From: Luke S. <lsc...@us...> - 2004-01-28 01:00:54
On Tue, Jan 27, 2004 at 03:05:21PM -0800, AthlonRob wrote:
> Please don't top-post, it just plain sucks...
>
> On Tue, 2004-01-27 at 12:23, Don Seiler wrote:
>
> > My main focus is that no official notification has yet come from gaim
> > that there is what could fairly be called a serious security flaw. The
> > only acknowledgement that the flaw exists comes when a dev gives a
> > backhanded response of "fixed in 0.76, it will come when it's
> > ready", as if this was just some minor cosmetic bug that we can wait
> > for.
>
> Are these issues really so terribly serious we should all be patching
> our gaims? If you're running gaim as root, then you really almost
> deserve anything you get. If you're running it as a user, any damage
> done will be not so huge.
>
> And that is all assuming somebody is able to utilize these security
> holes and execute code remotely. More likely is they would be able to
> potentially crash gaim. Gaim crashes frequently enough all by itself,
> who is going to care if somebody remotely crashes it?
>
> As I read the report, it was a lot of "potentially" and "maybe" issues.
> With no actual example of the code being utilized to do damage to
> anybody, I really don't see how you can justify calling the issues a
> 'serious security flaw' ... can you?

most of these required that someone be between you and the server in
question, most frequently yahoo which doesn't work for a majority of
users anyway.

>
> Serious security flaws in the past include the Apache hole that had that
> worm spreading around two years ago, Outlook Express automatically
> executing code embedded in an email, Internet Explorer automatically
> executing malicious code on websites, or the whole Windows/MSBlaster
> hole.

*nods* these are at least an order of magnitude more serious.

luke