Critical Sendmail Flaw, update/patch now

Sendmail < 8.12.8 has a critical flaw that affects header parsing. This was discovered by ISS and apparently has been known since December 2002 but was just now publicly disclosed because "critical infrastructure" organizations such as power companies, etc., were given the opportunity to address it before it was made public. I have HUGE issues with that approach, but that's another discussion; for now, if you use sendmail (and somewhere along the line you DO) then patch it yourself and make someone aware of the issue who can.

See the linked 8.12.8 release notes and CERT for more. http://www.sendmail.org/8.12.8.html
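A quick triage helper for the "patch it yourself" advice above, added here as an example and not part of the original post. It pulls the upstream version out of a sendmail SMTP greeting or the first line of `sendmail -d0.1 -bv root` output and flags anything below 8.12.8, the fixed release named in the post. The host names and banner strings are constructed sample data. One caveat: vendor packages often backport a fix without changing the upstream version string, so a version-string check is a hint for where to look first, not proof that a box is unpatched or safe; the package changelog and the linked release notes are the authority.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release according to the post: Sendmail 8.12.8.
FIXED_VERSION = (8, 12, 8)

# Sendmail reports its version in the SMTP greeting
#   "220 host ESMTP Sendmail 8.12.7/8.12.7; <date>"
# and in the first line of `sendmail -d0.1 -bv root`
#   "Version 8.12.7"
# Both forms are matched here.
VERSION_RE = re.compile(r"(?:Sendmail|Version)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner or -d0.1 line, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def needs_update(text: str) -> Optional[bool]:
    """True if the reported version is below 8.12.8, False if at or above,
    None if no version string could be found (e.g. banner is hidden)."""
    v = parse_version(text)
    if v is None:
        return None
    return v < FIXED_VERSION


# Constructed sample inputs (hypothetical hosts, not captured from any real system).
SAMPLES: Dict[str, str] = {
    "mx1": "220 mx1.example.invalid ESMTP Sendmail 8.12.7/8.12.7; Mon, 3 Mar 2003 10:00:00 -0500",
    "mx2": "220 mx2.example.invalid ESMTP Sendmail 8.12.8/8.12.8; Mon, 3 Mar 2003 10:00:00 -0500",
    "box3": "Version 8.11.6\n Compiled with: DNSMAP LOG MATCHGECOS NAMED_BIND",
    "box4": "220 box4.example.invalid ESMTP",  # version hidden; cannot triage by string
}


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a human-readable verdict based on its reported version."""
    report = {}
    for host, text in samples.items():
        status = needs_update(text)
        if status is None:
            report[host] = "unknown (no version in banner; check the package on the host)"
        elif status:
            report[host] = "update or disable (reports %d.%d.%d < 8.12.8)" % parse_version(text)
        else:
            report[host] = "ok (reports %d.%d.%d)" % parse_version(text)
    return report


if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Hosts that come back "unknown" are the ones worth a manual look; a hidden banner says nothing about whether the binary behind it is current.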

Comments

Re: Critical Sendmail Flaw, update/patch now

What do you expect companies like ISS to do? If they wait and give people some time to fix it, then people bitch and moan. If they release it immediately (a la that Apache flap a few months back), then people bitch and moan.

What are they to do? Can't please everybody. Hell in this case, I bet a lot of the same people bitch no matter what they do.

Re: Critical Sendmail Flaw, update/patch now

The bad part is my company doesn't bother w/ even the simplest of security measures on boxes, so we have a bunch of unix boxes out there running sendmail that don't need to. Now we have to go and patch them and/or disable the service. Of course that would imply they really give a rat's ass about the security in the first place.

Re: Critical Sendmail Flaw, update/patch now

Well I guess I don't have the answers to everyone's issues, but I would say publish it as soon as you know about it, patch ready or not. That's the way open source security works, that's what makes it work (IMHO).

For example, what if someone else had discovered the flaw on December 10th, someone less reputable than ISS? If the warning had come out as soon as it was known about then sendmail could have been disabled, or configured differently or whatever to avoid the exploit.

I know this is a hotly debated topic but my vote is publish it when we know it exists, patch or not, no matter who you are.

And again I am not faulting ISS, I think the way they handled the previous Apache issue was correct and I think that on this one the Homeland Security Department got involved and that probably accounts for the delay (and several million of our tax dollars, for the same functions that ISS was doing fine on its own before, ISS and others, CERT, etc).
