List:       bugtraq
Subject:    Re: sendmail 8.12.9 available
From:       Dan Harkless <bugtraq () harkless ! org>
Date:       2003-03-29 20:55:54

Claus Assmann <ca+announce@sendmail.org> writes:
> We apologize for releasing this information today (2003-03-29) but
> we were forced to do so by an e-mail on a public mailing list (that
> has been sent by an irresponsible individual) which contains
> information about the security flaw.
[...]
>       SECURITY: Fix a buffer overflow in address parsing due to
>               a char to int conversion problem which is potentially
>               remotely exploitable.  Problem found by Michal Zalewski.
>               Note: an MTA that is not patched might be vulnerable to
>               data that it receives from untrusted sources, which
>               includes DNS.

Since this was publicly disclosed before a patch was available, I'm sure a
lot of people would be interested in knowing whether attempts to exploit
this are detectable in the syslog in sendmail's default configuration.

--
Dan Harkless
bugtraq@harkless.org
http://harkless.org/dan/