[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    sendmail 8.8.5 released
From:       Eric Allman <eric () Sendmail ! ORG>
Date:       1997-01-21 16:50:29
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----

Content-Type: text/plain; charset=us-ascii

FTP://ftp.sendmail.org/pub/sendmail/sendmail.8.8.5.tar.gz
FTP://ftp.cs.berkeley.edu/ucb/src/sendmail/sendmail.8.8.5.tar.gz

This release fixes a nasty security bug that allows an external
attacker to get root privileges.  This problem appeared in 8.8.3.
It is essential that you upgrade ASAP if you are running 8.8.3 or
8.8.4.  If you cannot upgrade immediately, turn off the F=9 flag
on the local and prog mailers.  You can do this by editing the
/etc/sendmail.cf file and look for the lines beginning Mlocal and
Mprog.  Find the field beginning "F=" and delete the digit "9"
from the following string.  Then restart the sendmail daemon.
If your configuration file does not include the F=9 flag, then
you are not vulnerable.  A CERT Advisory on this vulnerability
will be released soon.

I believe this to be the problem claimed by bob2@seanet.com in a
posting to comp.security.unix on January 9.  However, despite the
claim in the posting that an exploit script was sent to me and to
CERT, neither of us received any such message.  The delay between
that posting and this release is a direct cause of time spent trying
to find the problem and verify whether this is the vulnerability
that poster had in mind.  Since he declined to answer any e-mail,
we spent a considerable amount of time trying to assure ourselves
that there wasn't another problem.

I've had people tell me that there is a perception that I don't
care about security.  That isn't true -- in fact, security is one
of my top concerns.  However, I can't do it alone.  Sendmail has
always been a part time project for me, something done in my
so-called free time.  I need the help of you out there to improve
the security of sendmail.  Finding a hole and then not passing it
on to someone who can fix it doesn't help improve the net.  We're
all in this together -- please, let's start working as a team.

It has been suggested to me that I try to organize "tiger teams"
of hackers to do critical security-related code reviews.  I haven't
had time to organize such a thing myself, and I haven't been able
to find someone else who was willing to organize the process.
However, my time commitments have recently changed enough that I
would be willing to attempt this if members of the hacker community
were willing to volunteer their time.  Please let me know if you
have energy to help out.

eric



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMuUWiyPkYtS/e6QhAQFtLgQAjl2HW4velzs4I5POCZaJY/QbTbYW/fLC
oIxlRRyjeEcfNYCqqSN1kX2QkwNmlDya6uhXdK5DXvysEu5DebPmWniDkeDu+T+y
e3ON0Mmv3cVwccpYoq7bak3+e6EEg9sf586inPbD002OzZDYgKGfs/CUg6k0X+Gi
LfemAMJwHGs=
=EjSW
-----END PGP SIGNATURE-----

[prev in list] [next in list] [prev in thread] [next in thread]