0rs will be too busy going after DNS right?

> With issues relating to the Internet Infrastructure I'd be willing
> to go even with the evil of non-disclosure, as long as something
> gets done and then reported publicly when it finally scaled down
> in a roll-back after a couple of years.

Yeah, that will work.  Because, no offense Mark Dowd, no one else
could have found the problem.  Well at least we know that the world
is safe from you.

> If not, and you are going to make it public, make the effort and fix
> it as soon as you can, and give information to help the process of
> healing. Don't do it a mounth late and obscure data.

So if you find a bug, it should be fixed and released on the same
day you find it.  Yeah right.

> It took Sendmail a mounth to fix this. A mounth.

A whole month?  The horror!  Babies will die and our women will be
raped if vendors continue to take an entire month to address as
many issues as were addressed in the Sendmail patch.

> A mounth!

Mounth?  So first you say no details should have been released for
at least 2 years and now you are crying because it took a month to
come up with a patch.  Do you even read the shit that seems to flow
from your brain to your keyboard?

> With such Vendor Responsibility, perhaps it is indeed a Good Thing
> to go Full Disclosure. It seems like history is repeating itself and
> Full Disclosure is once again not only a choice, but necessary to
> make vendors become responsible.

WTF are you talking about?  The bug has been disclosed.  The patch
released.  Why are you complaining?  How was Sendmail irresponsible
by fixing an issue and releasing a patch?  I think you have lost
your meds.

> I wish we could somehow avoid all the guys who will inevitably shout
> in the press end of the world. The Internet is, was and will stay

Except for you right?  Answer your phone.  It's the kettle calling.
Speaking of pot, perhaps you should smoke less before sending emails
to lists.  Have you not shouted about DNS?  Have you not shouted in
this tripe-filled email about how irresponsible Sendmail and ISS
are because the issue is so dangerous and that Sendmail and ISS
should watch the mass exploitation that their evil ways will cause?

One could hope that someone will take 

[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Eric Allman

I have to comment on these allegations by Gadi Evron.


> Tech details:
> Sendmail vulnerabilities were released yesterday. No real public
> announcements to speak of to the security community.


Sendmail, CERT, and ISS Advisories went out.  That's not a real 
public announcement?



> SecuriTeam released some data:
> Improper timeout calculation, usage of memory jumps and integer
> overflows allow attackers to perform a race condition DoS on
> sendmail, and may also execute arbitrary code.
> More here: http://www.securiteam.com/unixfocus/5RP0L0UI0S.html
>
> ISS only reported the Race Condition (DoS?). The Sendmail Advisory
> reported the Race Condition DoS, the Memory Jumps and a
> theoretical Integer Overflow.
>
> To begin with, anyone noticed the memory leak they (Sendmail)
> silently patched?
> I wonder how many other unreported silently-patched
> vulnerabilities are out there?


There was no memory leak.  Look at the code referred to by SecuriTeam 
(see http://www.securiteam.com/unixfocus/5SP0M0UI0G.html):


    /* clean up buf after it has been expanded with args */
    newstring = str2prt(buf);
    if ((strlen(newstring) + idlen + 1) < SYSLOG_BUFSIZE)
    {
        ...
        if (buf == buf0)
            buf = NULL;   <- Memory leak
        errno = save_errno;
        return;
    }

The part they conveniently left out is that buf0 is a local variable. 
If buf == buf0 then you don't need to free it --- freeing it would, 
in fact, be a bug.  This should be obvious to anyone looking at the 
code.



> Second, the Integer Overflow is practical, not theoretical.


It is theoretical because the routines in question (rewrite() and 
rscheck()) are part of the rewriting engine, which always takes a 
fixed size buffer as input.  There just isn't a way for the overflow 
to ever occur.  We fixed it because it was the right thing to do.



> ISS reported the Race Condition last mounth. There is NO data
> available on when the other vulnerabilities were discovered. Any
> guesses?


The memory jumps are part of the race condition, not a separate 
problem.  The integer overflow problem came to our attention shortly 
thereafter.



> They also patched many non-security related bugs, added checks and
> more informative error messages, etc.


In 8.13.6?  Are you suggesting that it is irresponsible of us to 
continue to develop code?  If you want just the security patch, apply 
the security patch, which we made available at the same time.



> Sendmail is, as we know, the most used daemon for SMTP in the
> world. This is an International Infrastructure vulnerability and
> should have been treated that way. It wasn't. It was handled not
> only poorly, but irresponsibly.
>
> Here's what ISS releasing the Race Condition vulnerability has to
> say: http://xforce.iss.net/xforce/alerts/id/216
> They say it's a remote code execution. They say it's a race
> condition. No real data available to speak of. I can't see how it's
> remotely exploitable, but well, no details, remember? From what we
> can see it seems like a DoS.


To be blunt, we don't understand much more about it than all of you 
do.  It is an extremely subtle problem that involves making an alarm 
signal occur in a very small section of code as the result of a 
multi-minute timeout.  The signal causes a longjmp that can leave a 
piece of code in an inconsistent state.  ISS explained it to us and 
told us that they had managed to craft an exploit in their lab, but 
frankly we don't see how it can be practical.  This literally 
requires nanosecond precision in the millisecond world of networking.



> Bottom line
> ---
> What they did behind the smoke-screen is replace a lot of setjmp()
> and longjmp() functions (not very secure ones at that) with goto's
> (interesting choice).


There's a big difference between a synchronous goto in a single 
context versus an asynchronous longjmp() between contexts.



> They changed the logic of the code, replaced everything that
> calculated timeout. Anything that calculated something and returned
> a value now returns a boolean result, when previously they just
> returned void. They used to look at the content rather than success.


When we got rid of the longjmp() we had to propagate I/O errors the 
hard way --- as return values.  This involved adding a lot of 
checking.  Painful, but necessary.



> The int overflow is possibly exploitable, not very sure about the
> jumps. No idea why ISS says the Race Condition is, would love
> insight.


I've already commented on this.


> Public announcement
> ---
> FreeBSD were the only ones who released a public announcement of a
> patch and emailed it to bugtraq so far.


Talk to the vendors.  I've seen quite a few of their advisories come 
by.



> The patches
> ---
> The FreeBSD patch much like the sendmail.org patch is very long,
> complicated and obscure. The release was made along with a ton of
> other patches for FreeBSD. Go figure what's in there.


FreeBSD updated to 8.13.6 rather than using 8.13.5+patches.  This is 
what we are recommending for everyone.



Sendmail.com's patch is so big they may as well 
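
An added example (my own code, not sendmail's and not from the page) of the stack-buffer-with-heap-fallback idiom behind the quoted sm_syslog fragment: buf0 is automatic storage, so the cleanup only ever frees a heap copy. The names format_log_line, fmt_result and LOGBUF0_SIZE are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGBUF0_SIZE 32   /* deliberately small so the heap path is easy to reach */

/* What one call did, exposed so the behaviour can be checked. */
struct fmt_result {
    size_t len;       /* length of the formatted message, 0 on failure */
    int used_heap;    /* 1 if the message outgrew the stack buffer */
};

/* Format a log message into `out`. A small automatic buffer (buf0)
 * serves the common case; only a message that does not fit gets a
 * heap allocation, and only that allocation is ever freed. */
struct fmt_result format_log_line(char *out, size_t outlen, const char *fmt, ...)
{
    char buf0[LOGBUF0_SIZE];
    char *buf = buf0;
    struct fmt_result r = { 0, 0 };
    va_list ap;

    va_start(ap, fmt);
    int n = vsnprintf(buf0, sizeof buf0, fmt, ap);
    va_end(ap);
    if (n < 0)
        return r;                         /* encoding error: nothing to free */

    if ((size_t)n >= sizeof buf0) {
        /* Truncated: allocate exactly enough and format again. */
        buf = malloc((size_t)n + 1);
        if (buf == NULL)
            return r;
        va_start(ap, fmt);
        vsnprintf(buf, (size_t)n + 1, fmt, ap);
        va_end(ap);
        r.used_heap = 1;
    }
    r.len = (size_t)n;
    snprintf(out, outlen, "%s", buf);

    /* The cleanup the quoted fragment shows: buf0 is automatic storage,
     * so when buf still points at it there is nothing to release, and
     * free()ing it would be the real bug. free(NULL) is a no-op, so a
     * single free() is correct on both paths. */
    if (buf == buf0)
        buf = NULL;
    free(buf);
    return r;
}
```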
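
An added example, not sendmail's code, of the discipline Allman describes above: a timeout that is reported through return values the caller propagates, instead of a SIGALRM handler longjmp()ing out of blocked I/O. poll() carries the deadline, so no signal handler is involved at all; read_with_timeout, read_greeting, run_demo and the SMTP banner are constructed for this demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Every outcome of an I/O step is a value the caller must inspect.
 * Nothing here longjmp()s out of a half-finished operation, so no
 * caller is ever left holding inconsistent state. */
enum io_status { IO_OK = 0, IO_EOF = -1, IO_TIMEOUT = -2, IO_ERROR = -3 };

/* Wait until fd is readable or the deadline passes, then read once.
 * Returns bytes read (> 0) or an io_status value. poll() carries the
 * timeout, so there is no SIGALRM handler to interrupt arbitrary code.
 * (After an EINTR the full timeout restarts; a strict deadline would
 * recompute the remaining time before retrying.) */
ssize_t read_with_timeout(int fd, char *buf, size_t len, int timeout_ms)
{
    struct pollfd pfd;
    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    for (;;) {
        int ready = poll(&pfd, 1, timeout_ms);
        if (ready == 0)
            return IO_TIMEOUT;            /* deadline expired, nothing read */
        if (ready < 0 && errno == EINTR)
            continue;                     /* unrelated signal: wait again */
        if (ready < 0)
            return IO_ERROR;
        break;
    }
    ssize_t n = read(fd, buf, len);
    if (n < 0)
        return IO_ERROR;
    if (n == 0)
        return IO_EOF;
    return n;
}

/* Caller side: the status is passed upward unchanged and the output
 * buffer is only completed on the success path. */
int read_greeting(int fd, char *out, size_t outlen, int timeout_ms)
{
    ssize_t n = read_with_timeout(fd, out, outlen - 1, timeout_ms);
    if (n < 0)
        return (int)n;                    /* IO_EOF, IO_TIMEOUT or IO_ERROR */
    out[n] = '\0';
    return IO_OK;
}

/* Demo harness: a pipe that either carries a constructed SMTP banner
 * (with_data = 1) or stays silent so the read has to time out. */
int run_demo(int with_data, char *out, size_t outlen)
{
    const char *banner = "220 mail.example.test ESMTP\r\n";   /* constructed */
    int fds[2];
    if (pipe(fds) != 0)
        return IO_ERROR;
    int rc = IO_OK;
    if (with_data && write(fds[1], banner, strlen(banner)) < 0)
        rc = IO_ERROR;
    if (rc == IO_OK)
        rc = read_greeting(fds[0], out, outlen, 200);   /* 200 ms deadline */
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    char line[128];
    int rc = run_demo(1, line, sizeof line);
    printf("with data: rc=%d banner=%s", rc, rc == IO_OK ? line : "-\n");
    rc = run_demo(0, line, sizeof line);
    printf("no data:   rc=%d (%s)\n", rc, rc == IO_TIMEOUT ? "timeout" : "other");
    return 0;
}
```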

Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Theo de Raadt
> Sucks to be held accountable, even when you give stuff away for free,
> doesn't it?

We hold ourselves very accountable.  Every day we try to make code
better.  How's that for accountability, (who are you again?)

That does not make it right for our user community to attack
developers for their freely given efforts.  People who get attacked
might stop trying to improve the code.

You could run other software, you know.



[Full-disclosure] RE: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Andrew Florjancic
Finally PEOPLE speak the TRUTH Well said!! 

-Original Message-
From: Theo de Raadt [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 23, 2006 9:52 PM
To: Gadi Evron
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition
DoS, Memory Jumps, Integer Overflow) 

> Sendmail is, as we know, the most used daemon for SMTP in the world.
> This is an International Infrastructure vulnerability and should have
> been treated that way. It wasn't. It was handled not only poorly, but
> irresponsibly.

You would probably expect me to be the last person to say that Sendmail
is perfectly within their rights.  I have had a lot of problems with
what they are doing.

But what did you pay for Sendmail?  Was it a dollar, or was it more?
Let me guess.  It was much less than a dollar.  I bet you paid nothing.

So does anyone owe you anything, let alone a particular process which
you demand with such length?

Now, the same holds true with OpenSSH.  I'll tell you what.  If there is
ever a security problem (again :) in OpenSSH we will disclose it exactly
like we want, and in no other way, and quite frankly since no one has
ever paid a cent for its development they have nothing they can say
about it.

Dear non-paying user -- please remember your place.

Or run something else.

OK?

Luckily within a few months you will be able to tell Sendmail how to
disclose their bugs because their next version is going to come out with
a much more commercial licence.  Then you can pay for it, and then you
can complain too.



[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Gadi Evron
On Thu, 23 Mar 2006, Theo de Raadt wrote:
>> Sendmail is, as we know, the most used daemon for SMTP in the world. This
>> is an International Infrastructure vulnerability and should have been
>> treated that way. It wasn't. It was handled not only poorly, but
>> irresponsibly.
>
> You would probably expect me to be the last person to say that Sendmail
> is perfectly within their rights.  I have had a lot of problems with
> what they are doing.
>
> But what did you pay for Sendmail?  Was it a dollar, or was it more?  Let
> me guess.  It was much less than a dollar.  I bet you paid nothing.
>
> So does anyone owe you anything, let alone a particular process which
> you demand with such length?

So you are basically saying open source free software can't be trusted to
hold high standards or be reliable or secure if I don't pay for it?

> Now, the same holds true with OpenSSH.  I'll tell you what.  If there
> is ever a security problem (again :) in OpenSSH we will disclose it
> exactly like we want, and in no other way, and quite frankly since
> no one has ever paid a cent for its development they have nothing they
> can say about it.
>
> Dear non-paying user -- please remember your place.
>
> Or run something else.
>
> OK?
>
> Luckily within a few months you will be able to tell Sendmail how
> to disclose their bugs because their next version is going to come
> out with a much more commercial licence.  Then you can pay for it,
> and then you can complain too.



[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Gadi Evron
On Thu, 23 Mar 2006, Eric Allman wrote:

snip mostly relevant good replies by Mr. Allman

> Talk to the vendors.  I've seen quite a few of their advisories come
> by.

After or before it hit the news? You may be able to alert vendors, but
the problem with critical infrastructure is that it is widely deployed around
the world. Releasing the way you did is irresponsible.

You can do non-disclosure for a while or full disclosure, you can't do
both.

>> Commentary

== personal opinion

> Yes, that's true.  If it's exploitable and people don't update, then
> those people who choose to ignore the problem will be vulnerable.
> You could say that about every vulnerability that has ever existed.

Indeed. And yet blaming the user is not how you solve the problem, is it?
The Internet being insecure is a given; do you blame the Internet for
telnet not being secure, or do you create SSH?

How long before enough Sendmail servers globally are patched?

>> A mounth!
>
> Are you suggesting that it would have been better for us to have
> released the problem without giving vendors any time at all to get it
> integrated?  I think that would be seriously irresponsible.

I agree, my point is that if you release, do it as soon as you can as you
ARE critical infrastructure. If you want to let vendors get something
done, wait a whole lot longer than a month.

Gadi.



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Tim
> So you are basically saying open source free software can't be trusted to
> hold high standards or be reliable or secure if I don't pay for it?

I don't think his argument had anything to do with open source.  He was
talking about payment, or lack thereof.  You can give away binaries for
free as well.

And I'm not implying that the rest of your conclusions about his
statement are accurate, either.  Just had to point out that one flaw.

tim



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Blue Boar

[EMAIL PROTECTED] wrote:
> Posting a private email to a mailing list is pretty slimeball Ryan.


And what private email was that?  Or did you just assume that because 
you didn't see Theo's reply before mine that it went just to me?  I 
believe you'll find that it has been posted to the list now.


BB

P.S. It's rather amusing that YOU would complain about someone posting 
private emails. :)




Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Anders B Jansson

Gadi Evron wrote:
> So you are basically saying open source free software can't be trusted to
> hold high standards or be reliable or secure if I don't pay for it?


No, he's saying:
If you know a better way why don't you do it instead of yapping about what's 
wrong.

Theo does have the chat skills of a rhinoceros in heat but he does have a point.
If his project is mis-managed you're free to fork and do it better.

So if you know better then either contribute, create something better or be 
ignored.

It's bsd, just download the source, fix the problems and release a better 
version.

That way you'd contribute, instead of just yap.
--
// hdw



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-24 Thread Gadi Evron

Theo de Raadt wrote:

After or before it hit the news? You may be able to alert vendors, but
the problem with critical infrastructure is that it is widely deployed around
the world. Releasing the way you did is irresponsible.



Taking our freely available software and creating a mono-culture is
something that the administrators did.

We don't get paid (or we don't get paid enough).


I see, so why don't you go work for commercial vendors? With that kind 
of security attitude I wonder why anybody believes OpenBSD is the most 
secure OS around.


Most arguments against open source in big organizations are that they 
have no backing, serious tech support, etc. That brought about a myriad 
of third-party companies which provide this service.


I often find open source to be a lot more responsive than many 
commercial companies, but it's still done based on good will and free 
time. That doesn't scale well in the board room.


You better quit now as you are making a horrible attempt at protecting 
open source, which I strongly believe in.


If a commercial giant * up, or an open source product does, makes no 
difference to me.
When people say: you can't comment unless you go and do on your own, 
move along. People will move along.


Sometimes I will ignore input from non-contributors, but ignoring 
input, especially of the critical type, from your users makes you not 
suitable for these users or to grow and scale as something for the 
infrastructure.




[Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Theo de Raadt
> Sendmail is, as we know, the most used daemon for SMTP in the world. This
> is an International Infrastructure vulnerability and should have been
> treated that way. It wasn't. It was handled not only poorly, but
> irresponsibly.

You would probably expect me to be the last person to say that Sendmail
is perfectly within their rights.  I have had a lot of problems with
what they are doing.

But what did you pay for Sendmail?  Was it a dollar, or was it more?  Let
me guess.  It was much less than a dollar.  I bet you paid nothing.

So does anyone owe you anything, let alone a particular process which
you demand with such length?

Now, the same holds true with OpenSSH.  I'll tell you what.  If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
no one has ever paid a cent for its development they have nothing they
can say about it.

Dear non-paying user -- please remember your place.

Or run something else.

OK?

Luckily within a few months you will be able to tell Sendmail how
to disclose their bugs because their next version is going to come
out with a much more commercial licence.  Then you can pay for it,
and then you can complain too.



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread purplebag
On 3/23/06, Theo de Raadt wrote:
>> Sendmail is, as we know, the most used daemon for SMTP in the world. This
>> is an International Infrastructure vulnerability and should have been
>> treated that way. It wasn't. It was handled not only poorly, but
>> irresponsibly.
>
> You would probably expect me to be the last person to say that Sendmail
> is perfectly within their rights.  I have had a lot of problems with
> what they are doing.

I think people expect you to be as you are.


> But what did you pay for Sendmail?  Was it a dollar, or was it more?  Let
> me guess.  It was much less than a dollar.  I bet you paid nothing.
>
> So does anyone owe you anything, let alone a particular process which
> you demand with such length?
>
> Now, the same holds true with OpenSSH.  I'll tell you what.  If there
> is ever a security problem (again :) in OpenSSH we will disclose it
> exactly like we want, and in no other way, and quite frankly since
> no one has ever paid a cent for its development they have nothing they
> can say about it.
>
> Dear non-paying user -- please remember your place.

I seem to recall that DARPA funded a good bit of your work. I also
seem to recall that I and many others funded DARPA. Kindly submit to
the will of us all.


> Or run something else.
>
> OK?

Or simply cut off funding. The game can be played both ways.


> Luckily within a few months you will be able to tell Sendmail how
> to disclose their bugs because their next version is going to come
> out with a much more commercial licence.  Then you can pay for it,
> and then you can complain too.




--
Purple Bag
Society of the Crown



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Blue Boar

Theo de Raadt wrote:

But what did you pay for Sendmail?  Was it a dollar, or was it more?  Let
me guess.  It was much less than a dollar.  I bet you paid nothing.


Hey Theo, what did you pay for all the software you started with and/or 
still use in your project?  How much did YOU pay for Sendmail?  And you 
guys essentially resell it, right?



So does anyone owe you anything, let alone a particular process which
you demand with such length?


I don't know... I seem to see a lot of criticism and demands coming from 
your direction:

http://en.wikiquote.org/wiki/Theo_de_Raadt


Now, the same holds true with OpenSSH.  I'll tell you what.  If there
is ever a security problem (again :) in OpenSSH we will disclose it
exactly like we want, and in no other way, and quite frankly since
no one has ever paid a cent for its development they have nothing they
can say about it.


Really?  No one?  You wrote it by yourself with no support of any kind?

And are you saying that you plan to slipstream your fixes?


Dear non-paying user -- please remember your place.


I seem to recall having donated some money, purchased shirts... I think 
I've got a number of OpenBSD CD sets around the house that I purchased.


Now I realize that you consider those donations, even though most 
people would consider that some degree of having paid.  But I'd be 
willing to bet that even if we worked out some contract that had the 
word "paid" in it, that you would still not confer upon me any right to 
complain.  That I would still need to remember my place.


So I think we can eliminate payment as a variable.  This simplifies your 
argument from "Don't criticize me if you haven't paid" to simply "Don't 
criticize me."


Sucks to be held accountable, even when you give stuff away for free, 
doesn't it?



Or run something else.

OK?


I don't know why they don't put you in charge of the fundraising efforts 
more often!

http://undeadly.org/cgi?action=article&sid=20060321034114

And your timing is impeccable!  Buy up!
http://undeadly.org/cgi?action=article&sid=20060323091020

My order is on its way.

BB



Re: [Full-disclosure] Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Blue Boar

Theo de Raadt wrote:

(who are you again?)


Your customer.


That does not make it right for our user community to attack
developers for their freely given efforts.  People who get attacked
might stop trying to improve the code.


Attacking commercial software developers makes them write better code; 
attacking free software developers makes them feel bad and quit.  Got it.



You could run other software, you know.


And you could write your software without bitching at the people who 
help you pay your bills.  I can't see that changing real soon either. 
But hey, you keep being you, and I'll keep buying your stuff in spite of 
your attitude, because it's good software.


I use DJB's software under the same circumstances, so I'm used to it.

BB
