Bugtraq mailing list archives

Re: SM 8.6.12

From: maf () net ohio-state edu (Mark A. Fullmer)
Date: Thu, 13 Jul 1995 10:02:02 -0400


Nathan Lawson writes:


I would like to know if anyone has heard of the newest holes in sendmail 8.6.12.
My details are sketchy, but once again, there is a remote, as well as local
hole.

Sendmail is convenient; convenience is evil!


A few weeks at the Cisco Networkers conference Bill Cheswick hinted at
a new found sendmail security problem in 8.6.12 which Eric had fixed in 8.7.

The 8.7 release notes contain:

    SECURITY: avoid denial-of-service attacks possible by destroying
        the alias database file by setting resource limits low.
        This involves adding two new compile-time options:
        HASSETRLIMIT (indicating that setrlimit(2) support is
        available) and HASULIMIT (indicating that ulimit(2) support
        is available -- the Release 3 form is used).  The former
        is assumed on BSD-based systems, the latter on System
        V-based systems.  Attack noted by Phil Brandenberger of
        Swarthmore University.

Is this the problem, or is it worse?  Eric?

--
mark
maf+ () osu edu

Current thread:

Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing, (continued)
- - - Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing BioH (Jul 10)
    - Re: Exploit for Linux wu.ftpd hole Nathan Lawson (Jul 09)
  - Re: Exploit for Linux wu.ftpd hole Michael Shields (Jul 06)
    - Re: Exploit for Linux wu.ftpd hole Mike Edulla (Jul 07)
- Why are we using priveleged images / state so much? (Was Re: Paul Robinson (Jul 06)
  - Re: Why are we using priveleged images / state so much? (Was Re: Dr. Frederick B. Cohen (Jul 06)
  - Details of linux select(2) bug? Karl Strickland (Jul 07)
  - SM 8.6.12 Nathan Lawson (Jul 08)
    - Re: SM 8.6.12 Karl Strickland (Jul 08)
    - Re: SM 8.6.12 Christopher A. Stewart (Jul 11)
    - Re: SM 8.6.12 Mark A. Fullmer (Jul 13)
    - Re: SM 8.6.12 Eric Allman (Jul 16)
    - inetd probs Mark (Jul 17)
    - Re: SM 8.6.12 Pat The Friendly RedNeck (Jul 17)
    - Re: SM 8.6.12 System Administrator (Jul 18)
    - ANNOUNCEMENT: Ssh (Secure Shell) remote login program Kayvan Sylvan (Jul 18)
    - HP bomb barded my email with it FAQ (fwd) Dr. Frederick B. Cohen (Jul 19)
    - Re: HP bomb barded my email with it FAQ (fwd) Allen J. Newton (Jul 20)
- Re: Exploit for Linux wu.ftpd hole Stan Barber (Jul 05)
- Re: Exploit for Linux wu.ftpd hole John Adams (Jul 05)
  - Re: Exploit for Linux wu.ftpd hole bt (Jul 05)

(Thread continues...)