
sendmail 8.14.4


Phil Oleson

Jan 15, 2010, 6:50:32 PM
to freebsd-...@freebsd.org
I'm seeing this in the release notes for the latest release of sendmail, plus a customer's
PCI scan is reporting this as a problem. I know many of these scans tend to do version
string checks and don't actually check if the problem is possible to exploit, but I just
wanted your thoughts on whether this is something the security team feels it needs to deal with
or not.

-Phil.

8.14.4/8.14.4 2009/12/30
SECURITY: Handle bogus certificates containing NUL characters
in CNs by placing a string indicating a bad certificate
in the {cn_subject} or {cn_issuer} macro. Patch inspired
by Matthias Andree's changes for fetchmail.
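
The changelog entry above refers to a certificate whose CN contains an embedded NUL byte, so that C string functions see only the text in front of it. The following is an added example (not sendmail's code, and not part of the original post): it compares the length the ASN.1 encoding declares with what strlen()/strcmp() would see and, like the 8.14.4 fix, stores a marker string instead of a truncated name. The marker text and the sample CN bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder marker; the exact text sendmail stores is not on this page. */
#define BAD_CERT_MARKER "[BAD CERTIFICATE: NUL IN CN]"

/* Constructed sample CN with an embedded NUL; BOGUS_CN_LEN is the length the
 * DER length field would declare, which (unlike strlen) counts all 31 bytes. */
static const unsigned char BOGUS_CN[] = "mail.example.org\0.other.example";
#define BOGUS_CN_LEN (sizeof BOGUS_CN - 1)

/* 1 if the CN is safe as a C string, 0 if a NUL inside the declared length
 * would make strlen()/strcmp() stop early. */
int cn_is_sane(const unsigned char *cn, size_t asn1_len)
{
    return memchr(cn, '\0', asn1_len) == NULL;
}

/* The comparison the changelog entry guards against: strcmp() stops at the
 * first NUL, so the bogus CN compares equal to the name in front of it. */
int naive_cn_matches(const unsigned char *cn, const char *expected)
{
    return strcmp((const char *)cn, expected) == 0;
}

/* Length-aware comparison over the full declared length. */
int safe_cn_matches(const unsigned char *cn, size_t asn1_len, const char *expected)
{
    return cn_is_sane(cn, asn1_len) && asn1_len == strlen(expected)
        && memcmp(cn, expected, asn1_len) == 0;
}

/* Fill out[] for a {cn_subject}-style macro; returns 1 if the marker was used. */
int cn_macro_value(const unsigned char *cn, size_t asn1_len, char *out, size_t outsz)
{
    if (!cn_is_sane(cn, asn1_len) || asn1_len >= outsz) {
        snprintf(out, outsz, "%s", BAD_CERT_MARKER);
        return 1;
    }
    memcpy(out, cn, asn1_len);
    out[asn1_len] = '\0';
    return 0;
}

int main(void)
{
    printf("strcmp says bogus CN matches: %d\n", naive_cn_matches(BOGUS_CN, "mail.example.org"));
    printf("length-aware check matches:   %d\n", safe_cn_matches(BOGUS_CN, BOGUS_CN_LEN, "mail.example.org"));
    return 0;
}
```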

Dag-Erling Smørgrav

Jan 18, 2010, 9:12:24 AM
to Phil Oleson, freebsd-...@freebsd.org
Phil Oleson <o...@nixil.net> writes:
> [...] a customer's PCI scan is reporting this as a problem. I know
> many of these scans tend to do version string checks and don't
> actually check if the problem is possible to exploit, [...]

It's much, much worse: the vulnerability lists used in these tools are
usually generated by blindly concatenating the contents of various
online vulnerability databases, with little or no quality control.
Pretty much anyone and his dog can issue an advisory - just write
something plausible-sounding and post it on bugtraq, and it will end up
in a database somewhere, and eventually trickle down to one or more
vulnerability scanners, even if nobody can reproduce it, and before you
know it somebody has to make a public statement like this:

http://maycontaintracesofbolts.blogspot.com/2008/07/old-history.html

although it won't do much good, because the people who write those
scanners don't give a shit as long as they get their money and / or
fame.

It is MHO that most "security experts" associated with "the end of the
Internet is nigh, film at 11" press reports are frauds and narcissistic
media whores. Unfortunately, journalists don't understand the tech and
are too clueless and / or pressed for time to seek confirmation or
clarification from reliable sources, so you end up with hagiographies
like this:

http://www.seattlepi.com/local/373426_insecure04.html

Google has ~10k hits for "+Kaminsky +saved +the +Internet". Food for
thought.

DES
--
Dag-Erling Smørgrav - d...@des.no
