SCIENTIFIC-LINUX-USERS Archives

March 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Mon, 27 Mar 2006 11:52:02 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (41 lines)
Matthew Wysocki wrote:
> Hello,
> 
> Is the recent sendmail update (8.13.1-3.RHEL4.3) a fix for the security 
> issue with sendmail versions before 8.13.6?  We just received a notice 
> from our campus IT dept that they will block our sendmail traffic until 
> it is upgraded.
> 
> -Matt Wysocki
> 
> PS - Thanks for all the hard work on SL!
> 

Yes.

But this is a backported fix, so although the version is still 
technically 8.13.1, it has been patched to fix that problem.

If your campus IT department wants to look,
our advisory for sendmail
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0603&L=scientific-linux-errata&X=10FFC25DA5FC5E1690&Y=dawson%40fnal.gov&P=3007
contains the fix for the CVE advisory CVE-2006-0058 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058

Which is
"Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows 
remote attackers to execute arbitrary code by triggering timeouts in a 
way that causes the setjmp and longjmp function calls to be interrupted 
and modify unexpected memory locations."

We got this errata for RedHat, and their advisory is at
https://rhn.redhat.com/errata/RHSA-2006-0264.html

Hope that helps convince your IT department that it's fixed.
Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________
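The reply above makes the point that a backported fix leaves the upstream version string unchanged, so a scanner or IT department that only reads the SMTP banner ("Sendmail 8.13.1") will keep flagging a patched host. The shell script below is an added example, not code from the thread or from the Scientific Linux project: it parses the banner version, compares it against the 8.13.6 threshold named in the CVE text, and falls back to the package changelog (the text `rpm -q --changelog sendmail` prints) to detect the backport. The function names, the assumed banner format "220 host ESMTP Sendmail 8.13.1/8.13.1; date", and the sample banner and changelog fragments are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a sendmail
# host carries the CVE-2006-0058 fix. The SMTP banner only shows the
# upstream version, so a version check alone reports a backported fix as
# "vulnerable"; the RPM changelog is the record of the backport.

# Extract the upstream version from a sendmail SMTP greeting line.
# Banner format assumed: "220 host ESMTP Sendmail 8.13.1/8.13.1; <date>"
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^220 .*Sendmail \([0-9][0-9.]*\)\/.*/\1/p'
}

# Return 0 if $1 >= $2 as dotted numeric versions, 1 otherwise.
# Missing trailing components count as 0 (8.13 == 8.13.0).
version_at_least() {
    v="$1"; m="$2"
    while [ -n "$v" ] || [ -n "$m" ]; do
        a=${v%%.*}; b=${m%%.*}
        [ "$v" = "$a" ] && v="" || v=${v#*.}
        [ "$m" = "$b" ] && m="" || m=${m#*.}
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Return 0 if the changelog text ($1) mentions the CVE id ($2). Takes the
# text as an argument so saved "rpm -q --changelog" output can be checked
# offline, on a host without rpm.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Verdict for CVE-2006-0058: fixed if the upstream version is >= 8.13.6, or
# if the package changelog records the backport. Prints the reason and
# returns 0 when fixed, 1 when it should be treated as vulnerable.
sendmail_cve_2006_0058_status() {
    banner="$1"; changelog="$2"
    ver=$(banner_version "$banner")
    if version_at_least "$ver" 8.13.6; then
        echo "fixed: upstream version $ver >= 8.13.6"; return 0
    fi
    if changelog_mentions_cve "$changelog" CVE-2006-0058; then
        echo "fixed: version $ver, backport of CVE-2006-0058 recorded in package changelog"; return 0
    fi
    echo "vulnerable: version $ver and no CVE-2006-0058 entry in changelog"; return 1
}

# Constructed sample data (not real captures): a banner from a patched host
# that still announces 8.13.1, and two changelog fragments in the style
# rpm prints, one with and one without the backport entry.
SAMPLE_BANNER='220 mail.example.org ESMTP Sendmail 8.13.1/8.13.1; Mon, 27 Mar 2006 11:52:02 -0600'
SAMPLE_CHANGELOG_FIXED='* Wed Mar 22 2006 Example Packager <packager@example.org> 8.13.1-3.RHEL4.3
- fix signal handler race condition (CVE-2006-0058)'
SAMPLE_CHANGELOG_OLD='* Wed Jun 22 2005 Example Packager <packager@example.org> 8.13.1-2
- rebuild'

# Live use on a real host would look like:
#   sendmail_cve_2006_0058_status "$(printf 'QUIT\r\n' | nc mail.example.org 25 | head -n 1)" \
#                                 "$(rpm -q --changelog sendmail)"
sendmail_cve_2006_0058_status "$SAMPLE_BANNER" "$SAMPLE_CHANGELOG_FIXED"
```

The order of the two checks matters: the version test is the cheap, remotely observable one and is enough for an upstream build of 8.13.6 or later, but it is only a positive signal. A version below 8.13.6 must not be reported as vulnerable until the local changelog has been consulted, because that is the only place a distribution's backport is recorded.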
