Re: sendmail 8.14.4
Phil Oleson <oz@nixil.net> writes:
> [...] a customers PCI scan is reporting this as a problem. I know
> many of these scans tend to do version string checks and don't
> actually check if the problem is possible to exploit, [...]
It's much, much worse: the vulnerability lists used in these tools are
usually generated by blindly concatenating the contents of various
online vulnerability databases, with little or no quality control.
Pretty much anyone and his dog can issue an advisory - just write
something plausible-sounding and post it on bugtraq, and it will end up
in a database somewhere, and eventually trickle down to one or more
vulnerability scanners, even if nobody can reproduce it, and before you
know it somebody has to make a public statement like this:
http://maycontaintracesofbolts.blogspot.com/2008/07/old-history.html
although it won't do much good, because the people who write those
scanners don't give a shit as long as they get their money and / or
fame.
It is MHO that most "security experts" associated with "the end of the
Internet is nigh, film at 11" press reports are frauds and narcissistic
media whores. Unfortunately, journalists don't understand the tech and
are too clueless and / or pressed for time to seek confirmation or
clarification from reliable sources, so you end up with hagiographies
like this:
http://www.seattlepi.com/local/373426_insecure04.html
Google has ~10k hits for "+Kaminsky +saved +the +Internet". Food for
thought.
DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)