Re: Sendmail 8.8.x - time to upgrade?

From: Gregory Neil Shapiro (sendmail+gshapiroat_private)
Date: Mon Nov 22 1999 - 23:41:02 PST

Next message: Mnemonix: "Re: WordPad/riched20.dll buffer overflow"

Previous message: CyberPsychotic: "Re: Caldera Pine Advisory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Unfortunately, there are some bugs fixed silently till 8.9.3
lcamtuf> release - and, just like in bash case, never mentioned in CHANGES
lcamtuf> nor in security advisories.

lcamtuf> - Sendmail 8.8.8 (fixed in 8.9.3, no info about other releases) won't
lcamtuf> allow '-bd' parameter (run as daemon) if launched by luser. But '-bD'
lcamtuf> parameter (run as daemon, but in foreground) works perfectly. This
lcamtuf> has been fixed without any info in development history file.

It has always been our practice to document changes in the RELEASE_NOTES
file that accompanies the sendmail distribution.  Security related fixes
are always included at the top and marked with "SECURITY:" tags to make
them extremely visible.  Unfortunately, we missed this one but it certainly
wasn't left out intentionally.

lcamtuf> - there's unpublished, and theoretically harmless bug - when
lcamtuf> Sendmail daemon receives HUP, it does execve(argv[0],...) to
lcamtuf> restart itself. Unfortunately, 4th file descriptor (listen socket)
lcamtuf> isn't closed before execve.

As you note, in 8.9.3 this bug is theoretically harmless.  It will be fixed
in 8.10.0.Beta7 and future versions.

lcamtuf> Facts. Many administrators still uses Sendmail 8.8.x (usually
lcamtuf> 8.8.8) as more 'stable and secure' release, believing there are no
lcamtuf> major bugs in it.

We encourage users to upgrade to the latest version regardless of the
contents of the release notes file.  Those who rely on old versions do so
at their own risk.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugsat_private  Security issues can be
mailed to sendmail-securityat_private and encrypted with the
sendmail-securityat_private PGP key:

Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA             Sign & Encrypt
uid  Sendmail Security <sendmail-securityat_private>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

iQCVAwUBODpEq8ApykAW9MzpAQHTqQP9F0rrtXwZtLpPTtjuydRAqjxLVdohNBB4
n0wN1xkvmZTIx9fQpwJJSVwlGUQxWU8woF/dVjrZs0j9yvVRu9NYmWNcTjKeAP6t
pW8iG4o+Zg63zKy7MirGmcgsmI3eNv5iepXq9Tb7G0z5ZK7eo4HSjJeuXB2XeyjZ
kI8E9zt+hm0=
=csx0
-----END PGP SIGNATURE-----

Next message: Mnemonix: "Re: WordPad/riched20.dll buffer overflow"
Previous message: CyberPsychotic: "Re: Caldera Pine Advisory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:52 PDT