Re: procmail / Sendmail - five bugs

Subject: Re: procmail / Sendmail - five bugs
From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Fri Jan 14 2000 - 02:33:48 CST

• Next message: Marc Esipovich: "Re: Administrivia #4883 (fwd)"
• Previous message: jason storm: "Re: Administrivia #4883 (fwd)"
• In reply to: Gregory Neil Shapiro: "Re: procmail / Sendmail - five bugs"
• Next in thread: CyberPsychotic: "Re: procmail / Sendmail - five bugs"
• Reply: 3APA3A: "Re: procmail / Sendmail - five bugs"
• Reply: CyberPsychotic: "Re: procmail / Sendmail - five bugs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Gregory,

Thursday, January 13, 2000, 8:14:55 PM, you wrote:

lcamtuf>> # maximum number of children we allow at one time
lcamtuf>> O MaxDaemonChildren=15

GNS> Yes, MaxDaemonChildren will avoid this sort of denial of service attack.
GNS> However, the fact that sendmail buffers up commands after a remote side
GNS> drops its connection is a bug. This bug will be fixed in the next 8.10.0
GNS> beta release.

 O MaxDaemonChildren=15 will avoid system crash and host rebooting but
 not sendmail DoS, because sendmail will not accept any connection
 until "frozen" child processes will be killed. The best way to avoid
 this vulnerability is to switch off ETRN feature by
 O PrivacyOptions=noetrn

--
Best regards,
 3APA3A
http://www.security.nnov.ru

• Next message: Marc Esipovich: "Re: Administrivia #4883 (fwd)"
• Previous message: jason storm: "Re: Administrivia #4883 (fwd)"
• In reply to: Gregory Neil Shapiro: "Re: procmail / Sendmail - five bugs"
• Next in thread: CyberPsychotic: "Re: procmail / Sendmail - five bugs"
• Reply: 3APA3A: "Re: procmail / Sendmail - five bugs"
• Reply: CyberPsychotic: "Re: procmail / Sendmail - five bugs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b27 : Fri Jan 14 2000 - 03:02:19 CST