Re: Sendmail Vulnerability

Venkatesan_5 · ‎01-24-2011

Hi, we have a HPUX11.31 server with SAP application running on it.

Issue details:
We are using Sendmail to receive incoming mails to SAP application. We have received Security Alert for sendmail from security team.

Alert: There is a bug in sendmail that can allow any body to send a crafted email with code that can give them root access.

we have sendmail version 8.13.34 loaded in 11.31.
)#what /usr/sbin/sendmail | grep version
Sendmail version 8.13.3 - Revision 1.003:: HP-UX11.31 - 8th December,2008

)#swlist -l product | grep -i send
Sendmail C.8.13.3.4 Mail Transfer Protocol daemons and utilities

Does this version still have this bug or do I need to update it to 8.13.3.5 as per the reference given below

https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=SMAIL813

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813

Kindly help me with your inputs...

Thanks in Advance.

RickT_1 · ‎01-25-2011

This vulnerability only applies if you have STARTTLS enabled. I'm sending you the document so you can see exactly what the vulnerability is and decide how best to handle it. http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02009860

This should answer all of your questions.

Rick

Rita C Workman · ‎01-25-2011

There was a fix done around mid-2010. Version 8.13.3.4.1.
So anything from this version...on will have the fix.

Regards,
Rita

Zinky · ‎01-25-2011

Always HAVE the latest SendMail version as best practice. WHatever your OS vendor provides as the latest should always be on your system.

Or if you BUILD your own Sendmail, always build from the latest Sendmail.Org sources.

Hakuna Matata

Favourite Toy:
AMD Athlon II X6 1090T 6-core, 16GB RAM, 12TB ZFS RAIDZ-2 Storage. Linux Centos 5.6 running KVM Hypervisor. Virtual Machines: Ubuntu, Mint, Solaris 10, Windows 7 Professional, Windows XP Pro, Windows Server 2008R2, DOS 6.22, OpenFiler

Venkatesan_5 · ‎01-28-2011

Hi Rick,
As per your suggestion the tests are sucessful. We shall decide on updating it to the latest version.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Sendmail Vulnerability

Sendmail Vulnerability