-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Unfortunately, there are some bugs fixed silently till 8.9.3
lcamtuf> release - and, just like in the bash case, never mentioned in CHANGES
lcamtuf> nor in security advisories.

lcamtuf> - Sendmail 8.8.8 (fixed in 8.9.3, no info about other releases) won't
lcamtuf> allow the '-bd' parameter (run as daemon) if launched by a luser. But the '-bD'
lcamtuf> parameter (run as daemon, but in foreground) works perfectly. This
lcamtuf> has been fixed without any info in the development history file.

It has always been our practice to document changes in the RELEASE_NOTES
file that accompanies the sendmail distribution. Security-related fixes
are always included at the top and marked with "SECURITY:" tags to make
them extremely visible. Unfortunately, we missed this one, but it certainly
wasn't left out intentionally.

lcamtuf> - there's an unpublished, and theoretically harmless, bug - when
lcamtuf> the Sendmail daemon receives HUP, it does execve(argv[0],...) to
lcamtuf> restart itself. Unfortunately, the 4th file descriptor (listen socket)
lcamtuf> isn't closed before execve.

As you note, in 8.9.3 this bug is theoretically harmless. It will be
fixed in 8.10.0.Beta7 and future versions.

lcamtuf> Facts. Many administrators still use Sendmail 8.8.x (usually
lcamtuf> 8.8.8) as the more 'stable and secure' release, believing there are no
lcamtuf> major bugs in it.

We encourage users to upgrade to the latest version regardless of the
contents of the release notes file. Those who rely on old versions do so
at their own risk.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugsat_private. Security issues can be
mailed to sendmail-securityat_private and encrypted with the
sendmail-securityat_private PGP key:

Type Bits KeyID      Created    Expires    Algorithm Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA       Sign & Encrypt
uid  Sendmail Security <sendmail-securityat_private>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

iQCVAwUBODpEq8ApykAW9MzpAQHTqQP9F0rrtXwZtLpPTtjuydRAqjxLVdohNBB4
n0wN1xkvmZTIx9fQpwJJSVwlGUQxWU8woF/dVjrZs0j9yvVRu9NYmWNcTjKeAP6t
pW8iG4o+Zg63zKy7MirGmcgsmI3eNv5iepXq9Tb7G0z5ZK7eo4HSjJeuXB2XeyjZ
kI8E9zt+hm0=
=csx0
-----END PGP SIGNATURE-----
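The descriptor-inheritance point raised in the exchange above (a daemon's listen socket not being closed before it re-executes itself on SIGHUP) is a general bug class: any descriptor without FD_CLOEXEC survives execve() and ends up in whatever program image is started. The C program below is an added example, not sendmail's code; it shows how to check a descriptor's close-on-exec state with fcntl() and the two standard fixes, marking the descriptor FD_CLOEXEC or sweeping descriptors closed before the exec. The function names are my own, and the self-check uses /dev/null as a stand-in for a listen socket so it runs without network access; main() opens a real loopback listening socket to show the same thing on a socket.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Report whether a descriptor would be inherited by a program started with
 * execve(): 1 = inherited (no FD_CLOEXEC), 0 = closed on exec, -1 = bad fd. */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Fix 1: set FD_CLOEXEC so the kernel closes the descriptor during execve(). */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Fix 2, used by daemons that re-exec themselves: explicitly close every
 * descriptor in a range (typically 3 .. highest) before calling execve().
 * Returns how many descriptors were actually open and got closed. */
int close_fds_from(int first, int last)
{
    int n = 0;
    for (int fd = first; fd <= last; fd++)
        if (close(fd) == 0)
            n++;
    return n;
}

/* Self-check on a plain descriptor (constructed: /dev/null instead of a real
 * listen socket). Returns 1 if the descriptor is inherited by default and
 * stops being inherited once marked, else 0. */
int check_cloexec_roundtrip(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    int before = survives_exec(fd);
    int rc = mark_cloexec(fd);
    int after = survives_exec(fd);
    close(fd);
    return (before == 1 && rc == 0 && after == 0) ? 1 : 0;
}

int main(void)
{
    /* A listening TCP socket like a daemon's, bound to loopback on a
     * kernel-chosen port (constructed for the demonstration). */
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 5) < 0) {
        perror("listen socket");
        return 1;
    }
    printf("listen fd %d inherited across execve: %s\n", lfd,
           survives_exec(lfd) ? "yes" : "no");
    mark_cloexec(lfd);
    printf("after FD_CLOEXEC, inherited across execve: %s\n",
           survives_exec(lfd) ? "yes" : "no");
    close(lfd);
    return 0;
}
```

On a running system the same check can be made from outside the process: `ls -l /proc/<pid>/fd` lists every descriptor a daemon holds, and a listen socket that appears in a freshly re-executed image is the symptom described above.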
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:52 PDT