Re: sendmail & localhost rDNS

To: debian-security@lists.debian.org
Subject: Re: sendmail & localhost rDNS
From: "Bernhard R. Link" <brlink@debian.org>
Date: Mon, 10 Aug 2009 14:35:06 +0200
Message-id: <[🔎] 20090810123506.GA4460@pcpool00.mathematik.uni-freiburg.de>
Mail-followup-to: debian-security@lists.debian.org

* Lupe Christoph <lupe@lupe-christoph.de> [090810 13:53]:
> On Monday, 2009-08-10 at 13:46:38 +0200, Thomas Liske wrote:
> 
> > last week, there was an article on heise security about MTAs[1] which  
> > relay mails for hosts having a reverse resolution of 'localhost'. Doing  
> > a small test shows that sendmail on etch seems to be vulnerable, too. I  
> > need to have a localhost RELAY line in my access file (which is not  
> > default AFAIK).
> 
> > Will there be a DSA on this issue, since it seems to turn Sendmail  
> > installations with allowed localhost RELAYing into Open Relays?
> 
> Are you saying you want a DSA for a package that does not have that
> particular vulnerability, but allows a user to create it?
> 
> "Doctor, it hurts when I do this!" "Don't do it, then."

"Help, help my computer does funny things!" "Don't power it up, then."

Almost all security holes need to user to do something. (If only to
power up the machine, to install some packages, to connect to the
internet, to give accounts to users). The question cannot be that
something has to be done do make people vulnerable, but whether properly
sane and educated people can guess that something opens a security
problem.

Hochachtungsvoll,
	Bernhard R. Link

Reply to:

Follow-Ups:
- Re: sendmail & localhost rDNS
  - From: Lupe Christoph <lupe@lupe-christoph.de>

Prev by Date: RE: [SECURITY] [DSA 1854-1] New APR packages fix arbitrary code execution
Next by Date: Re: sendmail & localhost rDNS
Previous by thread: Re: sendmail & localhost rDNS
Next by thread: Re: sendmail & localhost rDNS
Index(es):
- Date
- Thread