
[Sheflug] Re: Mail server



Dear All

Just to drive a point home here ..........


                        SuSE Security Announcement

        Package:                sendmail
        Announcement-ID:        SuSE-SA:2001:028
        Date:                   Thursday, Aug 23rd 2001 18:10 MEST
        Affected SuSE versions: 7.0, 7.1, 7.2
        Vulnerability Type:     local root compromise
        Severity (1-10):        5
        SuSE default package:   yes
        Other affected systems: systems using the sendmail package

    Content of this advisory:
        1) security vulnerability resolved: sendmail
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    Cade Cairns of Securityfocus discovered a vulnerability in the sendmail
    program, the widely spread MTA used in Unix- and Unix-like systems. A
    local user can write arbitrary data to the process memory, resulting in
    user-controlled code to be executed as user root.

    Please note that this is a _local_ vulnerability: Local shell access is
    needed for the attacker to be able to take advantage of this error. The
    /usr/sbin/sendmail program is installed set-uid root in most
    installations. This special privilege is needed for the sendmail program
    to operate properly. The attack pattern involves running sendmail to
    make use of the setuid-bit.
    

Looks like it's a local thing in other words ..... internal attack on
a commercial network? So, not really relevant to a home user who
wants a mail server.

Thanks


-- 
Richard
___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 