Monday, March 3, 2003

Received another security notice from RedHat this afternoon:

During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by sendmail, causes arbitrary code to be executed as root.

We are advised that a proof-of-concept exploit is known to exist, but is not believed to be in the wild.

Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly.

In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A successful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file.

Wow, that's one of the best looking security holes I've heard of in quite a while :-) Update time...
Posted 1:13:00 PM, filed under: Security
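The notice above makes two points worth turning into a check: the fix ships in Sendmail 8.12.8, and because the trigger travels inside the message, internal Sendmail hosts behind a border relay need patching just as much as the ones that accept connections from the Internet. The script below is an added example, not part of the original post or of the RedHat notice: it takes a list of SMTP greeting banners (here a constructed, made-up sample of the kind an internal inventory script would collect by connecting to port 25 on each host), pulls the Sendmail version out of each, and classifies every host as vulnerable, patched, or unknown. The hostnames and banners are invented for illustration. Two caveats a practitioner should keep in mind: vendor packages such as RedHat's often backport the fix without bumping the upstream version string, so a banner below 8.12.8 is a lead to confirm against the package changelog, not proof; and a site that has customised SmtpGreetingMessage may hide or alter the version entirely, which this check reports as unknown rather than patched.

```python
import re

# First upstream release that carries the fix, per the RedHat notice quoted above.
FIXED_VERSION = "8.12.8"

# Constructed sample banners (made-up hosts), as an internal port-25 sweep
# might collect them. Note the mix of border and purely internal relays:
# the message-based trigger reaches all of them.
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Sendmail 8.12.7/8.12.7; Mon, 3 Mar 2003 14:02:11 -0500",
    "220 relay.example.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 3 Mar 2003 14:02:12 -0500",
    "220 lists.example.net ESMTP Sendmail 8.12.8/8.12.8; Mon, 3 Mar 2003 14:02:13 -0500",
    "220 smtp.example.net ESMTP Postfix",
]

# Matches the numeric prefix of the version Sendmail announces in its banner;
# suffixes such as "p1" or "-Beta" are ignored for the comparison.
_VERSION_RE = re.compile(r"\bSendmail\s+(\d+)\.(\d+)\.(\d+)")


def version_tuple(s):
    """'8.12.8' -> (8, 12, 8), so versions compare numerically, not lexically."""
    return tuple(int(x) for x in s.split("."))


def parse_sendmail_version(banner):
    """Return (major, minor, patch) from an SMTP banner, or None when the
    banner does not identify itself as Sendmail (other MTA, or a site that
    changed SmtpGreetingMessage to hide the version)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(banner, fixed=FIXED_VERSION):
    """True if the banner reports a Sendmail older than `fixed`, False if it
    reports `fixed` or newer, None if the version cannot be determined.
    Caveat: vendor backports keep the old version string, so True means
    'confirm against the package changelog', not 'exploitable'."""
    v = parse_sendmail_version(banner)
    if v is None:
        return None
    return v < version_tuple(fixed)


def banner_host(banner):
    """Host name from a '220 <host> ...' greeting, or '?' if absent."""
    parts = banner.split()
    if len(parts) >= 2 and parts[0] == "220":
        return parts[1]
    return "?"


def triage(banners, fixed=FIXED_VERSION):
    """Map each host to 'vulnerable', 'patched' or 'unknown'."""
    report = {}
    for line in banners:
        state = is_vulnerable_version(line, fixed)
        if state is None:
            report[banner_host(line)] = "unknown"
        elif state:
            report[banner_host(line)] = "vulnerable"
        else:
            report[banner_host(line)] = "patched"
    return report


if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_BANNERS).items()):
        print("%-20s %s" % (host, state))
```

Run against real data, the banner list would come from a socket connect to each mail host on the network, border and internal alike; anything reported as unknown needs a look by hand, since a silent or non-standard greeting says nothing about whether the host is patched.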



© copyright 2002-2004
Precision IT Mgmt, Inc
last updated 3/20/04; 5:42:37 PM