On Sat, 2003-05-03 at 02:36, Res wrote:
> On Sat, 3 May 2003, Emmanuel Seyman wrote:
>
> > On Wed, Apr 30, 2003 at 11:34:03AM +1000, Res wrote:
> > >
> > > Sendmail is rather secure and rock stable, if you know what you're doing,
> >
> > ???
> > I'm curious as to what your definition of "rather secure and rock stable"
> > entails. The last two releases of Sendmail are both bugfixes for critical
> > security problems and the last one was only a month ago.
>
> Really, well I must have missed the CERT email on that one last month.

I believe these are the ones being referred to:

http://www.cert.org/advisories/CA-2003-07.html

"Successful exploitation of this vulnerability may allow an attacker to
gain the privileges of the sendmail daemon, typically root. Even
vulnerable sendmail servers on the interior of a given network may be at
risk since the vulnerability is triggered from the contents of a
malicious email message."

It was there for 15 years, mentioned earlier and dismissed.

http://www.cert.org/advisories/CA-2003-12.html

"There is a remotely exploitable vulnerability in sendmail that could
allow an attacker to gain control of a vulnerable sendmail server.
Address parsing code in sendmail does not adequately check the length of
email addresses. An email message with a specially crafted address could
trigger a stack overflow. This vulnerability was discovered by Michal
Zalewski.

This vulnerability is different than the one described in CA-2003-07."

--
Bill Anderson
RHCE #807302597505773
bill@xxxxxxxxxxxxx