Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Sammy_2
Super Advisor

Got an email from my security dept. about this vulnerability. I got the patch for Solaris, but what is the HP-UX 11.11 equivalent of this patch? My sendmail version is


# what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 10/10/2003 (PHNE_29774)


Check these sites for the security vulnerability.

US-CERT Technical Cyber Security Alert TA06-081A:
http://www.us-cert.gov/cas/techalerts/TA06-081A.html

Sendmail MTA Security Vulnerability:
http://www.sendmail.com/company/advisory/

See also http://www.frsirt.com/english/advisories/2006/1049
good judgement comes from experience and experience comes from bad judgement.
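The opening post identifies the installed sendmail from the `what` output and asks whether it predates the fixed release. The script below, an added example and not from anyone in the thread, parses that `version.c` line, extracts the HP-UX patch id, and compares the dotted version against 8.13.6 component by component (a plain string compare would rank 8.9 above 8.13). The 8.13.6 sample line is constructed; the 8.9.3.1 line is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the version embedded in a
# sendmail binary against the version carrying the fix (8.13.6, per the
# advisory linked in the opening post). Input is a what(1) "version.c" line.

# Print the dotted version from a what(1) version.c line, e.g. 8.9.3.1
sendmail_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*version\.c[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# Print the HP-UX patch id in parentheses, e.g. PHNE_29774 (empty if none).
sendmail_patch_id() {
    printf '%s\n' "$1" | sed -n 's/.*(\(PHNE_[0-9]*\)).*/\1/p'
}

# Return 0 if $1 is an older dotted version than $2, 1 otherwise. Compares
# component by component, so 8.9.3.1 < 8.13.6 (a string compare gets this
# wrong because "9" sorts after "13").
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        a="${a#*.}"  b="${b#*.}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Print older-than-fix / at-or-above-fix / unknown for a what(1) line.
# Caveat: a vendor patch such as PHNE_29774 can backport a fix without
# changing the Berkeley version, so "older-than-fix" means "check the
# HP bulletin for that patch id", not "definitely vulnerable".
check_sendmail_line() {
    v=$(sendmail_version "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_lt "$v" "${2:-8.13.6}"; then echo older-than-fix
    else echo at-or-above-fix
    fi
}

# Constructed samples: the line from the thread and a hypothetical 8.13.6 build.
SAMPLE_OLD='version.c 8.9.3.1 (Berkeley) 10/10/2003 (PHNE_29774)'
SAMPLE_NEW='version.c 8.13.6 (Berkeley) 1/1/2006'
for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    p=$(sendmail_patch_id "$line")
    printf '%-8s %-16s patch=%s\n' "$(sendmail_version "$line")" \
        "$(check_sendmail_line "$line")" "${p:-none}"
done
```

On a live box, feed it `what /usr/sbin/sendmail | grep version.c` in place of the samples.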
Steven E. Protter
Exalted Contributor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Shalom Sammy,

The vulnerability is in ALL sendmail versions before 8.13.3

HP may decide to release a patch versus a whole new sendmail, as may other vendors.

To deal with the vulnerability you must either upgrade sendmail or install a certified patch set.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Arunvijai_4
Honored Contributor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Hi Sammy,

Yes, this vulnerability exists in all versions of Sendmail prior to 8.13.3. You can download the latest source from http://www.sendmail.org/8.13.6.html and install it yourself.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Kent Ostby
Honored Contributor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

PHNE_29774 is the latest version of the 11.11 sendmail patch at this time.

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Kent Ostby
Honored Contributor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Sammy --

You can go to this website and get a utility to run on your HP-UX box which will tell you all of the current security patches you need to install:

http://docs.hp.com/en/B2355-90950/ch08s19.html?jumpid=reg_R1002_USEN
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Kent Ostby
Honored Contributor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Sorry.. that's the page that tells you how to run it.

The command should already be on your system.

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
Steven E. Protter
Exalted Contributor
Solution

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Shalom again,

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813

This one is probably NOT vulnerable according to my reading of the docs.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sammy_2
Super Advisor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

Thanks to all.
Does this mean HP (unlike Sun) does not have a patch to address this particular vulnerability issue?
Kent,
does this new version of the patch fix this particular problem? At this point, I don't want to install all security patches, just the fix for this problem.
SEP, I am gathering that since we don't have a patch we may have to upgrade sendmail by swremove of the old sendmail and swinstall of the new one.
good judgement comes from experience and experience comes from bad judgement.
Sammy_2
Super Advisor

Re: Vulnerability in sendmail(1M) Versions Prior to 8.13.6 ??

I am not running sendmail on any of our servers. So that is one better than actually installing a patch. All servers only send mail (no incoming) and thus don't need the sendmail daemon. Much safer.
Thanks to all.
good judgement comes from experience and experience comes from bad judgement.