[cobalt-security] New Sendmail vulnerability :o(
- Subject: [cobalt-security] New Sendmail vulnerability :o(
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sun, 30 Mar 2003 01:44:38 +0100
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi all,
There is a new Sendmail vulnerability. The news made it to Bugtraq a moment
ago:
http://www.securityfocus.com/archive/1/316760
http://www.securityfocus.com/archive/1/316773
CVE: CAN-2003-0161
CERT: VU#897604
--------------------------- excerpt: ---------------------------
********************************************************
*** FORCED RELEASE -- VENDOR NOTIFIED AS OF 03/18/03 ***
********************************************************
There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
ISS vulnerability announcement.
[...]
The impact is believed to be a root compromise.
-----------------------------------------------------------------
I'm now rolling up a new (second) unofficial Sendmail patch for different Sun
Cobalt appliances. They should be available shortly on
http://www.solarspeed.net
--
With best regards,
Michael Stauber
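
The bug class named in the excerpt above (a char-to-int conversion that defeats a bounds check), shown as an added example. This is not Sendmail's code and not part of the original post; the table size, function names and sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 128   /* constructed: one table entry per 7-bit ASCII code */

/* Constructed input: an address-like string carrying two bytes >= 0x80. */
static const char sample[] = "user\xff\x80@example.test";

/* Weak check: the byte is widened from signed char to int, so 0x80..0xFF
 * turn negative and pass a test that only looks at the upper bound. */
static int index_ok_weak(signed char ch)
{
    int idx = ch;                   /* sign-extends: 0xFF becomes -1 */
    return idx < TABLE_SIZE;        /* no lower bound, so -1 is accepted */
}

/* Hardened check: widen through unsigned char, then test both ends. */
static int index_ok_hardened(signed char ch)
{
    int idx = (unsigned char)ch;    /* 0xFF becomes 255 */
    return idx >= 0 && idx < TABLE_SIZE;
}

/* Count the bytes a check accepts even though their real value lies
 * outside 0..TABLE_SIZE-1. Nothing is indexed, so this is safe to run. */
static size_t count_escapes(const char *in, size_t n, int hardened)
{
    size_t escapes = 0;
    for (size_t i = 0; i < n; i++) {
        signed char ch = (signed char)in[i];
        int accepted = hardened ? index_ok_hardened(ch) : index_ok_weak(ch);
        int in_range = (unsigned char)in[i] < TABLE_SIZE;
        if (accepted && !in_range)
            escapes++;
    }
    return escapes;
}

int main(void)
{
    size_t n = strlen(sample);
    printf("weak check lets through:     %zu\n", count_escapes(sample, n, 0));
    printf("hardened check lets through: %zu\n", count_escapes(sample, n, 1));
    return 0;
}
```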