
Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

 
Animesh Chakraborty
Honored Contributor

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

 
Did you take a backup?
14 REPLIES 14
Michael Tully
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Hi Animesh,

I received this same message yesterday, and I don't believe there is a patch available yet. Usually there is a notification from HP as soon as one is available.

Regards
Michael
Anyone for a Mutiny ?
T G Manikandan
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

T G Manikandan
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Animesh Chakraborty
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Hi TG,
Those are OLD!
Did you take a backup?
David Lodge
Trusted Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Looks like nothing from HP; but then again, Sun only has a test patch.

Looks like the researcher *only* notified sendmail.org 11 days before going public (instead of the normal 30 days); this seems to me as if the impact of this vulnerability hadn't been thoroughly considered.

Then again, if HP actually packaged sendmail sensibly, and didn't tie it in with the whole of INET-SVCS, then one could mitigate this by installing the new version of sendmail and not waiting for HP :-)

The easy solution is to disable sendmail on all HP boxen.

dave
Berlene Herren
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

There will be a general release patch around 29 April that will address both CERTs, CA-2003-12 and -07. Again, these will be for 8.9.3 on 10.20 and 11.0 and 8.11.1 for 11.0 and 11i.

I do not believe there will be any other release until then.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
David Lodge
Trusted Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Why the delay in release? Both vulnerabilities have been critical and potentially exploitable, *and* the latest one has a risk that it could affect mailhosts within the defensive perimeter (as the buffer overflow affects headers).

Just curious.

dave
benoit Bruckert
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Hi,
That's one of the reasons why I'm building these kinds of tools from source (this way I can also control many other specific parameters and compile options, and build the cf file from sources, which is easier to configure...).
And sendmail is easy to build from source...
I updated my servers today, and it works fine...
hth
Benoit
________
"Knowing a foreign language means gaining access to another civilization, another way of thinking, contributing to peace through understanding and dialogue; it also means opening up new economic and leisure opportunities." Joachim Charles Hitzke
A badly thought-out application ends up as a gasworks (GHG)
John Morris
Advisor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

When fixes are available they will be announced in an HP security bulletin. Until then we cannot give schedule information. We are working to make fixes available asap.

Yours truly,
John Morris
SOFTWARE SECURITY RESPONSE TEAM (SSRT)
Hewlett-Packard Company
HP Services

Join our (pre-merger) HP SECURITY BULLETIN MAILING LIST!
http://itrc.hp.com
In the left most frame select "Maintenance and Support"
Under the "Notifications" section (near the bottom of the page),
select "Support Information Digests".

JOIN OUR (pre-merger) COMPAQ CUSTOMER SECURITY BULLETIN MAILING LIST!
http://www.support.compaq.com/patches/mailing-list.shtml
Steven E. Protter
Exalted Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

I think HP needs to make a commitment to keep much more current on sendmail.

My Red Hat Linux servers are already patched with the normal package distribution for Red Hat. Still we have no word on sendmail 8.12.x and a binary installation procedure, which concerns my management.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Berlene Herren
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

BTW, when I put that info out there about a sendmail vulnerability patch, this was something I heard, and I should have said that.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Scott_14
Regular Advisor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

As we wait on a fix, one thing I have done a lot in the past, since sendmail seems to encounter updates from time to time, is just shut down sendmail and run it through cron, at intervals of your choice. I usually do this on all servers, and depending on your environment, set cron to push mail more often or less. Just a suggestion if you are worried about things.

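What Dave (disable the sendmail daemon) and Scott (flush the queue from cron instead) describe, put into a small sh script. This is an added example, not code from this thread or from HP; it assumes sendmail lives at /usr/sbin/sendmail, and the netstat lines it parses are constructed samples, not captured from a real host. The minute list is spelled out because HP-UX cron does not accept the "*/15" step syntax that Vixie cron does.

```shell
#!/bin/sh
# Added example: run sendmail queue-only (no listening daemon) until the patch arrives.
# Assumption: sendmail binary at /usr/sbin/sendmail (HP-UX default; adjust if yours differs).

SENDMAIL=/usr/sbin/sendmail

# Build the crontab minute field for an interval in minutes.
# HP-UX cron does not understand "*/N", so every minute is listed explicitly;
# the interval must divide 60 evenly or the run times would drift across hours.
cron_minutes() {
    interval=$1
    if [ "$interval" -lt 1 ] || [ "$interval" -gt 60 ] || [ $((60 % interval)) -ne 0 ]; then
        echo "interval must be between 1 and 60 and divide 60" >&2
        return 1
    fi
    m=0
    out=""
    while [ "$m" -lt 60 ]; do
        out="$out${out:+,}$m"
        m=$((m + interval))
    done
    echo "$out"
}

# Full crontab line: "sendmail -q" processes the outbound queue once and exits,
# so nothing listens on port 25 between runs.
cron_line() {
    mins=$(cron_minutes "$1") || return 1
    echo "$mins * * * * $SENDMAIL -q >/dev/null 2>&1"
}

# Check: read "netstat -an" output on stdin, succeed if something still listens on TCP 25.
# Handles the HP-UX "*.25" form and the Linux/BSD "0.0.0.0:25" / ":::25" form;
# the LISTEN filter keeps outbound connections to remote port 25 from counting.
smtp_listening() {
    grep -E '^tcp' | grep -E '[.:]25[[:space:]]' | grep -q LISTEN
}

# Constructed sample netstat output (not from a real machine).
HPUX_LISTENING='tcp        0      0  *.25                   *.*                     LISTEN
tcp        0      0  *.22                   *.*                     LISTEN'
LINUX_LISTENING='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'
NOT_LISTENING='tcp        0      0  *.22                   *.*                     LISTEN
tcp        0      0  10.0.0.5.45123         10.0.0.9.25             ESTABLISHED'

# Stand-alone demonstration.
echo "crontab entry for a 15-minute queue run:"
cron_line 15
if printf '%s\n' "$HPUX_LISTENING" | smtp_listening; then
    echo "sample 1: a daemon is still listening on port 25 - stop it before relying on cron"
fi
if printf '%s\n' "$NOT_LISTENING" | smtp_listening; then
    echo "sample 2: still listening"
else
    echo "sample 2: nothing listening on port 25, queue-only mode is in effect"
fi
```

On HP-UX 11 the daemon itself is normally switched off by setting SENDMAIL_SERVER=0 in /etc/rc.config.d/mailservs and running /sbin/init.d/sendmail stop; after that, pipe a live `netstat -an` into smtp_listening on each box to confirm port 25 is closed, then install the generated line with crontab. Inbound mail for that host stops until the daemon is re-enabled, so this only suits machines that do not need to receive SMTP from outside.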
Animesh Chakraborty
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

Thanks for the update John.

While I was trying to install the latest SAMBA (CIFS/9000), I found that the latest version available at the HP web site is 2.2.5 whereas others are already using 2.2.8.
Why is HP slow?
Nowadays we cannot compromise on security issues.
Can this SAMBA 2.2.5 address all latest vulnerabilities?
Did you take a backup?
Animesh Chakraborty
Honored Contributor

Re: CERT Advisory CA-2003-12 Buffer Overflow in Sendmail

 
Did you take a backup?