HPE Community
Operating System - HP-UX
1829880 Members
5746 Online
109993 Solutions
New Discussion

sendmail 8.11.1

 
Peter Gillis
Super Advisor

‎08-14-2003 05:13 PM

‎08-14-2003 05:13 PM

sendmail 8.11.1

Hi, (op sys ux 11.00)
Have upgraded to sendmail 8.11.1. but appear still to be vulnerable to the remote buffer overflow problem. Have the following patches loaded: PHKL_18799 PHNE_17190 PHNE_24419 PHNE_26304 AND SMAIL-811. Am I still missing something?
Also, is there a way to disable the use of smrsh in sendmail?

Thanks, Maria.
0 Kudos
Reply
3 REPLIES 3
Paulo A G Fessel
Trusted Contributor

‎08-15-2003 06:09 AM

‎08-15-2003 06:09 AM

Re: sendmail 8.11.1

Unless you have very specific features enabled in sendmail, I think it's interesting that you consider changing your mail system to Postfix. It's absolutely safer than sendmail, understands sendmail's configuration files and is faster and lighter than sendmail.

The link for Postfix is http://www.postfix.org. Binaries for HP-UX and other information can be found at http://www.stahl.bau.tu-bs.de/~hildeb/postfix.

HTH
Paulo Fessel
L'employé propose, le boss dispose.
0 Kudos
Reply
Mark Greene_1
Honored Contributor

‎08-15-2003 07:32 AM

‎08-15-2003 07:32 AM

Re: sendmail 8.11.1

Go here:

http://www.software.hp.com/ISS_products_list.html

And download security_patch_check and run it once a week or so. Be sure to always run it with the -r option to refresh the catalog.

mark
the future will be a lot like now, only later
0 Kudos
Reply
Jairo Campana
Trusted Contributor

‎08-15-2003 07:48 AM

‎08-15-2003 07:48 AM

Re: sendmail 8.11.1

SMRSH IN SENDMAIL
If Sendmail is using smrsh, then the only programs that can be executed are those under the /etc/smrsh/ directory. Perhaps the best solution to run the wrapper from the aliases file is to create a symbolic link from /etc/smrsh/wrapper to /usr/local/majordomo-1.94.5/wrapper. [root@kes smrsh]# ln -s /usr/local/majordomo-1.94.5/wrapper wrapper

A second solution is to actually move the wrapper into the /etc/smrsh/ directory. [root@kes smrsh]# mv /usr/local/majordomo-1.94.5/wrapper ./

If security is not a major concern, the secure shell can be disabled. One fairly crude method is simply to delete /usr/sbin/smrsh and copy or link /bin/sh in its place. [root@kes sbin]# rm -f smrsh
[root@kes sbin]# ln -s /bin/sh smrsh

A better (but more difficult) method is to edit sendmail.cf. Change the reference from /usr/sbin/smrsh Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
T=X-Unix,
A=sh -c $u

to /bin/sh Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
T=X-Unix,
A=sh -c $u


Advantage: This will prevent this class of vulnerability being
exploited on your system without requiring a new version of
sendmail(8) to be installed. Mailing to unauthorised programs
will no longer work.
Disadvantage: If a program is not authorised by smrsh, any attempt
to use it via mail will cause an error reply to be generated.
System administrators should check their aliases and all
.forward files for any configuration that mails to a program.
These configurations will generate an error reply on every
message mailed if that program is not authorised for use by smrsh.
If the .forward file contains something similar to:
\user, "| /usr/ucb/vacation user"
then mail will still be delivered to "user", but an error reply
(not the vacation message) will be returned to the sender if
vacation is not authorised for use by smrsh.
legionx
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.