From owner-freebsd-ports Fri Jun 9 19:19:58 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from BSDpc.geek4food.org (adsl-216-103-105-71.dsl.snfc21.pacbell.net [216.103.105.71])
	by hub.freebsd.org (Postfix) with ESMTP id 2572E37B631;
	Fri, 9 Jun 2000 19:19:56 -0700 (PDT)
	(envelope-from andy@geek4food.org)
Received: from mega.geek4food.org (mega.geek4food.org [192.168.1.57])
	by BSDpc.geek4food.org (Postfix) with ESMTP id A873B13B;
	Fri, 9 Jun 2000 19:19:55 -0700 (PDT)
Received: from mega.geek4food.org (localhost.geek4food.org [127.0.0.1])
	by mega.geek4food.org (8.9.3/8.9.3) with ESMTP id TAA84496;
	Fri, 9 Jun 2000 19:19:55 -0700 (PDT)
	(envelope-from andy@geek4food.org)
Message-Id: <200006100219.TAA84496@mega.geek4food.org>
To: Will Andrews
Cc: John Holland, ports@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Hylafax security audit
In-reply-to: Your message of "Fri, 09 Jun 2000 12:05:36 EDT." <20000609120536.N6343@argon.gryphonsoft.com>
Date: Fri, 09 Jun 2000 19:19:55 -0700
From: Andy Sparrow
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--------
Your message dated: Fri, 09 Jun 2000 12:05:36 EDT

>Probably not. But someone might prove me wrong.

Well, I believe a number of people are /considering/ it, although no-one's actually coming up with patches yet.

Maybe we just need a leader (baaa!). :-)

>No, the hylafax people are completely ignoring this problem.

There is, apparently, a known cgi-bin exploit in the docs for the current beta, which isn't fixed yet in CVS. *sigh*

It's my take that they'd welcome some people subscribing to their devel list and helping out, but that security isn't their main concern.

Actually, I think it makes sense to lock down a dedicated server and only provide restricted logins on that box - which seems to me to remove most of the security issues.

For a SOHO workstation install, HylaFAX is kinda overkill anyway, and other, simpler, software exists (like sendfax and efax).

I'm not saying that that's their stance, just an observation.

Cheers,

AS

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message