CERT: Sendmail Distribution Contained Trojan Horse
Scoria writes "According to a CERT advisory published this afternoon, the public distribution of Sendmail 8.12.6 contained a trojan horse from September 28 to October 6. For more detailed information, please consult advisory CA-2002-28." This sounds very much like what happened to OpenSSH.
It's a sad day when Sendmail becomes the BitchX of email servers. Perhaps they'll merge with OpenSSH now?
C - A language that combines the speed of assembly with the ease of use of assembly.
We always knew it was a piece of insecure crap. So no surprise. Qmail or even mailx is MUCH more secure.
NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
The computer security industry has tended to regard the Linux community obsession with Microsoft security holes as a case of people living in glass houses throwing stones.
Sendmail has been notorious for security bugs from the very first release. There was a time when over half of all CERT advisories related to sendmail.
It is like that idiot Forrester who went as far as the Supreme Court trying to get Lautenberg kicked off the ballot because he was substituted 35 days before the ballot - missing the 51 day deadline. According to the New York Times Forrester was himself substituted 40 days before the primary election, missing the same exact deadline he now claims to be sacrosanct. Why don't the 'liberal media' tell us these facts, oh yes because the whole liberal media thing is a crock intended to intimidate reporters into not reporting facts that are unfavorable to Republicans.
Point is, don't believe what you read on the news or on slashdot. People have an agenda. There are plenty of bugs found in UNIX systems but when slashdot is ten times more likely to report a Microsoft bug than a Linux one you can soon be conned into thinking Linux is secure rather than making the conclusion I draw, that both platforms have problems.
The whole point of the Web was to give people access to alternative news sources so they can form their own judgement. Problem is that most people would rather be spoonfed their prejudices by the likes of Fox News than know what really goes on.
BIND has also been a mess and stayed that way until DEC paid Paul Vixie to basically rewrite the code from scratch. There are still a bunch of security issues with BIND but they are generally caused by the lack of authentication in the DNS protocol these days.
The fact that UNIX managed to clean up its act suggests that Microsoft can too. It would be nice if in the meantime the Linux community would take note of the fact that they are not immune from security problems and that many of the issues facing Microsoft are actually issues of scale - if everyone switched to Linux it would be much easier to get Linux viruses to propagate.
At the end of the day the concentration on 'end-to-end' security at the exclusion of all other means is a crock. You cannot have end to end security unless you have trusted hardware. Nobody on Slashdot seems to be particularly keen on Palladium except people such as myself who spend their whole time trying to design secure architectures.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/