[2050] in bugtraq


Re: SM 8.6.12

daemon@ATHENA.MIT.EDU (Eric Allman)
Sun Jul 16 15:11:17 1995

Date:         Sun, 16 Jul 1995 09:25:17 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Eric Allman <eric@CS.Berkeley.EDU>
X-To:         maf@net.ohio-state.edu
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  Mail from "Mark A. Fullmer" <maf@net.ohio-state.edu> dated Thu,
              13 Jul 1995 10:02:02 EDT
              <199507131402.KAA02492@bedbugs.net.ohio-state.edu>

Frankly, I would like to know myself.  I haven't spoken to Ches
about it -- perhaps I'll find someone who knows something about
this at IETF next week.

eric


Re:
: From:  "Mark A. Fullmer" <maf@net.ohio-state.edu>
: Subject:  Re: SM 8.6.12
: Date:  Thu, 13 Jul 1995 10:02:02 -0400 (EDT)

: Nathan Lawson writes:
: >
: >I would like to know if anyone has heard of the newest holes in sendmail 8.6.12.
: >My details are sketchy, but once again, there is a remote, as well as local
: >hole.
: >
: >Sendmail is convenient; convenience is evil!
:
: A few weeks ago at the Cisco Networkers conference Bill Cheswick hinted at
: a newfound sendmail security problem in 8.6.12 which Eric had fixed in 8.7.
:
: The 8.7 release notes contain:
:
:     SECURITY: avoid denial-of-service attacks possible by destroying
:         the alias database file by setting resource limits low.
:         This involves adding two new compile-time options:
:         HASSETRLIMIT (indicating that setrlimit(2) support is
:         available) and HASULIMIT (indicating that ulimit(2) support
:         is available -- the Release 3 form is used).  The former
:         is assumed on BSD-based systems, the latter on System
:         V-based systems.  Attack noted by Phil Brandenberger of
:         Swarthmore University.
:
: Is this the problem, or is it worse?  Eric?
:
: --
: mark
: maf+@osu.edu
:
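
The class of problem named in the quoted 8.7 release note, as an added illustration that is not part of the original thread and is not sendmail's code: a file rewritten under a low inherited RLIMIT_FSIZE comes out short unless the program resets the limit first with setrlimit(2). The function names, the scratch path passed in, and the sizes are assumptions made for this sketch.

```c
#include <fcntl.h>
#include <signal.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical helper: lift the soft file-size limit back to the hard limit.
 * A process running as root could also raise the hard limit itself. */
int reset_fsize_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Rewrite `path` with `size` bytes while the soft RLIMIT_FSIZE is `inherited`,
 * as if the invoking user had set it. With `harden` nonzero the limit is
 * reset before writing. Returns the bytes that reached the file, or -1. */
long rebuild_under_limit(const char *path, size_t size, rlim_t inherited,
                         int harden)
{
    char chunk[64] = {0};
    struct rlimit saved, low;
    size_t done = 0;
    int fd, ok = 0;

    if (getrlimit(RLIMIT_FSIZE, &saved) != 0)
        return -1;
    if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
        return -1;
    low = saved;
    low.rlim_cur = inherited;                /* simulate the caller's limit */
    signal(SIGXFSZ, SIG_IGN);                /* get EFBIG instead of dying */
    if (setrlimit(RLIMIT_FSIZE, &low) == 0 &&
        (!harden || reset_fsize_limit() == 0)) {
        ok = 1;
        while (done < size) {
            size_t want = size - done < sizeof chunk ? size - done : sizeof chunk;
            ssize_t n = write(fd, chunk, want);
            if (n <= 0)
                break;                       /* limit reached: file is short */
            done += (size_t)n;
        }
    }
    close(fd);
    unlink(path);
    setrlimit(RLIMIT_FSIZE, &saved);         /* restore for the caller */
    return ok ? (long)done : -1;
}
```

A caller should still compare the returned count with the intended size and keep the previous file when they differ.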
