cvs commit: ports/net/delegate Makefile distinfo pkg-message
pkg-plist
Kris Kennaway
kris at obsecurity.org
Sat Feb 21 12:07:31 PST 2004
On Sat, Feb 21, 2004 at 09:02:44PM +0100, Clement Laforet wrote:
> On Sat, 21 Feb 2004 11:36:17 -0800
> Kris Kennaway <kris at obsecurity.org> wrote:
>
> > When I audited this software and added the warning, I concluded that
> > delegate was fundamentally insecure from the ground up and could not
> > be fixed just by patching a few things. How has this changed, and who
> > has audited the new software to verify it?
>
> Which version did you audit? Changes in 8.x fixed most of the lacks of
> security in protocol implementations. Since advisories are 4 years old
> (and currently, except misconfiguration, there are few risks), I thought
> it was reasonable to remove warnings.
> If you still consider that this software is insecure by concept, I can
> re-add them, but I wonder why you don't add the same to sendmail, bind
> or whatever port which got several advisories due to bad conception.
Because those were not written by someone with no concept of secure
coding. That's why I said "insecure from the ground up"; there were
literally hundreds of ways to exploit this software. A few of those
special cases probably made it into advisories and were fixed, but
claiming that the entire set of applications has been fixed requires
extraordinary proof.
Kris