[12700] in bugtraq


Re: Sendmail 8.8.x - time to upgrade?

daemon@ATHENA.MIT.EDU (Gregory Neil Shapiro)
Tue Nov 23 14:13:56 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14394.17678.413872.927325@horsey.gshapiro.net>
Date:         Mon, 22 Nov 1999 23:41:02 -0800
Reply-To: Gregory Neil Shapiro <sendmail+gshapiro@SENDMAIL.ORG>
From: Gregory Neil Shapiro <sendmail+gshapiro@SENDMAIL.ORG>
X-To:         Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <lcamtuf.4.05.9907150718270.458-100000@nimue.ids.pl>

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Unfortunately, there are some bugs fixed silently till 8.9.3
lcamtuf> release - and, just like in bash case, never mentioned in CHANGES
lcamtuf> nor in security advisories.

lcamtuf> - Sendmail 8.8.8 (fixed in 8.9.3, no info about other releases) won't
lcamtuf> allow '-bd' parameter (run as daemon) if launched by luser. But '-bD'
lcamtuf> parameter (run as daemon, but in foreground) works perfectly. This
lcamtuf> has been fixed without any info in development history file.

It has always been our practice to document changes in the RELEASE_NOTES
file that accompanies the sendmail distribution.  Security-related fixes
are always included at the top and marked with "SECURITY:" tags to make
them extremely visible.  Unfortunately, we missed this one, but it certainly
wasn't left out intentionally.

lcamtuf> - there's an unpublished and theoretically harmless bug - when
lcamtuf> Sendmail daemon receives HUP, it does execve(argv[0],...) to
lcamtuf> restart itself. Unfortunately, 4th file descriptor (listen socket)
lcamtuf> isn't closed before execve.

As you note, in 8.9.3 this bug is theoretically harmless.  It will be fixed
in 8.10.0.Beta7 and future versions.

lcamtuf> Facts. Many administrators still use Sendmail 8.8.x (usually
lcamtuf> 8.8.8) as more 'stable and secure' release, believing there are no
lcamtuf> major bugs in it.

We encourage users to upgrade to the latest version regardless of the
contents of the release notes file.  Those who rely on old versions do so
at their own risk.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugs@sendmail.org.  Security issues can be
mailed to sendmail-security@sendmail.org and encrypted with the
sendmail-security@sendmail.org PGP key:

Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA             Sign & Encrypt
uid  Sendmail Security <sendmail-security@sendmail.org>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

-----END PGP SIGNATURE-----
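
The descriptor inheritance across execve() discussed in the message above, as an added example (not sendmail's code and not the change made for 8.10): the hypothetical helpers survives_exec() and mark_cloexec_above_stderr() check and set FD_CLOEXEC so that an open listen socket is not carried into the re-executed image. The loopback listen socket in main() is a constructed stand-in for the daemon's socket.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 = fd is inherited across execve(), 0 = close-on-exec set, -1 = not open. */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Set close-on-exec on every open descriptor above stderr, as a daemon
 * could do just before re-executing itself (hypothetical helper).
 * Returns the number of descriptors changed, or -1 on error. */
int mark_cloexec_above_stderr(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int changed = 0;
    if (max < 0 || max > 65536)
        max = 65536;              /* bound the scan if the limit is huge */
    for (int fd = STDERR_FILENO + 1; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;             /* not open, or already marked */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    /* Constructed stand-in for the daemon's listen socket (loopback, any port). */
    struct sockaddr_in sa = {0};
    int s = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (s < 0 || bind(s, (struct sockaddr *)&sa, sizeof sa) || listen(s, 5))
        return 1;
    printf("before: inherited=%d\n", survives_exec(s));
    printf("marked %d descriptor(s)\n", mark_cloexec_above_stderr());
    printf("after:  inherited=%d\n", survives_exec(s));
    return 0;
}
```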
