topic Re: New sendmail issue? in Operating System - HP-UX

New sendmail issue?

Gerald Miller_1 — Mon, 31 Mar 2003 15:45:11 GMT

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail addresses a new issue that is supossedly different from the one in CA-2003-07.

The advisory did not have any comment from HP, and I was wondering if a new patch was needed for our HP-UX 11.00 systems.

Thanks!

Re: New sendmail issue?

Denver Osborn — Mon, 31 Mar 2003 16:30:00 GMT

Here's a snipit from that CERT Advisory;
____________________________________________
Hewlett-Packard
SOURCE: Hewlett-Packard Company HP Services Software Security Response Team

x-ref: SSRT3531

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.
____________________________________________

I've looked at our security bulletins and have not seen one for this yet. I'm sure that if/when an issue is found that a security bulletin will be issued regarding any potential problem w/ a recommended action to resolve.

To view security bulletins; start at the ITRC - http://www.itrc.hp.com -> click "maint and support" -> click "support info digests" at bottom of page, below notifications. Click "HP Security Bulletins Archive" at the bottom of page to view all sec bulletins.

Hope this helps,
-denver

Re: New sendmail issue?

Gerald Miller_1 — Mon, 31 Mar 2003 17:55:05 GMT

Denver,
Thanks for the help there... I didn't even bother to check the CERT site... I thought maybe they'd send me an email when they updated, but I guess not.

Thanks for the information.

Re: New sendmail issue?

Berlene Herren — Mon, 31 Mar 2003 17:56:52 GMT

There will be a general release patch around 29 April that will address both Certs, CA-2003-12 and -07. Again, these will be for 8.9.3 on 10.20 and 11.0 and 8.11.1 for 11.0 and 11i.

I do not believe there will be any other release until then.

Berlene

Re: New sendmail issue?

Steven E. Protter — Wed, 02 Apr 2003 05:19:46 GMT

So those of us who went to the 8.11.x release sd-ux depots are left hanging?

That hardly seems to be a balanced approach.

Sendmail is becoming a very large security issue draining my resources from a complex server rollout project.

My resources refers to my time.

SEP

Re: New sendmail issue?

Animesh Chakraborty — Wed, 02 Apr 2003 08:52:22 GMT

Hi Gerald,
See my posting on same issue here:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc43eb941255cd71190080090279cd0f9,00.html

Re: New sendmail issue?

Scott Donaldson — Wed, 02 Apr 2003 20:30:10 GMT

Hmmm,

Comment 1) HP does seem to take its time patching what is in effect Open Source software. OTOH I built Sendmail 8.12.8 on an 11.00 box (selectively patched). My first issue was with PMTU. I was missing a Cumulative ARPA patch and mail to sites using CISCO PIX firewalls and the 'Mail Guard' feature turned on stalled in the queue. Once that was fixed after running for 36 hours I started seeing kernel memory leaks.

I suspect my GNU toolchain..but haven't verified that as the problem yet.

I fell back to HP 8.11.1 + JagGae58098 and that worked fine.

Comment 2) Don't make it easy to find hackable targets!!!

WHY does sendmail (from HP or sendmail.org) have to identify its version in the smtp greeting , the help message, and any message headers. HP's case is even worse since the most recently applied patch is also identified.

An administrator can modify the greeting message, and can modify the headers, and can remove the version from the help file. BUT if you remove the whole help file sendmail will generate a HARD CODED message telling you help is not available - with it's version embedded in the message.

Berlen H. please pass these last comments along to see if the next patch can obscure version/patch info from the outside world.

TIA,

Scott.

Re: New sendmail issue?

Christopher Caldwell — Thu, 03 Apr 2003 21:00:49 GMT

To obscure the version / patch ID, modify this line in sendmail.cf:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

Re: New sendmail issue?

Christopher Caldwell — Fri, 04 Apr 2003 13:29:35 GMT

Yup --

see

SECURITY BULLETIN: HPSBUX0304-253

You need sendmail.811.11.11.r2.