
Re: Why Linux, Why Debian



On Sat, Feb 14, 2004 at 08:37:36PM +0000, Andrew Suffield wrote:
> On Sat, Feb 14, 2004 at 08:48:44PM +0100, Javier Fernández-Sanguino Peña wrote:
> > On Fri, Feb 13, 2004 at 06:41:19PM +0000, Andrew Suffield wrote:
> > > > > I think that regular Debian equals or beats the exact claims made as
> > > > > to openbsd's "security" (which aren't much - just regarding holes in
> > > > > the default install that can lead to a remote root compromise). Note
> > > > > that this mostly says "We have a default install that doesn't do
> > > > > anything, too".
> > > > 
> > > > Umm.. it's really a default install with no network services, which is 
> > > > usually quite ok for most users. Our "default" general install is much more 
> > > > bloated.
> > > 
> > > And precisely how many network services does it include? Anything that
> > > doesn't listen on a network port can't be a remote root issue.
> > > 
> > > (I checked first. Did you?)
> > 
> > Well, I was drawing from experience (I've hardened a number of Debian 
> > systems).
> > 
> > Ok, let me see, in woody:
> > 
> > 1) exim listens to all remote ports, is installed as the default MTA and 
> > run by inetd
> 
> Can't remember any remote root holes in exim.

Then your memory is playing with you. There have been two security
advisories since the woody release on exim: DSA-097 (uncontrolled
program execution) and DSA-376 (buffer overflow; but at the time of the
DSA, the thing was not believed to be exploitable).

Regardless, as any security expert will tell you: any open port is a
potential break-in, especially if they're not known.

-- 
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.
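The check the thread keeps circling back to (what actually listens on a default woody install, and whether exim is live via inetd) can be scripted. The following is an added example, not code from anyone in the thread: two small POSIX sh/awk helpers that audit a constructed sample of /etc/inetd.conf and a constructed sample of `netstat -lnt` output, reporting which inetd entries are enabled and which sockets are bound to all interfaces rather than loopback only. The sample contents, service names and ports are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the network services a
# Debian box actually exposes, from inetd.conf and from listening sockets.

# Constructed sample of /etc/inetd.conf. Only uncommented lines are live;
# "#<off>#" is the marker update-inetd writes for disabled entries.
SAMPLE_INETD_CONF='#<off># ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
smtp stream tcp nowait mail /usr/sbin/exim exim -bs
#:INFO: Info services
#discard stream tcp nowait root internal
#:OTHER: Other services
ident stream tcp nowait identd /usr/sbin/identd identd'

# Constructed sample of "netstat -lnt" output (listening TCP sockets).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN'

# Print the service name of every inetd entry that is enabled:
# comment lines (including the "#<off>#" markers) are skipped, and a
# real entry has at least six fields (service type proto wait user program).
inetd_enabled_services() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 6 { print $1 }'
}

# Print "proto port" for listening sockets bound to every interface
# (0.0.0.0 or ::), i.e. the ones reachable from the network. Sockets bound
# to loopback only are left out because they are not remotely reachable.
remote_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            ip = $4; sub(/:[0-9]+$/, "", ip)
            port = $4; sub(/.*:/, "", port)
            if (ip == "0.0.0.0" || ip == "" || ip == "::") print $1, port
        }'
}

echo "Enabled inetd services:"
inetd_enabled_services "$SAMPLE_INETD_CONF"
echo "Remotely reachable listeners:"
remote_listeners "$SAMPLE_NETSTAT"
```

On a live system the same two functions can be fed `cat /etc/inetd.conf` and `netstat -lnt` output instead of the samples; an entry in the first list with a matching port in the second is a service that counts toward the "remote" attack surface the thread is arguing about.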