[126] in Release_7.7_team


Sendmail vulnerability

daemon@ATHENA.MIT.EDU (Matt Braun)
Fri Jul 15 18:04:25 1994

To: release-77@MIT.EDU
Cc: holes@MIT.EDU
Date: Fri, 15 Jul 1994 18:03:38 EDT
From: Matt Braun <mhbraun@MIT.EDU>


The CERT has recently sent out an advisory regarding sendmail which includes
the versions we are running.  This means that if we include the current
version of sendmail in the release, then we are opening our clients up to a
known vulnerability (even if they are not running a sendmail daemon).  

The CERT advisory deals with 2 vulnerabilities, one of which we understand
fairly thoroughly (and can patch) and the other which is relatively unknown.  

As I see it we have 3 choices:

1) Do nothing (make our clients vulnerable)

2) Patch our sendmail (5.61) so that it is not susceptible to the hole.  

3) Upgrade to a newer version of sendmail (8.6.8 or later, 8.6.9 is the
latest)

The problem with 1) is obvious.  2) depends on being able to get from the CERT
the information we need to patch the second hole.  The problem with 3) is that
sendmail 8 might break some sendmail.cf's.


			Matt

