
Re: Sendmail < 8.8.3



"Alan Cox writes:"
> 
> As you are hopefully all aware by now there is a vulnerability in all
> sendmail 8.7/8.8 software. Eric Allman has released 8.8.3 of the package
> to resolve this. While this bug requires local shell access it is being
> actively exploited.
> 
> Can you all please provide me with the site, and preferably MD5 or PGP
> signatures for the fixed packages tomorrow (Tuesday) in time for the
> CERT advisory.

[...]

Below are the details.  Thanks for coordinating the advisory.

Ron

-------------------------------------------------------------------------------

Subject: Caldera Security Advisory 96.06: Vulnerability in sendmail

Caldera Security Advisory SA-96.06
November 18th, 1996

Topic: Vulnerability in sendmail

I. Problem Description

	The sendmail program is the default MTA (Mail Transport Agent)
	for the Caldera Network Desktop.  To gain access to resources it
	needs, the sendmail program is installed as set-user-id root.

	A vulnerability in sendmail makes it possible to start a program
	such as a shell that has root permissions on the local machine.

	Exploit programs for sendmail are known to exist for Linux
	systems on x86 hardware.  This problem likely exists for other
	Unix-like operating systems.

II. Impact

	On systems such as CND 1.0, an unprivileged user can obtain root
	access.  A shell account on the local machine is needed to
	exploit this vulnerability.  This particular vulnerability
	is not known to be exploitable by a remote user.

III. Solution

	Install a version of sendmail with the patch that prevents this
	vulnerability.

/etc/rc.d/init.d/sendmail.init stop
ncftp ftp://ftp.caldera.com/pub/cnd-1.0/updates/sendmail-8.7.1-2c1.i386.rpm
rpm -Uvh sendmail-8.7.1-2c1.i386.rpm
/etc/rc.d/init.d/sendmail.init start

	This particular version is the same version as shipped with CND 1.0 but
	with the security patch applied.  (Newer versions of sendmail have
	been released by its author.)

	MD5 signatures of these packages (using the "md5sum" command):

	5471b0370e873b31c387dfdafbb02867  sendmail-8.7.1-2c1.i386.rpm
	e92cdeb8d75ea96f17ee04a1671e3c57  sendmail-8.7.1-2c1.src.rpm

IV. References

	This and other Caldera security resources are located at:

		http://www.caldera.com/tech-ref/cnd-1.0/security/

	Other sendmail related information can be found at:

		http://www.sendmail.org/

	and in the Usenet newsgroup

		comp.mail.sendmail

--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
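
The advisory publishes MD5 sums, but its install steps go straight from download to `rpm -Uvh`. As an added example (not part of the original message or of Caldera's advisory), these sh functions gate the install on a match against the two published lines; the function names are hypothetical, and MD5 is used only because it is what the advisory provides.

```shell
#!/bin/sh
# Added example: check a downloaded package against the advisory's MD5 list
# before installing it. Function names are hypothetical.

# The two "md5sum"-format lines exactly as published in the advisory.
ADVISORY_SUMS='5471b0370e873b31c387dfdafbb02867  sendmail-8.7.1-2c1.i386.rpm
e92cdeb8d75ea96f17ee04a1671e3c57  sendmail-8.7.1-2c1.src.rpm'

# expected_sum MANIFEST NAME
# Print the hash listed for NAME; fail if NAME is absent or its hash field
# is not 32 lowercase hex digits (a truncated or mangled advisory line).
expected_sum() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $2 == n && length($1) == 32 && $1 !~ /[^0-9a-f]/ {
            print $1; found = 1; exit
        }
        END { exit !found }'
}

# verify_pkg MANIFEST PATH
# Return 0 only when the MD5 of PATH equals the manifest entry for its
# basename. 1 = mismatch, 2 = file not listed, 3 = file unreadable.
verify_pkg() {
    manifest=$1
    path=$2
    name=$(basename "$path")
    want=$(expected_sum "$manifest" "$name") || {
        echo "$name: not listed in advisory" >&2
        return 2
    }
    [ -r "$path" ] || { echo "$path: cannot read" >&2; return 3; }
    got=$(md5sum < "$path" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "$name: MD5 mismatch (got $got, advisory says $want)" >&2
        return 1
    fi
    echo "$name: OK"
}

# Usage, replacing the bare install step from the advisory:
#   verify_pkg "$ADVISORY_SUMS" sendmail-8.7.1-2c1.i386.rpm &&
#       rpm -Uvh sendmail-8.7.1-2c1.i386.rpm
```

The manifest lookup runs before the file is read, so a package whose name the advisory never listed is rejected without being hashed.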