On Monday, 2009-08-10 at 14:35:06 +0200, Bernhard R. Link wrote:
> * Lupe Christoph <l...@lupe-christoph.de> [090810 13:53]:
> > On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:
> > > last week, there was an article on heise security about MTAs[1] which
> > > relay mails for hosts having a reverse resolution of 'localhost'. Doing
> > > a small test shows that sendmail on etch seems to be vulnerable, too. I
> > > need to have a localhost RELAY line in my access file (which is not
> > > default AFAIK).
> > >
> > > Will there be a DSA on this issue, since it seems to turn Sendmail
> > > installations with allowed localhost RELAYing into Open Relays?
> >
> > Are you saying you want a DSA for a package that does not have that
> > particular vulnerability, but allows a user to create it?
> >
> > "Doctor, it hurts when I do this!" "Don't do it, then."
>
> "Help, help my computer does funny things!" "Don't power it up, then."

That's not what I meant. Admitted, the quote is more funny than exact
(and it isn't particularly funny...).

What I mean is that a lot of software allows the user to shoot himself
in various body parts. One such example is rm. As in "rm * .o". Oooops.

More related to the OP, sendmail allows you to configure an open relay
in a number of ways, not all of them as easily identified as the
"localhost" problem. It has a built-in write-only language...

But why would the possibility to configure the package to open a relay
warrant a DSA? It would IMNSHO only when the package came preconfigured
to do that.

> Almost all security holes need the user to do something. (If only to
> power up the machine, to install some packages, to connect to the
> internet, to give accounts to users). The question cannot be that
> something has to be done to make people vulnerable, but whether properly
> sane and educated people can guess that something opens a security
> problem.

I interpret this to mean that there should be DSAs for all problems
*made possible* by Debian packages, rather than those *caused* by the
package.

Lupe Christoph
-- 
| There is no substitute for bad design except worse design.            |
| /me                                                                   |
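The thread's concern is a `localhost RELAY` line in sendmail's access file: the key is a hostname, and the thread describes sendmail matching such entries against the connecting client's reverse-resolved name, which the remote side controls through its own PTR record. The following audit script is an added example, not code from the thread or from the sendmail project. It parses the access-file layout (key, whitespace, value, optional `Connect:`/`From:`/`To:` tag) and reports RELAY grants keyed on a hostname rather than an IP address or network prefix, rating the `localhost` case highest since that is the scenario the article and the original poster tested. The sample file is constructed here; the severity labels and the assumption that every hostname-keyed RELAY entry depends on reverse DNS are the example's own.

```python
"""Audit a sendmail access file for hostname-keyed RELAY entries.

Added example (not from the thread or from sendmail). Assumption: sendmail
matches hostname keys against the client's reverse-resolved name, so a
RELAY grant keyed on 'localhost' can be satisfied by any remote host whose
PTR record resolves to 'localhost', as the thread describes.
"""
import re
import sys

# Constructed sample, laid out like /etc/mail/access. Not from the thread.
SAMPLE_ACCESS = """\
# /etc/mail/access (constructed sample)
127.0.0.1                 RELAY
localhost                 RELAY
localhost.localdomain     RELAY
Connect:192.168.10        RELAY
Connect:mail.example.net  RELAY
spammer.example           REJECT
From:friend@example.org   OK
"""

TAGS = ("Connect:", "From:", "To:")
# IPv4 address or dotted network prefix (e.g. 127.0.0.1 or 192.168), or IPv6:
_ADDR_RE = re.compile(r"^[0-9.]+$|^IPv6:[0-9A-Fa-f:]+$")


def parse_access(text):
    """Yield (tag, key, value) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no value column
        key, value = parts
        tag = ""
        for t in TAGS:
            if key.startswith(t):
                tag, key = t, key[len(t):]
                break
        yield tag, key, value.strip()


def is_address_key(key):
    """True when the key is an address or network prefix, which sendmail
    compares with the client's IP rather than its resolved hostname."""
    return bool(_ADDR_RE.match(key))


def audit_access(text):
    """Return a list of (key, severity, reason) for hostname-keyed RELAY
    grants. IP-keyed grants and From:/To: entries are not reported."""
    findings = []
    for tag, key, value in parse_access(text):
        if tag in ("From:", "To:"):
            continue  # sender/recipient rules, not client-identity rules
        if not value.upper().startswith("RELAY"):
            continue
        if is_address_key(key):
            continue  # cannot be influenced by a remote host's PTR record
        name = key.lower()
        if name in ("localhost", "localhost.localdomain") or name.endswith(".localhost"):
            findings.append((key, "high",
                             "relay grant keyed on a name any remote host can "
                             "present via reverse DNS; prefer 127.0.0.1 RELAY"))
        else:
            findings.append((key, "medium",
                             "relay grant depends on the client's reverse-DNS name"))
    return findings


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS
    for key, severity, reason in audit_access(source):
        print(f"[{severity}] {key}: {reason}")
```

Run it as `python audit_access.py /etc/mail/access` to check a live file; on the constructed sample it reports the two `localhost` variants as high and `mail.example.net` as medium, while the `127.0.0.1` and `192.168.10` grants pass because they are keyed on addresses.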