Re: Sendmail 8.6.12 hole & smrsh
Casper Dik (casper Holland.Sun.COM)
Thu, 12 Oct 1995 15:16:38 +0100
- Next message: Paul Ferguson: "Edupage, 12 October 1995 (fwd)"
- Previous message: Janis Lacis: "Sendmail 8.6.12 hole & smrsh"
- In reply to: Janis Lacis: "Sendmail 8.6.12 hole & smrsh"
>>Who knows what the root-shell-giving security hole is in Sendmail 8.6.12
>>that was incompletely patched in 8.7, and (supposedly) finally patched
>>in 8.7.1?
>
>I wonder if the attack is still possible if there is a "smrsh" shell
>installed instead of "sh" in sendmail.cf ?

Yes. The syslog() hole exploits don't care whether you have installed
smrsh or not.

The only thing that helps is a patched syslog(), something you'll need
anyway for your other daemons, or sendmail 8.7.1, and that only works
if you have a syslog() with an internal buffer size of 1024 bytes
(i.e., if you have a smaller internal buffer, you may be out of luck anyway).

Casper
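
The trade-off described in the reply above, as an added example that is not part of the original post and is not sendmail or libc code: a simplified C model in which a caller caps its log line at 1024 bytes (`CALLER_LIMIT`, an assumed value taken from the figure in the post) and the logging library either copies without a length check or bounds the copy itself. All function names are hypothetical and the oversized input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define CALLER_LIMIT 1024  /* assumed caller-side cap, matching the 1024-byte figure in the post */

/* Caller-side mitigation (model of fixing the daemon only): build the whole
 * log line in a bounded buffer before handing it to the logging library.
 * Returns the length of the line actually stored, excluding the NUL. */
static size_t caller_prepare(char out[CALLER_LIMIT], const char *tag, const char *untrusted)
{
    int need = snprintf(out, CALLER_LIMIT, "%s: %s", tag, untrusted);
    if (need < 0) { out[0] = '\0'; return 0; }
    return (size_t)need >= CALLER_LIMIT ? CALLER_LIMIT - 1 : (size_t)need;
}

/* Would an UNPATCHED library that copies the line into its internal buffer
 * without a length check stay in bounds? Only if the buffer holds line + NUL. */
static int fits_unpatched_library(size_t line_len, size_t lib_bufsz)
{
    return line_len + 1 <= lib_bufsz;
}

/* Library-side fix (model of a patched syslog()): bound the copy by the
 * library's own buffer size, whatever the caller sent. Returns 1 if truncated. */
static int patched_library_copy(char *lib_buf, size_t lib_bufsz, const char *line)
{
    int need = snprintf(lib_buf, lib_bufsz, "%s", line);
    return need < 0 || (size_t)need >= lib_bufsz;
}

int main(void)
{
    char untrusted[5001], line[CALLER_LIMIT], small_buf[512];
    memset(untrusted, 'A', sizeof untrusted - 1);   /* constructed oversized input */
    untrusted[sizeof untrusted - 1] = '\0';

    size_t len = caller_prepare(line, "daemon", untrusted);
    printf("caller-capped line: %zu bytes\n", len);
    printf("in bounds with 1024-byte unpatched buffer: %d\n", fits_unpatched_library(len, 1024));
    printf("in bounds with  512-byte unpatched buffer: %d\n", fits_unpatched_library(len, sizeof small_buf));
    printf("patched copy into 512 bytes truncated: %d, stored %zu bytes\n",
           patched_library_copy(small_buf, sizeof small_buf, line), strlen(small_buf));
    return 0;
}
```

The caller-side cap alone leaves every other daemon that logs through the same library exposed, which is why the reply treats the library patch as necessary in any case.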