Date: Mon, 23 Nov 1998 16:25:37 -0800 (PST)
From: John Polstra <jdp@polstra.com>
To: Terry Lambert <tlambert@primenet.com>
Cc: hackers@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Message-ID: <XFMail.981123162537.jdp@polstra.com>
In-Reply-To: <199811231852.LAA21705@usr02.primenet.com>

> You need to look at Bugtraq as well

I did already.

> Also, I think the point of PAM is to let people use modules other
> than the ones that we use... so that argument is rather pointless.

What argument? I have no intention of taking responsibility for bugs
in modules that other people wrote. If you want to use them, it's up
to you to convince yourself that they're OK.

> Here is a bug that will be common in network applications like ftpd
> linked to use PAM:
>
> http://geek-girl.com/bugtraq/1998_1/0111.html

This is a bug in the Solaris ftpd, and has nothing to do with PAM.

> I don't know if you are using the rhost module, but if so, this may
> be relevant:

I didn't use any of the Linux modules.

> Also, PAM can become vulnerable based on libc implementation, since
> it is a consumer of libc; here's one example:
>
> http://geek-girl.com/bugtraq/1997_2/0228.html

This is about a Linux libc bug, combined with a stupid blunder by a
Linux system "administrator". Anyway, everything that is linked with
libc is vulnerable to bugs in it. PAM is not special in that sense.

> Also, is our qpopper port still vulnerable to:
>
> http://geek-girl.com/bugtraq/1998_2/0657.html
>
> ???

I have no idea. What is the relevance to PAM?

---
John Polstra                                     jdp@polstra.com
John D. Polstra & Co., Inc.              Seattle, Washington USA
"Nobody ever went broke underestimating the taste of the American public."
    -- H. L. Mencken