On Wed, 18 Oct 2000 15:46:47 PDT, "John L. Fjellstad" writes:

>On Wed, Oct 18, 2000 at 11:25:40PM +0200, Robert Waldner wrote:
>
>> or down-/upgrade to 8.9.3, my current potato 8.9.3-21 isn't vulnerable
>> to this (or to any other from http://www.abuse.net/relay.html) relay
>> attack.
>
>I would probably not use the 8.9 or earlier series of Sendmail. There
>was a bug in Sendmail versions earlier than 8.10 that made it
>possible for remote users to destroy your mailbox. Check
>bugtraq for more information (do a search for sendmail, it was around
>April this year).
I think you're referring to the "unsafe fgets() problem", as in
http://forum.securityportal.com/list-archive/bugtraq/2000/Apr/0181.html

>Of course, knowing Debian, the fix has probably been backported.

it is, from /usr/doc/sendmail/changelog.Debian.gz:
---
sendmail (8.9.3-22) frozen; urgency=high

  * Fix unsafe fgets in mail.local, based on the upstream patch for 8.10.1
---

which of course means that you should upgrade to at least 8.9.3-22 or
-23[0], the latter is already in stable.

cheers,
&rw

0: one may run into the same confusion as I did:

220 cruncher.Austria.EU.net ESMTP Sendmail 8.9.3/8.9.3/Debian 8.9.3-21; Thu, 19 Oct 2000 07:32:27 +0200

although it's really

[waldner:/usr/doc/sendmail] dpkg -l | grep sendm
ii  sendmail        8.9.3-23       A powerful mail transport agent.

-- 
/ Robert Waldner <[EMAIL PROTECTED]> | Phone: +43 1 89933 0 Fax x533 \
\ KPNQwest/AT tech staff            | Diefenbachg. 35 A-1150 Wien    /
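The footnote above is the practical lesson of the thread: the version string in the SMTP greeting can lag behind what the package manager actually has installed, so an audit that reads banners will misjudge whether the 8.9.3-22 fix is present. The following POSIX sh script is an added example, not part of the original mail or of Debian's sendmail packaging; it parses the banner line and the `dpkg -l` line exactly as quoted in the footnote (both embedded here as constructed sample input), compares the two, and bases the verdict on the dpkg version against the first fixed revision named in the changelog. The function names and the `FIXED_VERSION` constant are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether the mail.local
# fgets fix is installed by trusting dpkg, not the SMTP banner.
# In real use, feed in the greeting from `nc host 25` and `dpkg -l sendmail`.

# First Debian revision carrying the fix, per the quoted changelog entry.
FIXED_VERSION="8.9.3-22"

# Constructed sample input: the SMTP greeting from the footnote.
SAMPLE_BANNER='220 cruncher.Austria.EU.net ESMTP Sendmail 8.9.3/8.9.3/Debian 8.9.3-21; Thu, 19 Oct 2000 07:32:27 +0200'
# Constructed sample input: the `dpkg -l` line from the footnote.
SAMPLE_DPKG='ii  sendmail        8.9.3-23       A powerful mail transport agent.'

# Extract the Debian package version the banner claims (e.g. "8.9.3-21").
banner_version() {
    printf '%s\n' "$1" | sed -n 's|.*Sendmail [^ ]*/Debian \([^;]*\);.*|\1|p'
}

# Extract the installed version from a `dpkg -l` line (third column).
dpkg_version() {
    printf '%s\n' "$1" | awk '$1 == "ii" && $2 == "sendmail" { print $3 }'
}

# Return 0 when $1 >= $2, comparing dot/dash separated numeric components.
# This is a simplified comparison adequate for "8.9.3-NN" style versions;
# dpkg --compare-versions is the authoritative tool where available.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Report a stale banner if it disagrees with dpkg, then judge the installed
# package against FIXED_VERSION. Returns 0 when the fix is present.
check_sendmail() {
    banner=$(banner_version "$1")
    installed=$(dpkg_version "$2")
    if [ -z "$installed" ]; then
        echo "no installed sendmail package found in dpkg output"
        return 1
    fi
    if [ "$banner" != "$installed" ]; then
        echo "banner says $banner but dpkg says $installed: banner is stale, trust dpkg"
    fi
    if version_ge "$installed" "$FIXED_VERSION"; then
        echo "installed $installed >= $FIXED_VERSION: unsafe fgets fix present"
        return 0
    fi
    echo "installed $installed < $FIXED_VERSION: upgrade required"
    return 1
}

check_sendmail "$SAMPLE_BANNER" "$SAMPLE_DPKG"
```

Run against the footnote's data it reports the 8.9.3-21 banner as stale and passes on the basis of the installed 8.9.3-23; swap in a `dpkg -l` line showing 8.9.3-21 and it fails, regardless of what the banner says.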