[ISN] Sendmail posts fix for email glitch

From: mea culpa (jerichoat_private)
Date: Thu Aug 13 1998 - 00:31:03 PDT

    Forwarded From: "Prosser, Mike" <Mike_Prosserat_private>
    
    [If you are running Sendmail 8.9.1, this might interest you.  Supposedly
     a pre-emptive fix to the long file name problem in mail handlers
     -mike]
    
    Sendmail posts fix for email glitch 
    By Randy Weston <mailto:randywat_private>
    Staff Writer, CNET NEWS.COM
    August 11, 1998, 11:25 a.m. PT 
    
    The slew of email program security holes found in recent weeks is
    prompting one of the leading makers of server-based routing software to
    develop its own solution to the problem. 
    
    Sendmail <http://www.sendmail.com/> in Emeryville, California, is to post
    today a patch that can be installed on its email server software,
    preventing companies from having to undergo the laborious task of
    installing patches on sometimes thousands of PCs spread out around a
    company. 
    
    The patch cures security holes </News/Item/0,4,24668,00.html> that
    currently affect Netscape Communications' <http://www.netscape.com/>
    Communicator email system and Microsoft's <http://www.microsoft.com/>
    Outlook and Outlook Express email software.
    
    While the security flaw is not in the server software, Sendmail began
    developing the server-based patch at the urging of the nonprofit Computer
    Emergency Response Team <http://www.cert.org/>, or CERT. The organization
    is based at Carnegie Mellon University <http://www.cmu.edu/> and focuses
    on Internet security issues. According to Sendmail executives, the patch
    they developed truncates long headers before they arrive in end users'
    mailboxes based on the setting of a new option.
    
    The "long file name" security glitch affects the way email clients handle
    file attachments with extremely long file names. When a user attempts to
    download, open, or launch a file attachment that has a name greater than
    200 characters in length, the action might cause the email software to
    crash. At that point, a skilled hacker could possibly run arbitrary code
    in the computer's memory, according to a security bulletin posted recently
    by Microsoft.
    
    The patch, which is available for free, is for Version 8.9.1 of Sendmail's
    email routing system. Users can find the patch at Sendmail's Web site
    <http://www.sendmail.com/sendmail.8.9.1a.html>.
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
    


