Sendmail Vulnerability

Venkatesan_5
Frequent Advisor

Sendmail Vulnerability

Hi, we have a HPUX11.31 server with SAP application running on it.

Issue details:
We are using Sendmail to receive incoming mails to the SAP application. We have received a Security Alert for sendmail from the security team.

Alert: There is a bug in sendmail that can allow anybody to send a crafted email with code that can give them root access.

We have sendmail version 8.13.34 loaded in 11.31.
)#what /usr/sbin/sendmail | grep version
Sendmail version 8.13.3 - Revision 1.003:: HP-UX11.31 - 8th December,2008

)#swlist -l product | grep -i send
Sendmail C.8.13.3.4 Mail Transfer Protocol daemons and utilities

Does this version still have this bug, or do I need to update it to 8.13.3.5 as per the references given below?

https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=SMAIL813

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813


Kindly help me with your inputs...

Thanks in Advance.
4 REPLIES
RickT_1
Valued Contributor

Re: Sendmail Vulnerability

This vulnerability only applies if you have STARTTLS enabled. I'm sending you the document so you can see exactly what the vulnerability is and decide how best to handle it. http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02009860

This should answer all of your questions.

Rick
Rita C Workman
Honored Contributor

Re: Sendmail Vulnerability

There was a fix done around mid-2010. Version 8.13.3.4.1.
So anything from this version...on will have the fix.

Regards,
Rita
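
Added example, not part of any reply in this thread: a POSIX sh triage that combines the two conditions raised above, the STARTTLS condition from RickT's reply and the 8.13.3.4.1 fix level from Rita's reply. The function names and the sample EHLO reply are constructed for illustration; the swlist line is the one quoted in the original post.

```shell
#!/bin/sh
# Added example, not from the thread. FIXED_REV is the revision named in the
# reply above; SAMPLE_EHLO is a constructed EHLO reply.
FIXED_REV="8.13.3.4.1"
SAMPLE_SWLIST="Sendmail C.8.13.3.4 Mail Transfer Protocol daemons and utilities"
SAMPLE_EHLO="250-mailhost.example.com Hello localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 HELP"

# "Sendmail C.8.13.3.4 ..." -> "8.13.3.4" (drops the one-letter prefix)
swlist_revision() {
    printf '%s\n' "$1" | awk '{ sub(/^[A-Za-z]\./, "", $2); print $2 }'
}

# Succeeds when dotted revision $1 >= $2; a missing field counts as 0,
# so 8.13.3.4 sorts below 8.13.3.4.1.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeeds when the EHLO reply advertises the STARTTLS extension.
ehlo_has_starttls() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^250[- ]STARTTLS$'
}

# $1 = swlist product line, $2 = EHLO reply captured from the listener
triage() {
    rev=$(swlist_revision "$1")
    if version_ge "$rev" "$FIXED_REV"; then
        echo "patched"
    elif ehlo_has_starttls "$2"; then
        echo "exposed"
    else
        echo "unpatched-starttls-not-advertised"
    fi
}

triage "$SAMPLE_SWLIST" "$SAMPLE_EHLO"
```

On a live host, pass the output of `swlist -l product | grep -i send` as the first argument and the EHLO reply captured from the listener as the second.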
Zinky
Honored Contributor

Re: Sendmail Vulnerability

Always HAVE the latest SendMail version as best practice. Whatever your OS vendor provides as the latest should always be on your system.

Or if you BUILD your own Sendmail, always build from the latest Sendmail.Org sources.
Hakuna Matata

Favourite Toy:
AMD Athlon II X6 1090T 6-core, 16GB RAM, 12TB ZFS RAIDZ-2 Storage. Linux Centos 5.6 running KVM Hypervisor. Virtual Machines: Ubuntu, Mint, Solaris 10, Windows 7 Professional, Windows XP Pro, Windows Server 2008R2, DOS 6.22, OpenFiler
Venkatesan_5
Frequent Advisor

Re: Sendmail Vulnerability

Hi Rick,
As per your suggestion the tests are successful. We shall decide on updating it to the latest version.