From owner-freebsd-security@FreeBSD.ORG Mon Jan 18 14:12:28 2010
Return-Path: <des@des.no>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 754F9106568B; Mon, 18 Jan 2010 14:12:28 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 3967E8FC1B; Mon, 18 Jan 2010 14:12:27 +0000 (UTC)
Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id C298F1FFC22; Mon, 18 Jan 2010 14:12:26 +0000 (UTC)
Received: by ds4.des.no (Postfix, from userid 1001) id B7E078448A; Mon, 18 Jan 2010 15:12:24 +0100 (CET)
From: Dag-Erling Smørgrav
To: Phil Oleson
Cc: freebsd-security@freebsd.org
Subject: Re: sendmail 8.14.4
Date: Mon, 18 Jan 2010 15:12:24 +0100
Message-ID: <86pr5733jr.fsf@ds4.des.no>
In-Reply-To: <4B50FF48.2070801@nixil.net> (Phil Oleson's message of "Fri, 15 Jan 2010 16:50:32 -0700")
References: <4B50FF48.2070801@nixil.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
List-Id: "Security issues [members-only posting]"
X-Mailman-Version: 2.1.5
X-List-Received-Date: Mon, 18 Jan 2010 14:12:28 -0000

Phil Oleson writes:
> [...] a customer's PCI scan is reporting this as a problem. I know
> many of these scans tend to do version string checks and don't
> actually check if the problem is possible to exploit, [...]

It's much, much worse: the vulnerability lists used in these tools are
usually generated by blindly concatenating the contents of various
online vulnerability databases, with little or no quality control.
Pretty much anyone and his dog can issue an advisory - just write
something plausible-sounding and post it on bugtraq, and it will end up
in a database somewhere, and eventually trickle down to one or more
vulnerability scanners, even if nobody can reproduce it, and before you
know it somebody has to make a public statement like this:

http://maycontaintracesofbolts.blogspot.com/2008/07/old-history.html

although it won't do much good, because the people who write those
scanners don't give a shit as long as they get their money and / or
fame.

It is MHO that most "security experts" associated with "the end of the
Internet is nigh, film at 11" press reports are frauds and narcissistic
media whores. Unfortunately, journalists don't understand the tech and
are too clueless and / or pressed for time to seek confirmation or
clarification from reliable sources, so you end up with hagiographies
like this:

http://www.seattlepi.com/local/373426_insecure04.html

Google has ~10k hits for "+Kaminsky +saved +the +Internet".

Food for thought.

DES
-- 
Dag-Erling Smørgrav - des@des.no
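The thread's complaint is that PCI scanners key on the version string in the SMTP greeting and never check whether the flaw is reachable. The following added example (written for this archive page; it is not code from the thread, from FreeBSD, or from any scanner product) shows why a banner-only check produces findings a defender then has to triage: a build that carries a backported fix advertises the same banner as the unpatched one, and a scanner that compares version strings lexicographically instead of numerically flags later releases as well. The banners, host records and the "fixed in 8.14.4" threshold are constructed for illustration; no real advisory or vulnerability identifier is assumed.

```python
import re

# Constructed sample SMTP greetings (not taken from the thread or any scanner).
BANNERS = {
    # Unpatched build of an older release.
    "stock": "220 mx.example.test ESMTP Sendmail 8.14.3/8.14.3; Mon, 18 Jan 2010 15:00:00 +0100",
    # Release whose version number carries the fix.
    "fixed": "220 mx.example.test ESMTP Sendmail 8.14.4/8.14.4; Mon, 18 Jan 2010 15:00:00 +0100",
    # Vendor build with the fix backported: the banner is identical to "stock".
    "backported": "220 mx.example.test ESMTP Sendmail 8.14.3/8.14.3; Mon, 18 Jan 2010 15:00:00 +0100",
    # Hypothetical later release, used to show the string-comparison trap.
    "later": "220 mx.example.test ESMTP Sendmail 8.14.10/8.14.10; Mon, 18 Jan 2010 15:00:00 +0100",
}

# Assumed threshold: the (hypothetical) advisory says the bug is fixed in 8.14.4.
FIXED_IN = (8, 14, 4)

BANNER_RE = re.compile(r"\bSendmail\s+(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Extract the advertised Sendmail version as a tuple of ints.
    Returns None when the greeting carries no version (custom banner)."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def string_compare_check(banner, fixed_in="8.14.4"):
    """The buggy variant: compare version strings lexicographically.
    '8.14.10' < '8.14.4' is True as strings, so newer releases get flagged."""
    m = BANNER_RE.search(banner)
    if m is None:
        return "unknown"
    return "vulnerable" if m.group(1) < fixed_in else "not vulnerable"


def banner_check(banner, fixed_in=FIXED_IN):
    """Version-only check of the kind the thread describes: numeric
    comparison, no attempt to verify that the bug is actually reachable."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "vulnerable" if v < fixed_in else "not vulnerable"


def triage(host):
    """Reconcile a banner-based finding with the host's own patch records.
    `host` has a 'banner' and a 'fix_backported' flag taken from package or
    patch inventory, which a remote scanner cannot see over the wire."""
    verdict = banner_check(host["banner"])
    if verdict != "vulnerable":
        return verdict
    if host.get("fix_backported"):
        return "false positive (fix backported, banner unchanged)"
    return "confirm by hand"


# Constructed host inventory: banner as seen from the network plus patch state.
HOSTS = [
    {"name": "mx-old", "banner": BANNERS["stock"], "fix_backported": False},
    {"name": "mx-bsd", "banner": BANNERS["backported"], "fix_backported": True},
    {"name": "mx-new", "banner": BANNERS["fixed"], "fix_backported": False},
]


def triage_all(hosts=HOSTS):
    """Map each host name to its reconciled verdict."""
    return {h["name"]: triage(h) for h in hosts}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
    print("string compare on 8.14.10:", string_compare_check(BANNERS["later"]))
    print("numeric compare on 8.14.10:", banner_check(BANNERS["later"]))
```

The point of `triage` is that the banner alone cannot distinguish `mx-old` from `mx-bsd`; only local package or patch records can, which is why a scanner report needs to be reconciled against inventory rather than taken at face value.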