On Fri, 24 Mar 2006 Valdis.Kletnieks@xxxxxx wrote: > On Thu, 23 Mar 2006 03:59:20 CST, Gadi Evron said: > > Oh, sorry for not mentioning earlier - > > Operators that want to patch Sendmail, I'd suggest doing it soon. Now we > > not only do we face risk to our mail servers, but rather trusting other > > servers as well. > > Been there, done that. All the same issues we saw when 8.12.9 came out: Exactly. You just made my point. > > 8.12.9/8.12.9 2003/03/29 > SECURITY: Fix a buffer overflow in address parsing due to > a char to int conversion problem which is potentially > remotely exploitable. Problem found by Michal Zalewski. > Note: an MTA that is not patched might be vulnerable to > data that it receives from untrusted sources, which > includes DNS. > > So just like last time - I'm sure somebody will patch their external-facing > mailserver *first*, and that lets exploit mail get through the external > mailer and reach the internal mailserver (where before it would just have > 0wned the external server). > > Not that Sendmail is any different from any OTHER infrastructure software. > The exact same issues apply when an IOS bug is found, or an NTP bug, or..... > > (And if you think Sendmail didn't do a good job of releasing the info, I > shudder to think of what you thought of how Cisco handled the whole Lynn thing ;) > > >
