HPE Community
Operating System - HP-UX
1846185 Members
4216 Online
110254 Solutions
New Discussion

Verifying Sendmail Patch Level

 
Gus Larsson
Advisor

‎08-18-2003 06:31 AM

‎08-18-2003 06:31 AM

Verifying Sendmail Patch Level

Hello all,
Is there a foolproof way to determine whether a version of Sendmail is fully patched? I'm fairly certain I applied the "manual updates" in March and April 2003 when several vulnerabilities were published, but how can I be sure? How can I convince the IS department around here that I am protected against various specific exploits? (Namely, remote buffer overflows, DNS handling overflow, smrsh error, "-bt overflow attack", local buffer overlow, etc...the list goes on).

I am running HP-UX 11.0 on a J5600 workstation. Telnetting to port 25 shows 8.11.1/8.11.1. The date of /usr/contrib/sendmail/usr/sbin/sendmail is April 4, 2003. Even if I were to download the July 2003 "special release" version from software.hp.com, how can I know for certain that the above vulnerabilities have been patched?

Thanks for any assistance,
Gus
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎08-18-2003 06:36 AM

‎08-18-2003 06:36 AM

Re: Verifying Sendmail Patch Level

swlist -l product |grep -i sendmail

It will show all patches.

To do more, you are going to have to download some hacking instructions(I will not post that stuff here) and demonstrate to your management/auditors that you can withstand attack.

You also might want to set up httpd and dns in a chroot jail where users other than root start and own the daemons.

The best way to keep up is to get itrc security updates, and watch here for posts by Berlene Herren, she posts the warnings for HP the minute they are ready.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎08-18-2003 06:38 AM

‎08-18-2003 06:38 AM

Re: Verifying Sendmail Patch Level

Gus,

There was some discussion after the initial announcement of the vulnerabilities and the associated fix about how to tell if your version was OK:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x5c669c196a4bd71190080090279cd0f9,00.html



Pete


Pete
0 Kudos
Reply
Massimo Bianchi
Honored Contributor

‎08-18-2003 06:40 AM

‎08-18-2003 06:40 AM

Re: Verifying Sendmail Patch Level

what /usr/sbin/sendmail

Massimo
0 Kudos
Reply
Gus Larsson
Advisor

‎08-18-2003 07:51 AM

‎08-18-2003 07:51 AM

Re: Verifying Sendmail Patch Level

Thanks for the replys. I'm not sure that any of the proposed methods will prove to the corporate IT folks that my version is not vulnerable, but at least the "what /usr/sbin/sendmail" shows a revision number. That way at least I'll be assured that I am protected, and I'll be able to evaluate my other systems similarly.

BTW, I don't see any of that "JAG" stuff when I run the "what ...sendmail" command, even though I just loaded the July 2003 special release. Here is what I get:

/etc/mail> what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.11.1 (Berkeley) - Revision 1.4 - 2003/05/05

I guess that maybe the JAG identifier (?) isn't included in all releases.

Gus
0 Kudos
Reply
Geoff Wild
Honored Contributor

‎08-19-2003 11:17 AM

‎08-19-2003 11:17 AM

Re: Verifying Sendmail Patch Level

Try this:

echo \$Z | /usr/sbin/sendmail -bt -d

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.