Matthew Wysocki wrote:
> Hello,
>
> Is the recent sendmail update (8.13.1-3.RHEL4.3) a fix for the security
> issue with sendmail versions before 8.13.6? We just received a notice
> from our campus IT dept that they will block our sendmail traffic until
> it is upgraded.
>
> -Matt Wysocki
>
> PS - Thanks for all the hard work on SL!
>
Yes.
But this is a backported fix, so although the version is still
technically 8.13.1, it has been patched to fix that problem.
If your campus IT department wants to look,
our advisory for sendmail
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0603&L=scientific-linux-errata&X=10FFC25DA5FC5E1690&Y=dawson%40fnal.gov&P=3007
contains the fix for the CVE advisory CVE-2006-0058 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
which is
"Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows
remote attackers to execute arbitrary code by triggering timeouts in a
way that causes the setjmp and longjmp function calls to be interrupted
and modify unexpected memory locations."
We got this errata from Red Hat, and their advisory is at
https://rhn.redhat.com/errata/RHSA-2006-0264.html
Hope that helps convince your IT department that it's fixed.
Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab Computing Division/CSS CSI Group
__________________________________________________
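The backport point above is exactly where a version-only scan goes wrong: a scanner that insists on "8.13.6 or later" will keep flagging 8.13.1-3.RHEL4.3 even though the fix is in. The script below is an added example, not part of the list post or of the Scientific Linux or Red Hat packages; it compares the upstream version against 8.13.6 and, when that fails, falls back to looking for the CVE identifier in the package changelog, which is how a backport is normally confirmed. The changelog text here is a constructed sample; on a real host substitute the output of `rpm -q --changelog sendmail`.

```shell
#!/bin/sh
# Added example: classify an installed sendmail RPM with respect to
# CVE-2006-0058. Not the distribution's own tooling.
#
# Constructed sample changelog (the real one comes from
# `rpm -q --changelog sendmail`; the entry text below is made up).
SAMPLE_CHANGELOG='* Wed Mar 22 2006 Example Packager <pkg@example.invalid> 8.13.1-3.RHEL4.3
- fix signal handler race condition (CVE-2006-0058) (sample entry)
* Mon Feb 21 2005 Example Packager <pkg@example.invalid> 8.13.1-2
- rebuild'

# upstream_version VERSION-RELEASE : print the upstream part before the
# first dash, e.g. 8.13.1-3.RHEL4.3 -> 8.13.1
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# version_ge A B : exit 0 when dotted numeric version A >= B, else 1.
# Sendmail versions are purely numeric components, which is all this handles.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a='' || a="${a#*.}"
        [ "$b" = "$bx" ] && b='' || b="${b#*.}"
        : "${ax:=0}" "${bx:=0}"   # missing trailing components count as 0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0
}

# sendmail_cve_2006_0058_status VERSION CHANGELOG
# Prints one of: fixed-upstream | fixed-backport | vulnerable
#   fixed-upstream : version is 8.13.6 or later, fixed by version alone
#   fixed-backport : older version string, but the changelog names the CVE
#   vulnerable     : older version string and no sign of the fix
sendmail_cve_2006_0058_status() {
    ver="$1"; changelog="$2"
    if version_ge "$ver" 8.13.6; then
        echo fixed-upstream
    elif printf '%s\n' "$changelog" | grep -q 'CVE-2006-0058'; then
        echo fixed-backport
    else
        echo vulnerable
    fi
}

# Stand-alone run against the constructed sample.
installed=8.13.1-3.RHEL4.3
uv=$(upstream_version "$installed")
echo "sendmail $installed (upstream $uv): $(sendmail_cve_2006_0058_status "$uv" "$SAMPLE_CHANGELOG")"
```

The version compare is deliberately kept so that a plain "before 8.13.6" rule alone would report the backport as vulnerable; only the changelog lookup rescues it. Matching on the CVE identifier in `rpm -q --changelog` output is the same evidence the Red Hat advisory gives for its own packages, so it is what an IT department can be pointed at when the version number alone does not convince them.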