Re: Sendmail patches in work?
On Mon, 3 Sep 2001, Thomas Gebhardt wrote:
> I wonder whether a sendmail security patch (input validation
> error, BUGTRAQ ID: 3163) will be available soon?

1) The version in unstable(sid) Beta19 isn't vulnerable
2) The version in testing (held back by ia64) is vulnerable,
   but *ONLY* if run suid root, which isn't the case unless
   the administrator changes things.
3) The version in slink, base potato isn't vulnerable

> It is reported that a working exploit is available on the net.
> So I am considering getting an updated version from sendmail.org, if
> a Debian package will not be available in the near future.

unstable was updated *BEFORE* the advisory (which I didn't get due
to my employer's inept mail handling - sigh).

I marked the update as high, but until the ia64 build daemon completes
it, or sends me a message indicating why it fails (the excuses page doesn't
have any info on ia64 builds), I can't do anything more for the testing

In any case, the only problem is if you're on testing (Beta7?), and have
changed /usr/sbin/sendmail to be suid, you're not vulnerable.

Intel engineering seem to have misheard Intel marketing strategy. The phrase
was "Divide and conquer" not "Divide and cock up"
(By email@example.com, Alan Cox)