
New sendmail issue?

Gerald Miller_1
Occasional Advisor

New sendmail issue?

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail addresses a new issue that is supposedly different from the one in CA-2003-07.

The advisory did not have any comment from HP, and I was wondering if a new patch was needed for our HP-UX 11.00 systems.

Thanks!
If it compiles, it's good. If it boots up, it's perfect.
8 REPLIES
Denver Osborn
Honored Contributor

Re: New sendmail issue?

Here's a snippet from that CERT Advisory:
____________________________________________
Hewlett-Packard
SOURCE: Hewlett-Packard Company HP Services Software Security Response Team

x-ref: SSRT3531

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.
____________________________________________

I've looked at our security bulletins and have not seen one for this yet. I'm sure that if/when an issue is found that a security bulletin will be issued regarding any potential problem w/ a recommended action to resolve.

To view security bulletins; start at the ITRC - http://www.itrc.hp.com -> click "maint and support" -> click "support info digests" at bottom of page, below notifications. Click "HP Security Bulletins Archive" at the bottom of page to view all sec bulletins.

Hope this helps,
-denver
Gerald Miller_1
Occasional Advisor

Re: New sendmail issue?

Denver,
Thanks for the help there... I didn't even bother to check the CERT site... I thought maybe they'd send me an email when they updated, but I guess not.

Thanks for the information.
If it compiles, it's good. If it boots up, it's perfect.
Berlene Herren
Honored Contributor
Solution

Re: New sendmail issue?

There will be a general release patch around 29 April that will address both Certs, CA-2003-12 and -07. Again, these will be for 8.9.3 on 10.20 and 11.0 and 8.11.1 for 11.0 and 11i.

I do not believe there will be any other release until then.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Steven E. Protter
Exalted Contributor

Re: New sendmail issue?

So those of us who went to the 8.11.x release sd-ux depots are left hanging?

That hardly seems to be a balanced approach.

Sendmail is becoming a very large security issue draining my resources from a complex server rollout project.

My resources refers to my time.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Animesh Chakraborty
Honored Contributor

Re: New sendmail issue?

Hi Gerald,
See my posting on same issue here:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc43eb941255cd71190080090279cd0f9,00.html
Did you take a backup?

Re: New sendmail issue?

Hmmm,

Comment 1) HP does seem to take its time patching what is in effect Open Source software. OTOH I built Sendmail 8.12.8 on an 11.00 box (selectively patched). My first issue was with PMTU. I was missing a Cumulative ARPA patch, and mail to sites using CISCO PIX firewalls with the 'Mail Guard' feature turned on stalled in the queue. Once that was fixed, after running for 36 hours I started seeing kernel memory leaks.

I suspect my GNU toolchain, but haven't verified that as the problem yet.

I fell back to HP 8.11.1 + JagGae58098 and that worked fine.

Comment 2) Don't make it easy to find hackable targets!!!

WHY does sendmail (from HP or sendmail.org) have to identify its version in the smtp greeting, the help message, and any message headers? HP's case is even worse since the most recently applied patch is also identified.

An administrator can modify the greeting message, can modify the headers, and can remove the version from the help file. BUT if you remove the whole help file, sendmail will generate a HARD CODED message telling you help is not available - with its version embedded in the message.

Berlene H., please pass these last comments along to see if the next patch can obscure version/patch info from the outside world.

TIA,

Scott.
Christopher Caldwell
Honored Contributor

Re: New sendmail issue?

To obscure the version / patch ID, modify this line in sendmail.cf:

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
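
An added example, not from the thread or from HP: a small sh/awk script that writes a copy of sendmail.cf with the greeting above reduced to host name and date, drops the "($v/$Z)" stamp from the Received: header (the other disclosure point raised earlier in the thread), and audits the result for any remaining $v or $Z. It assumes the stock layout where the Received: definition starts with "HReceived:" and its continuation lines start with whitespace; the file paths in the comments are examples.

```shell
#!/bin/sh
# Added example (not from the thread): make a hardened copy of sendmail.cf
# that stops advertising $v (sendmail version) and $Z (on HP's build, the
# patch ID) in the SMTP greeting and in the Received: header, then audit it.
# Assumes the stock layout: the Received: definition starts with
# "HReceived:" and its continuation lines start with whitespace.

# harden_sendmail_cf IN OUT: write a rewritten copy of IN to OUT
harden_sendmail_cf() {
    in="$1"
    out="$2"
    awk '
        # Greeting: keep only the host name ($j) and the date ($b).
        /^O SmtpGreetingMessage=/ { print "O SmtpGreetingMessage=$j; $b"; next }
        # Track whether we are inside the multi-line Received: definition.
        /^HReceived:/ { inrecv = 1 }
        inrecv && !/^[ \t]/ && !/^HReceived:/ { inrecv = 0 }
        # Inside it, drop the " ($v/$Z)" software stamp and keep the rest.
        inrecv { sub(/ *\(\$v\/\$Z\)/, "") }
        { print }
    ' "$in" > "$out"
}

# audit_sendmail_cf FILE: print every line that still expands $v or $Z;
# exit status 1 if any were found, 0 if the file is clean.
audit_sendmail_cf() {
    grep -n '\$[vZ]' "$1" && return 1
    return 0
}

# Example use (paths are illustrative):
#   harden_sendmail_cf /etc/mail/sendmail.cf /tmp/sendmail.cf.new
#   audit_sendmail_cf /tmp/sendmail.cf.new
# Review the new file, then install it and restart sendmail.
```

The help file is a separate case: its version line has to be edited by hand, since deleting the file only triggers the hard-coded fallback message mentioned above.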

Christopher Caldwell
Honored Contributor

Re: New sendmail issue?

Yup --

see

SECURITY BULLETIN: HPSBUX0304-253

You need sendmail.811.11.11.r2.