
Re: on potato's proftpd



On Wed, Apr 03, 2002 at 03:22:39AM +0200, martin f krafft wrote:
> dear list,
> 
> look, i am really not here to start a flame war and heck no, i don't
> want one. please excuse if my behaviour has been leading you onto this
> belief (or maybe not). i am simply failing to grasp the arguments laid
> out by wichert. that is, i don't disagree with him per se, but i have
> the feeling that i am also not being understood. so, please read this
> last attempt to clarify and then either respond, or give me a straight
> "shut up" and i will. and i apologize up front to sven for posting
> parts of his personal reply to the list.
> 
> also sprach Sven Hoexter <sven@telelev.net> [2002.04.02.2240 +0200]:
> > Calm down :) It's "just" a DoS attack and if you use a Software you as
> > the admin should look at the normal flood of information and pick out what
> > you need. If you do so you know the problem and you can work around it in
> > different ways. One way is the Deny directive or some of the Ulimit options
> > introduced into proftpd after the problem occurred the first time.
> > In the Debian way the deny directive is the working one.
> 
> well, i am calm, but i disagree. sure, it boils down to the question
> who debian's audience are, but for all i am concerned, debian's
> reputation _used_ to include "security", and the reason why i'd (as in
> "would" and "had") install(ed) debian was because i didn't need to be
> worrying about the obvious and hence i could spend my resources on
> other things. had i wanted to patch one-year-old bugs in software that
> installs from the "security archives", then i might have just chosen
> to "fly" redhat. i don't understand why you aren't understanding this.
> i am not at all against finding the real bug as well as investigating
> why:

See, paragraphs like this directly contradict your statement above that
you don't want a flame war.  Debian "used to include security"?
Apparently you no longer run Debian?  Does this mean you've withdrawn
your name for the NM queue?
 
Are you willing to abandon the hyperbole and put forward rational
arguments as to why your solution is best?

> > there is a patch that doesn't work and it seems like nobody proved
> > the patch after it was applied for the first time.
> 
> but give me at least one argument why these acts cannot combine with
> a *temporary* fix uploaded to the so-called "security archives".

The temporary patch is, well, temporary.  It only works on a new
install; otherwise the admin has to examine their config file by hand
to make the change.  Worst of all, since the bug was thought to be
fixed but isn't, the temporary fix may not in fact prevent the
exploit.  If the exploit is part of libc globbing code, it may be
exploitable in other code, not just proftpd.
 
> > With this I'm falling back to another topic: Is the way of keeping
> > exploit code behind bars really good for the admin without the
> > special coding skills or just new stones in the process of running
> > a secure server?
> 
> exactly my point. debian's the "hacker OS", but it's also damn good.
> so why not take little steps such as this and keep it that way even
> for the ones that don't spend 20 hours a day in front of a computer
> and know assembler backwards...
> 
> > Just my personal thoughts about your flames with Wichert.
> 
> they really weren't intended to be flames. i am sorry if they felt
> that way. i am really just trying to be concise since i don't have
> much more to say than i did.

I have to wonder.

-- 
Nathan Norman - Micromuse Ltd.  mailto:nnorman@micromuse.com
Gil-galad was an Elven-king.            |  The Fellowship
Of him the harpers sadly sing:          |        of
the last whose realm was fair and free  |     the Ring
between the Mountains and the Sea.      |  J.R.R. Tolkien
