Re: Two questions about task-harden.
On Thu, 23 Aug 2001, Scott K. Ellis wrote:
> > To be fair, the sendmail code has improved a lot recently and it actually
> > quite decent now, and other mailers such as postfix and exim have not
> > been around long enough or are used as often as sendmail to have received
> > the same amount of scrutiny.
>
> Of course, there is the latest sendmail vunerability that SuSE is reporting.
>
> http://www.linuxsecurity.com/advisories/suse_advisory-1568.html
To be fair, I'll assume you didn't read the damn thing:
The error itself is a result of a comparison between a signed and an
unsigned integer when checking user-supplied data from the sendmail
command line: A high unsigned value is being considered a negative
signed value. A subsequent comparison is being evaluated the wrong way.
These errors are expected to make up a new class of vulnerabilities for
programs written in C in the near future.
Nor, I'll bet, did you notice the last sendmail update for Debian:
sendmail (8.11.6+8.12.0.Beta19-0) unstable; urgency=high
* New upstream beta (security & signal handling)
* Refit patches
* Sendmail now does fsync(dir) on renames - less chance of loosing files!!!
[snip]
-- Richard A Nelson (Rick) <cowboy@debian.org> Mon, 20 Aug 2001 20:30:00 -0500
I didn't want to say more in the changelog - was awaiting the sendmail
announce to bugtraq.
In other words - slink, stable woody, and unstable(sid) are *NOT* vulnerable,
and testing won't be as soon as it propogates the updates.
I intend to audit the code after we're out of Beta
--
Rick Nelson
<lux> if macOS is for the computer illiterate, then windoze is for the
computer masochists
Reply to: