[Sheflug] Re: Mail server
Dear All
Just to drive a point home here ..........
SuSE Security Announcement
Package: sendmail
Announcement-ID: SuSE-SA:2001:028
Date: Thursday, Aug 23rd 2001 18:10 MEST
Affected SuSE versions: 7.0, 7.1, 7.2
Vulnerability Type: local root compromise
Severity (1-10): 5
SuSE default package: yes
Other affected systems: systems using the sendmail package
Content of this advisory:
1) security vulnerability resolved: sendmail
problem description, discussion, solution and upgrade
information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade
information
Cade Cairns of Securityfocus discovered a vulnerability in the
sendmail program, the widely spread MTA used in Unix- and Unix-like
systems. A local user can write arbitrary data to the process memory,
resulting in user-controlled code to be executed as user root.
Please note that this is a _local_ vulnerability: Local shell
access is needed for the attacker to be able to take advantage of
this error. The /usr/sbin/sendmail program is installed set-uid root
in most installations. This special privilege is needed for the
sendmail program to operate properly. The attack pattern involves
running sendmail to make use of the setuid-bit.
Looks like it's a local thing in other words ..... internal attack on
a commercial network? So, not really relevant to a home user who
wants a mail server.
Thanks
--
Richard
___________________________________________________________________
Sheffield Linux User's Group - http://www.sheflug.co.uk .
To unsubscribe from this list send mail to
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.