Date: Fri, 14 Dec 2007 14:34:38 -0800 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "W. D." <WD@US-Webmasters.com>, <samba@lists.samba.org> Cc: Remko Lodder <remko@freebsd.org>, Timur@freebsd.org, FreeBSD-Questions@freebsd.org Subject: RE: Yikes! FreeBSD samba-3.0.26a_2, 1 is forbidden: "Remote Code Execution... Message-ID: <BMEDLGAENEKCJFGODFOCMEDHCFAA.tedm@toybox.placo.com> In-Reply-To: <20071214164358.5D01A13C461@mx1.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of W. D. > Sent: Friday, December 14, 2007 8:37 AM > To: samba@lists.samba.org > Cc: Remko Lodder; Timur@freebsd.org; FreeBSD-Questions@freebsd.org > Subject: Re: Yikes! FreeBSD samba-3.0.26a_2,1 is forbidden: "Remote Code > Execution... > > > I neet to get a fileserver going right away. I would like > to use Samba. Perhaps I should just load Windows on it? > Samba is a VERY EASY package to manually compile. It is NOT necessary to use the FreeBSD ports system to install it. It would probably be a good idea to look at the FreeBSD samba port and see what dependencies it calls for, then install those, before compiling Samba. But, you just follow the instructions in the Samba distribution and it will work fine. This happens from time to time with the FreeBSD ports system, and there isn't any way to avoid it. Most open source software today is written to depend on other open source software packages. People don't like spending programming time reinventing the wheel. As a result you have a large dependency list which has deep roots as the dependent programs themselves have even more dependencies. If just one single program in that mess gets updated it will affect entire trees and many other programs. This really isn't any different with commercial software. Most commercial software today uses many commercial libraries. When one of those libraries has a security hole, all the commercial programs that are built with that library now have that same security hole. That is why it is so easy to crack into Windows systems, because most of the time those commercial software developers don't "mark their stuff forbidden" like the Open Source community does. Money is at stake. Instead they just quietly release "updates" that close those holes months after the fact. In the meantime the spammers have been having a field day breaking into Windows systems and setting them up as zombies. > It seems to me that leaving a port broken like this is > very "unprofessional". I would expect more from the folks > maintaing FreeBSD. > It is much more "unprofessional" to do as the "professionals" do and simply pretend the problem doesen't exist, then release an update when they get around to it. I will close by saying that the crackers and criminals out there who find and exploit these security holes are the real ones causing the problem, they are the real people you should be "expecting more" from. They don't have your server schedule in mind when they release cracking scripts. If your a real IT manager, you should be very aware of this already, and be used to it. Railing against a bunch of wannabe criminals that break into things doesen't help, nor does bitching about the results of those criminal's actions to people who are trying to protect your ass from being exposed to them. All you can do is just sit back, wait for the dust to clear, and proceed forward when the fight between the black and white hats is over with for the moment. Ted No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.503 / Virus Database: 269.17.2/1184 - Release Date: 12/14/2007 11:29 AM
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BMEDLGAENEKCJFGODFOCMEDHCFAA.tedm>