> > Well, it appears that someone has tried to take advantage of the (now) well > > known sendmail security hole that has been discussed here. This is a very > > good argument for full disclosure on security holes. > Wrong! You start broadcasting news about security holes, some unscrupulous > person(s) will abuse the security hole. It is up to agencies like CERT and > the manufacturers of the software to produce fixed versions of the software. No it isn't. Please join the ongoing flamewar on USENET and get off bugtraq. Bugtraq is pro-disclosure. Speaking of which, am I correct in assuming that the current sendmail hole cannot be exploited from the outside of a machine (e.g. by email)? Could someone please post more details as to how to test for this bug and what it could be used for? ------ Dave Hayes - Institutional Network & Communications - JPL/NASA - Pasadena CA dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ...usc!elroy!dxh Never put off until tomorrow what you can do today. There might be a law against it by that time.