[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Two questions about task-harden.

On Thu, 23 Aug 2001, Scott K. Ellis wrote:

> > To be fair, the sendmail code has improved a lot recently and it actually
> > quite decent now, and other mailers such as postfix and exim have not
> > been around long enough or are used as often as sendmail to have received
> > the same amount of scrutiny.
> Of course, there is the latest sendmail vunerability that SuSE is reporting.
> http://www.linuxsecurity.com/advisories/suse_advisory-1568.html

To be fair, I'll assume you didn't read the damn thing:
	The error itself is a result of a comparison between a signed and an
	unsigned integer when checking user-supplied data from the sendmail
	command line: A high unsigned value is being considered a negative
	signed value. A subsequent comparison is being evaluated the wrong way.

	These errors are expected to make up a new class of vulnerabilities for
	programs written in C in the near future.

Nor, I'll bet, did you notice the last sendmail update for Debian:
sendmail (8.11.6+8.12.0.Beta19-0) unstable; urgency=high

  * New upstream beta (security & signal handling)
  * Refit patches
  * Sendmail now does fsync(dir) on renames - less chance of loosing files!!!
 -- Richard A Nelson (Rick) <cowboy@debian.org>  Mon, 20 Aug 2001 20:30:00 -0500

I didn't want to say more in the changelog - was awaiting the sendmail
announce to bugtraq.

In other words - slink, stable woody, and unstable(sid) are *NOT* vulnerable,
and testing won't be as soon as it propogates the updates.

I intend to audit the code after we're out of Beta

Rick Nelson
<lux> if macOS is for the computer illiterate, then windoze is for the
      computer masochists

Reply to: