[3357] in WWW Security List Archive
RE: www web security !
daemon@ATHENA.MIT.EDU (Robert P Cunningham)
Thu Oct 24 02:09:57 1996
Date: Wed, 23 Oct 96 17:56 WET
From: bob@lava.net (Robert P Cunningham)
To: alexf@iss.net, hallam@ai.mit.edu, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>Re: Sendmail. The latest, 8.8, is vulnerable. The vulnerability was
>posted to bugtraq and BoS on the 17th.
To be precise, version 8.8.0 of sendmail released by Eric Allman
on 9/26/96 had two security problems, at least one of which was
posted on bugtraq and elsewhere on 10/17/96. Eric's first fix that
day, 8.8.1 released on 10/17/96, fixed one loophole and attempted
to fix the other loophole as well, but the second fix was not
complete.
The latest version of sendmail, 8.8.2, released on 10/18/96 plugs
the 2nd loophole.
