
Re: [cobalt-security] QPOP Vulnerability - Again



Once upon a time, Jeff Lovell <jlovell@xxxxxxxxxx> said:
> Chris Adams wrote:
> > They still have not released an official fix to the web site security
> > hole (originally I was thinking it was just with Front Page sites, but
> > it is with all sites).  With the normal setup, any user on a RaQ can
> > overwrite all the sites on the RaQ.  They tossed a "quick-fix" into the
> > experimental directory, but they have not really fixed it.
> 
> Hmm, that should have been posted a while ago.  I'll check into that.

Good.  No offense, but anything in the experimental directory makes me
nervous.  I don't consider it a true fix until it is an official package
(I know those can have problems too, but it is less likely).

> > Now there are known security problems with proftpd again - I wonder if
> > those patches will ever make their way out of Cobalt?
> 
> Yes, there is a recently discovered bug in proftpd, and the proftpd
> developers have released 1.2.0rc1.  But there is a problem with it: the
> new version breaks some chmod functionality.  We are waiting
> for the proftpd developers to address this problem.

Okay.

> > I believe the current version of BIND on the RaQ2 is still open to
> > security holes as well - they fixed this one for the RaQ1 but not the
> > RaQ2!
> 
> The NXT bug was not exploitable against 8.2.1, only 8.2 and greater.

Well, that is not what the ISC says.  They also list other security
problems with 8.2.1 at:

http://www.isc.org/products/BIND/bind-security-19991108.html

It is the ISC's position that anything before 8.2.2-P3 has security
problems (8.2.2-P5 fixes some bugs as well).

I think a major frustration with Cobalt is that there doesn't seem to be
any relationship with the users of the product.  Cobalt provides these
lists as unofficial places where we can have discussions, but there is
virtually no Cobalt representation on the lists.  You and a couple of
others pop in here every once in a while, answer a few things, then pop
back out again.  I understand that people are busy, and that this is not
an official support area, but developing a good relationship with your
customers should be a priority.  I have been on other unofficial lists
provided by manufacturers, and there was a presence by the company on
their list.  Let your customers know what is going on, and they will
feel better.  If there is a problem and it is going to take a month to
fix it, tell us.  When you don't, there is a feeling that Cobalt is not
listening and that no fix will ever be produced.  That drives people
away, looking for other solutions (I've felt that way several times over
the last year or so that I've been working with Cobalt products).
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.