[luau] Security - Sendmail Remote Hole
Warren Togami
warren at togami.com
Mon Mar 3 11:09:01 PST 2003
This hole is very serious. Please patch your server if you have
sendmail running. Many people run sendmail for no good reason too;
turn it off if you don't need it. Sendmail is mainly an e-mail server
to RECEIVE mail or sometimes to send mail from server applications (like
web scripts); most end-users do NOT need Sendmail to send mail.
http://slashdot.org/article.pl?sid=03/03/03/198255&mode=thread&tid=126&tid=95&tid=172
ISS Discovers A Remote Hole In Sendmail
randal writes "A security vulnerability in the Sendmail Mail Transfer
Agent (MTA) has been identified by ISS. This bug can give an attacker
the ability to gain remote root access to the targeted system. There is
no known exploit code of this vulnerability in the wild at this time,
but everyone should upgrade immediately. This issue affects all versions
since 5.79. Open Source sendmail users can get source for the newest
version (8.12.8) as well as patches for 8.9, 8.11, and 8.12 from
sendmail.org. Commercial Sendmail customers can find patches at
sendmail.com/security. Most major OS vendors will be releasing patches
immediately." Update: 03/03 19:23 GMT by T: Reader Patchlevel points out
that RedHat and OpenBSD have already issued patches.
http://www.redhat.com/support/alerts/sendmail_vulnerability.html
How the Sendmail vulnerability affects Red Hat Linux users
"Since this is a message-based vulnerability, MTAs other than Sendmail
may pass on the carefully crafted message. This means that unpatched
versions of Sendmail inside a network could still be at risk even if
they do not accept external connections directly."
Warren Togami
warren at togami.com