[supinfo at caldera.com: Security Update [CSSA-2001-032.0] Linux - sendmail instant root exploit]

Scot Mc Pherson behomet at home.com
Sat Aug 25 08:22:55 PDT 2001


sendmail is only vulnerable if you run it in debug mode...That article isn't
exactly new news either...it's been pretty well known and documented. You
should never be granting shell access to a sendmail server....ever...


Scot Mc Pherson
~Linux is a journey, not a guided tour~



----- Original Message -----
From: Thomas -Balu- Walter <tw at itreff.de>
To: <lfs-security at linuxfromscratch.org>
Cc: <boehme at fh-muenster.de>; <team at itreff.de>
Sent: Saturday, August 25, 2001 6:27 AM
Subject: [supinfo at caldera.com: Security Update [CSSA-2001-032.0] Linux - sendmail instant root exploit]


> Actually this is the final reason for me to switch to qmail...
>
> I was kinda satisfied with sendmail over the last years, since no bugs
> were found - now I am proved wrong...
>
> Thank god I am playing with qmail for some weeks now.
>
> http://www.securityfocus.com/templates/article.html?id=244
>
>      Ba-:(-lu
>
> ----- Forwarded message from Caldera Support Info <supinfo at caldera.com> -----
>
> From: Caldera Support Info <supinfo at caldera.com>
> To: announce at lists.caldera.com, bugtraq at securityfocus.com,
>         linux-security at redhat.com, linuxlist at securityportal.com
> Subject: Security Update [CSSA-2001-032.0] Linux - sendmail instant root exploit
> Date: Fri, 24 Aug 2001 13:57:21 -0600
> User-Agent: Mutt/1.2.5i
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ______________________________________________________________________________
>    Caldera International, Inc.  Security Advisory
>
> Subject: Linux - sendmail instant root exploit
> Advisory number: CSSA-2001-032.0
> Issue date: 2001, August 24
> Cross reference:
> ______________________________________________________________________________
>
>
> 1. Problem Description
>
>    Sendmail contains an input validation error, so local users may be
>    able to write arbitrary data to process memory, possibly allowing the
>    execution of code/commands with elevated privileges. This allows
>    a local attacker to gain access to the root account.
>
>
> 2. Vulnerable Versions
>
>    System                       Package
>    -----------------------------------------------------------
>    OpenLinux 2.3                 not vulnerable
>
> ...
> --
> Unsubscribe: send email to lfs-security-request at linuxfromscratch.org
> and put unsubscribe in the subject header of the message
>
>
