
Re: Sendmail patches in work?

On Mon, 3 Sep 2001, Thomas Gebhardt wrote:

> I wonder whether a sendmail security patch (input validation
> error, BUGTRAQ ID: 3163) will be available soon?

	1) The version in unstable(sid) Beta19 isn't vulnerable
	2) The version in testing (held back by ia64) is vulnerable,
	   but *ONLY* if run suid root, which isn't the case unless
	   the administrator changes things.
	3) The version in slink, base potato isn't vulnerable

> It is reported that a working exploit is available on the net.
> So I am considering getting an updated version from sendmail.org, if
> a Debian package will not be available in the near future.

unstable was updated *BEFORE* the advisory (which I didn't get due
to my employer's inept mail handling - sigh).

I marked the update as high, but until the ia64 build daemon completes
it, or sends me a message indicating why it fails (the excuses page doesn't
have any info on ia64 builds), I can't do anything more for the testing

In any case, the only problem is if you're on testing (Beta7?), and have
changed /usr/sbin/sendmail to be suid, you're not vulnerable.

Rick Nelson
Intel engineering seem to have misheard Intel marketing strategy. The phrase
was "Divide and conquer" not "Divide and cock up"
(By iialan@www.linux.org.uk, Alan Cox)
