Yikes! FreeBSD samba-3.0.26a_2,
1 is forbidden: "Remote Code Execution...
tedm at toybox.placo.com
Fri Dec 14 20:39:17 PST 2007
> -----Original Message-----
> From: Modulok [mailto:modulok at gmail.com]
> Sent: Friday, December 14, 2007 5:29 PM
> To: Ted Mittelstaedt
> Cc: WD at us-webmasters.com; samba at lists.samba.org; remko at freebsd.org;
> Timur at freebsd.org; FreeBSD-Questions at freebsd.org
> Subject: Re: Yikes! FreeBSD samba-3.0.26a_2, 1 is forbidden: "Remote
> Code Execution...
> Which is ever so irritating...
> In 40 years of lessons learned from the school of hard knocks in
> relation to the design and evolution of both programming languages and
> the software designs they implement, one truth has emerged: data
> hiding increases the robustness of a program. Functions hide data,
> classes hide data, namespaces hide data, the very concept of scope,
> hides data. Yet, when we pull back and look at a slightly larger
> picture of the interactions of programs themselves, we fail short of
> carrying this idea through to a higher level. Package X depends on
> package Y, but package Y depends on package Z, but package Z cannot be
> installed because of a name conflict with package W. Update program X
> and you could break what appears to be an un-related program J. Tough
> Code re-use is a good thing. Intricate, far-reaching dependencies are
> not. While package managers attempt to mitigate the underlying issue,
> using code re-use as an excuse for the fragility of a system design,
> is unfortunate. I do not pretend to have all of the answers, but I
> feel that current state of things could be much improved.
The rot started years ago when Sun and others introduced the concept
of dynamically loaded libraries. Time was that everything was
statically compiled. An update to a library file would break nothing.
But at the time, they had a problem - limited ram - available. This
solved it with the tradeoff that updating would require recompiling
a lot of stuff.
Fast forward to today, when 2-4GB of RAM in a computer is standard.
There's no penalty to statically linking all your libraries into
a binary that isn't going to see more than 2-3 simultaneous instances
in memory. But the thinking is still ossified back in the 80's as
by default every program you build will dynalink.
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.17.2/1184 - Release Date: 12/14/2007
More information about the freebsd-questions