[plug] This Mailing list

John Summerfield summer at OS2.ami.com.au
Sun Jan 30 07:43:00 WST 2000


> 
> You must be on the wrong lists.  Below are three *very recent* sendmail
> vulnerabilities.  If you doubt their authenticity, have a look at
> www.securityfocus.com which is where I got them from by doing a simple
> search on the word "sendmail".

It's a woeful web site; it's chewing up about 3k/sec of bandwidth just with 
ads and cookies.

I searched 'advisories' for sendmail; got lots of hits - 203 to be precise.

Here's one:
96) advisories: E-12 Network Monitoring Attacks Update.
    Score: 45.2%, Hits: 1   [Size: 3.5 Kb]
    E-12: Network Monitoring Attacks Update   Published: Fri Mar 18 1994   Updated: Fri Mar 18 1994
    ADVISORY NOTICE E-12: Network Monitor...
    http://www.securityfocus.com/templates/advisory.html?id=849

While sendmail (on Solaris) gets mentioned, so does tar.

Finding any relevant to me is a chore I'm not going to bother with.

> 
> December 20th, 1999 (that's more recent than Feb 97, isn't it?)
> ================================================================
> Remote user may exhaust system resources and potentially force a reboot.
> 
> December 7th, 1999
> ===================
> Any local user can corrupt the aliases database.
> 
> November 5th, 1999
> ===================
> Any local user can gain complete control over the mail server.

These last two are going to bother home users no end.

Christian:
I'm glad you've produced some facts at last. While the last two are 
serious in some environments (most notably universities) but not all, they 
do show that bugs in sendmail do exist; if they apply to sendmail 8.9.3 
then some should be concerned.

I can't evaluate the first; I didn't see it - I don't know how the report 
I got was ordered, but it certainly was not by date. I speculate that a 
remote user would need more bandwidth than offered by a modem.


The incidents I saw were ancient and/or applied to old versions of 
sendmail.


Note:
If your system came with some other Mail Transport Agent (Brett: that's 
what MTA means; you will also see MUA for Mail User Agent [eg Netscape] 
and MDA for Mail Delivery Agent, the program sendmail uses to store incoming 
mail in users' mailboxes) installed, I'd recommend equally seriously that 
you keep THAT one in place, unless you have a problem with it.


I also recommend against recompiling software just to optimise it for your 
CPU, or upgrading to new releases of software just because they're there. 
Should anyone ask, I'd tell them not to bother with the new BIND that C 
mentioned; it's sure to be full of new bugs for quite a while - that's the 
nature of new software. Better to bolt the old one down in a cage for the 
short term, and not to update to the latest and greatest new computer if your 
ancient 486 is doing the job well enough.

I have to say, though, a BP6, two sticks of Celery and 128M looks tempting.

-- 
Cheers
John Summerfield
http://os2.ami.com.au/os2/ for OS/2 support.
Configuration, networking, combined IBM ftpsites index.
