-Advisory-16.UNIX.sendmail-6-Dec-1994.UPDATE

Post by [8LGM] Security Te » Wed, 25 Jan 1995 15:37:52



This advisory has been sent to:

        comp.security.unix

===============================================================================
                  [8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994.UPDATE

PROGRAM:

        sendmail(8)

UPDATE:

        After further investigation, it has been discovered that SVR4 based
        ports include sendmail(8) based on SMI code.  This code therefore
        is affected by the problem discussed in:

        [8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994

        Any systems running SMI sendmail(8) should follow advice given in
        this advisory, and remove any set bits on sendmail(8).

        To give more time to administrators to fix this problem, and due
        to other problems being published this week, the exploit script
        will now be posted at 00:00GMT on Monday 6th February 1995.

        To retrieve these details, send a mail containing the line:

                send [8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994-EXPLOIT


        to be sent before this date will be directed to /dev/null.

FIX:

        We recommend that security-conscious sites upgrade immediately
        to UCB Sendmail 8.6.9, as Sun's sendmail is generally recognised
        as being broken.  Your options are:

        1. Obtain patch from your vendor.

        2. Build and install sendmail 8.6.9, available from:
           ftp.cs.berkeley.edu:/ucb/sendmail/sendmail.8.6.9.*

        3. Remove set bits from any SMI sendmail(8) binaries.

FEEDBACK AND CONTACT INFORMATION:


                                                 processed automatically;
                                                 just send any message)



8LGM MAILING LIST:


        address you mail from will automatically be added to the list.

        If you need to subscribe to an address you cannot mail from

        to be added to the list.  Due to our mail volume, we appreciate
        it if you can use 8lgm-request instead; thus if you need to
        subscribe an alias, please look into using, say sendmail -f,
        if possible.

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.

===========================================================================

--
-----------------------------------------------------------------------
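
The following is an added example, not part of the original advisory: a POSIX shell audit for fix option 3, reading "set bits" as the setuid/setgid mode bits (an assumption). The default paths are assumed common install locations and the function names are hypothetical.

```shell
#!/bin/sh
# Audit sendmail binaries for setuid/setgid bits and optionally clear them.
# DEFAULT_PATHS are assumed locations, not taken from the advisory.
DEFAULT_PATHS="/usr/lib/sendmail /usr/lib/sendmail.mx /usr/sbin/sendmail"

# has_set_bits FILE: true if FILE is a regular file with setuid or setgid set.
has_set_bits() {
    [ -f "$1" ] && { [ -u "$1" ] || [ -g "$1" ]; }
}

# strip_set_bits FILE: clear setuid and setgid, leaving the other mode bits.
strip_set_bits() {
    chmod u-s,g-s "$1"
}

# audit_sendmail MODE FILE...: MODE is "report" or "fix".
# Prints one status line per file; returns 0 only if no file keeps set bits.
audit_sendmail() {
    mode=$1; shift
    remaining=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "absent:   $f"
        elif ! has_set_bits "$f"; then
            echo "clean:    $f"
        elif [ "$mode" = "fix" ] && strip_set_bits "$f" && ! has_set_bits "$f"; then
            echo "stripped: $f"
        else
            echo "SET BITS: $f ($(ls -ld "$f" | cut -d' ' -f1))"
            remaining=$((remaining + 1))
        fi
    done
    [ "$remaining" -eq 0 ]
}

# Runs only when invoked with arguments: audit.sh report|fix [paths...]
if [ "$#" -gt 0 ]; then
    run_mode=$1; shift
    [ "$#" -gt 0 ] || set -- $DEFAULT_PATHS
    audit_sendmail "$run_mode" "$@"
fi
```

Run it in report mode first and review the list before using fix; the non-zero exit status in report mode makes it usable from a scheduled check.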