[131] in Release_7.7_team


Re: Sendmail vulnerability

daemon@ATHENA.MIT.EDU (Ezra Peisach)
Sat Jul 16 14:23:32 1994

Date: Sat, 16 Jul 94 14:25:01 -0400
From: epeisach@nemesis.rose.brandeis.edu (Ezra Peisach)
To: release-77@MIT.EDU


a) sendmail in the release is not being compiled for any of the
supported platforms. The Vax and the RT's were the last that did. The
postmasters compiled sendmail for their servers, but it is not in the
release.

This means patching them is not an option.

b) For all supported platforms, patches are available from the vendors.
I suggest getting them and installing them. Odds are they will be
compatible (although on the Ultrix side, I think the hostname hack in
sendmail.cf will have to be changed....)

c) Upgrading to sendmail 8.6.8.... is appealing, but that requires
development time to make sure sendmail compiles, functions and that the
configuration file work does the right things on clients and 'servers' -
discuss servers use mail. I've heard a rumor and did not verify it, but
frozen configuration files may be a thing of the past... This would
require rc.athena changes.... There are programs which used to work in
7.6 on the Suns and are now broken in 7.7 - the compilation environment
is tricky....

d) If you go with the /usr/athena/lib/sendmail (yuck) - you will run
into trouble unless you can really make sure you get all the references
to /usr/lib/sendmail. Presumably you want to disable the
/usr/lib/sendmail, but then some third party program will try to use
/usr/lib/sendmail and you lose.... For instance in the mail message
describing what to change, don't forget emacs, and
/usr/athena/etc/mtstailor... 


	Ezra




