weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/11/88)
In article <27203@tut.cis.ohio-state.edu>, karl@triceratops (Karl Kleinpaste) writes:
>I submit as an example, yet again, the recent discovery of a security
>hole in ftpd.

I've not seen anyone post an explicit description of the FTPD bug, for what I suspect is the following scenario: Those sysadmins who run anon FTP installed the fix, but a goodly number of others didn't. Which could be serious when such a site decides to run anon FTP later on.

In contrast, the SENDMAIL bug has been described exactly, because I think the general feeling is that no one left this unpatched--which just might be true on the ARPANET, but is probably false elsewhere. And the FTPD bug is much more serious.

So I simply don't have the same confidence that you do when you write:

>The system works when given a decent chance to try to work.

It hasn't worked if those sysadmins not directly affected don't realize that they have to act as if they were so affected. Did everyone patch their news software when the white-space-in-message-IDs bug was discovered? Or mostly just those hit by it? Will we find out the hard way when line noise hits a sendsys? Ugh.

And besides, why was the SENDMAIL bug left open for so long?

You all have heard the current FTPD bug fix started with RTM himself acting responsibly? Ironic, no? Not that I know what it means....

ucbvax!garnet!weemba Matthew P Wiener/Brahms Gang/Berkeley CA 94720