
Bug#4514: sendmail security hole



Package: sendmail
Version: 8.7.5-4

See the recent CERT Advisory CA-96.20 for more information.
It says that Debian is not vulnerable because it uses smail,
but that's not completely true, smail is the default but
sendmail is also available, and I'm not convinced that smail
has no bugs - it's just that it is not as widely used and
reviewed as sendmail...

The recommended fix is to upgrade to sendmail 8.7.6.  Because
I needed it and it is not available yet as a Debian package,
I packaged it myself (using the Debian 8.7.5-4 diff; the only
change was the new version number in debian.rules).  Until
the "real" release, the package is temporarily available from
ftp://ftp.ists.pwr.wroc.pl/pub/linux/debian-local/

5e9de8e223c9c4f833697684d97b7b2d  sendmail-8.7.6-1.deb
01daf0115f3da981c2ecd25e699bcf94  sendmail-8.7.6-1.diff.gz
0f9ef40205226e7f56a17b9cdd3f87ed  sendmail-8.7.6-1.tar.gz

Note that I am not the official maintainer, and this package
is not supported by me in any way.  When the official package
is available, I think it should go into the "stable" tree.

While we are at it: the CERT advisory recommends using smrsh
(sendmail restricted shell) which is part of the sendmail
source distribution - it is not part of the binary package,
maybe it should?

Marek


