
Re: bug in sendmail ???



Hello,

On Wed, Apr 02, 2003 at 11:21:25PM CEST, Marcin Rosowski wrote:

: ..the guys from the "Security Team" seem to have forgotten about sendmail - on
: the maintainer's page "http://people.debian.org/~cowboy/" you can download
: patched versions immune to the bug that Michał Zalewski recently discovered.
I'll allow myself to spam a bit:

----
From: Noah Meyerhans <noahm@debian.org>
To: Debian Security List <debian-security@lists.debian.org>
Cc: 
Bcc: 
Subject: Re: Is there a security update for the new sendmail exploit in woody?
Reply-To: 
In-Reply-To: <1049295455.32755.7.camel@fermie.phas.ucalgary.ca>
Old-Return-Path: <frodo@unblinking-eye.lcs.mit.edu>
X-Spam-Status: No, hits=-3.7 required=4.0 tests=IN_REP_TO,PGP_SIGNATURE_2,QUOTED_EMAIL_TEXT,REFERENCES, SPAM_PHRASE_00_01,USER_AGENT,USER_AGENT_MUTT version=2.43

On Wed, Apr 02, 2003 at 07:57:35AM -0700, Tom Clements wrote:
> --Sendmail Users Face Second Major Security Flaw
> (31 March 2003)

Yes, it's on its way.  Expect it very soon.  I think the updated
packages have all (or almost all) completed building.

> Most versions of sendmail do not adequately check the length of
> e-mail addresses, and a carefully crafted address can trigger a
> stack overflow and potentially allow the attacker to take control of
> the system.

Sendmail developers published a patch to address this vulnerability.  If
you can't wait for the new packages, you can always download the source
for the current packages, apply the patch, and build new packages
yourself.  Note that there is no *known* exploit for this vulnerability,
though, and there have been no reports of compromises due to it.  I'm
sure somebody will correct me in short order if I'm sharing outdated
info here.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
: 
: Marcin
: 
: 



PS. Which doesn't change the fact that sendmail is stupid in general, because it
allows sending mails without a body ;< (OE and other MUAs behave in fun ways
then).

-- 
Regards,
TTC

  .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
.:: Tomasz T. Ciaszczyk [ ciacho<at>ciacho.pl ] >> http://ciacho.pl <<
.::
.:: You cannot kill time without injuring eternity.
.:: -- Thoreau
  `-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
