
Sendmail Critical Vulnerability

 
Craig Jungers
Occasional Advisor

Sendmail Critical Vulnerability

There is a new critical vulnerability for all versions of sendmail prior to 8.12.8. This means that all of our SA1100s are vulnerable (my SA1100 uses version 8.10.2 - you can check by telnetting to port 25 of your appliance and reading the version) and since most of us use them for email we need to update ASAP. I have downloaded the newest version (from http://www.sendmail.org) but I'm unsure about how to compile it and install it without compromising the somewhat unorthodox directory structure of the SA1100. Can I just build a new binary and install it with unchanged config files? Does anyone have any information on this???
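The check described in the post above (read the version from the port 25 greeting and compare it with 8.12.8), as an added example that is not part of the original thread. The sample greetings and host names are constructed, and `read_banner` is a hypothetical helper meant for a mail server you administer.

```python
import re
import socket

FIXED = (8, 12, 8)  # first fixed release named in the post above

# Sendmail's default greeting contains "Sendmail <binary version>/<config version>"
BANNER_RE = re.compile(r"Sendmail (\d+(?:\.\d+)+)")

def sendmail_version(banner):
    """Return the binary version from an SMTP greeting as a tuple of ints, or None."""
    m = BANNER_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(banner):
    """Classify a greeting line as 'vulnerable', 'fixed' or 'unknown'."""
    if not banner.startswith("220"):
        return "unknown"          # not an SMTP service-ready greeting
    v = sendmail_version(banner)
    if v is None:
        return "unknown"          # version hidden or not sendmail: check the package
    v += (0,) * (len(FIXED) - len(v))   # pad so 8.12 compares as 8.12.0
    # Integer tuples compare numerically, so 8.12.10 sorts after 8.12.8
    return "vulnerable" if v < FIXED else "fixed"

def read_banner(host, port=25, timeout=5.0):
    """Read the greeting from a mail server you administer (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()

# Constructed sample greetings, not captured from real hosts
SAMPLES = [
    "220 sa1100.example.com ESMTP Sendmail 8.10.2/8.10.2; Tue, 4 Mar 2003 10:00:00 -0800",
    "220 mail.example.com ESMTP Sendmail 8.12.8/8.12.8; Tue, 4 Mar 2003 10:00:00 -0800",
    "220 mail.example.com ESMTP Sendmail 8.12.10/8.12.10; Tue, 4 Mar 2003 10:00:00 -0800",
    "220 mail.example.com ESMTP",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), "<-", line)
```

A vendor package can carry a backported fix without changing the version string in the greeting, so a "vulnerable" result is a prompt to check the installed package, not proof.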
13 REPLIES 13
Sean_71
Occasional Advisor

Re: Sendmail Critical Vulnerability

Hi Craig, can you let the group know if you do manage to upgrade this? I was under the impression that rpm -Uvh would update the binaries. But please don't quote me on this. I tried to update perl on mine and it ended up corrupting the image; this is probably because the admin scripts are written in perl. However this ended up being a library thing. What we need to do is for a group of us to try and update the whole image to the newest Redhat 8 while maintaining its functionality, and make it publicly available through ftp. I for one would be quite happy to pay a small fee towards covering people's efforts and hosting costs to provide such images.
Sean

who dares wins
Craig Jungers
Occasional Advisor

Re: Sendmail Critical Vulnerability

I compiled the sendmail package with no errors but found that simply substituting the binary (new sendmail) for the old binary didn't work. I tried to restart sendmail without success. So now I'm looking at what exactly needs to be changed in order to get the new package working. If anyone else has looked at this your comments and suggestions would be much appreciated.
BR699722
Occasional Advisor

Re: Sendmail Critical Vulnerability

Hi,

Just compiling the new sendmail sources and replacing the binaries won't work, because Sendmail 8.12 uses two mail queues. So you have to rebuild the sendmail.cf and make some other configuration changes.

The easiest way is to patch your current Sendmail with an rpm package from Redhat (if you have the Redhat distribution installed).
Download the patch and install it with "rpm -U package-name". Then restart sendmail. Be sure to make a backup copy of /etc/mail (whole directory) and /etc/sendmail.cf


HtH
Thomas
Robert-Jan Goossens
Honored Contributor

Re: Sendmail Critical Vulnerability

Hi Craig,

Follow the next link to the HPUX forum; the link is a specific call about the sendmail vulnerability.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x82599c196a4bd71190080090279cd0f9,00.html

Robert-Jan.
Craig Jungers
Occasional Advisor

Re: Sendmail Critical Vulnerability

How do I determine what version of Red Hat my server is running? I can easily determine the kernel version, the sendmail version, etc. but finding the version of Red Hat (in order to get the correct rpm) is proving difficult.
Robert-Jan Goossens
Honored Contributor

Re: Sendmail Critical Vulnerability

Hi,

If I'm not mistaken,

# uname -a
or
# uname -v

Robert-Jan.
Craig Jungers
Occasional Advisor

Re: Sendmail Critical Vulnerability

The uname -a command only returns the kernel version. On standard Linux boxes you can tell the Distro version when you telnet in, but not with the HP boxes. Any other ideas? I think it must be one of the RH v.6 distros but really would like to be sure.
Robert-Jan Goossens
Honored Contributor

Re: Sendmail Critical Vulnerability

Hi,

How about downloading and installing sysinfo?

http://www.magnicomp.com/sysinfo/sysinfo.shtml

Hope it helps,

Robert-Jan.
Sean_71
Occasional Advisor

Re: Sendmail Critical Vulnerability

I believe that all the SA1100/1120 are based upon a Redhat 6.2 server install with a few core components changed, such as sendmail and apache.

who dares wins