Mail

[Chuck Swiger]

Robert Huff wrote:
> Chuck Swiger writes:
[ ... ]
> 	Would you care to nominate an inherently network-accessible
> program with such a track record?  For example: 5.2.1 was released
> in late February; there are currently 12 security advisories*, of
> which I would consider at least 5 to be part of the core system.
> (As opposed to things in the base system, like BIND.)

http://cr.yp.to/qmail/guarantee.html:

"In March 1997, I offered $500 to the first person to publish a verifiable 
security hole in the latest version of qmail: for example, a way for a user to 
exploit qmail to take over another account.

My offer still stands. Nobody has found any security holes in qmail."

Note that the author has chosen to view this guarantee as applicable to 
remotely exploitable holes resulting in being able to run programs as some 
user, rather than denial-of-service exploits (say, filling up the drive due to 
a mailbomb), and that there have been security issues with commonly used 
patches to qmail.  Then again, anything which uses SSL (ie, qmail+TLS) has 
been vulnerable to the horde of OpenSSL issues...

People who think that installing qmail today are likely to not be hacked due 
to a security hole in qmail over the next two years do indeed have some reason 
for their belief.

-- 
-Chuck