[PLUG] Re: tinydns problems... help?

Wil Cooley wcooley at nakedape.cc
Fri Feb 11 18:59:08 UTC 2005


On 2005-02-11, Rich Burroughs <rich at paranoid.org> wrote:

> I think there are things you can do to run BIND more securely, and those 
> have thankfully become more standard practice, but that's not the same 
> as saying it's "just as secure." There have been quite a few holes in 
> BIND in the past that led to root compromises. Now, you don't have to 
> run it as root, and you can run it chrooted, and those things help 
> greatly limit the damage that can be done. But there were some big 
> problems in the code in the past, and I would argue that's not "just as 
> secure."

But BIND 9 was a total rewrite by someone skilled in writing secure C, which Paul
Vixie readily claims he is incapable of.  Have there been any root exploits for
BIND 9?  I don't know; there have been a few non-root exploits, but not many.

> Yeah, I don't buy that either :) I can't believe that there are not some 
> skilled people out there with black hats on who have gone through that 
> code very thoroughly. It wouldn't be just about the money - someone 
> could make a bit of a name for themselves by collecting a bounty on one 
> of Dan's programs, which are usually regarded as very secure.

From what I've read, there are those who claim to have found exploits in
qmail, but he dismisses them and won't pay.  I cannot really say whether
it's true or not.

Wil
-- 
Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *



