[19375] in bugtraq
Re: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
daemon@ATHENA.MIT.EDU (Claus Assmann)
Mon Feb 26 17:58:44 2001
Message-ID: <20010223134101.A9204@zardoc.endmail.org>
Date: Fri, 23 Feb 2001 13:41:01 -0800
Reply-To: Claus Assmann <ca+bugtraq@ZARDOC.ENDMAIL.ORG>
From: Claus Assmann <ca+bugtraq@ZARDOC.ENDMAIL.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010222140935.A3706@turbolinux.com>; from
security@TURBOLINUX.COM on Thu, Feb 22, 2001 at 02:09:35PM -0800
On Thu, Feb 22, 2001, security@TURBOLINUX.COM wrote:
I sent an e-mail to security@TURBOLINUX.COM yesterday but got
no reply up to now. So I'll try it here.
> Vulnerable Packages: All versions previous to 8.11.2-5
> Date: 02/21/2001 5:00 PDT
> TurboLinux Advisory ID#: TLSA2001003-1
> 2. Impact
>
> A user can gain root privileges.
Does TurboLinux have any proof for this claim or is it just a guess?
If the former: why has sendmail-security@sendmail.org not been contacted?
If the latter: why isn't this explicitly stated here?
BTW: Another advisory (TLSA2000013-1) from TurboLinux also made a
wrong claim about sendmail. It would be nice to be more careful.
PS: The segfault problem has been fixed in 8.11.2 as the RELEASES_NOTES
clearly say.