Slackware: 'sendmail' input validation vulnerability
Posted by LinuxSecurity.com Team   
This problem can be exploited by local users to gain root access. It is not exploitable by remote attackers without shell access.

An input validation error in sendmail has been discovered by Cade Cairns of
SecurityFocus.  This problem can be exploited by local users to gain root
access.  It is not exploitable by remote attackers without shell access.
New packages based on sendmail.8.11.6 have been prepared for Slackware 7.1
and 8.0.

Detailed information about this security problem may be found here:
    http://www.securityfocus.com/bid/3163

New procmail packages have been prepared as well, based on procmail-3.21.
The ChangeLog notes that these problems were fixed as of procmail-3.20,
but it's not known how serious they really are:
     - SECURITY: don't do unsafe things from signal handlers:
       - ignore TRAP when terminating because of a signal
       - resolve the host and protocol of COMSAT when it is set
       - save the absolute path form of $LASTFOLDER for the comsat
         message when it is set
       - only use the log buffer if it's safe


WHERE TO FIND THE NEW PACKAGES:
-------------------------------

Updated packages for Slackware 8.0: 
ftp://ftp1.sourceforge.net/pub/slackware/slackware-8.0/patches/packages/procmail.tgz 
ftp://ftp1.sourceforge.net/pub/slackware/slackware-8.0/patches/packages/sendmail.tgz 
ftp://ftp1.sourceforge.net/pub/slackware/slackware-8.0/patches/packages/smailcfg.tgz

Updated packages for Slackware 7.1: 
ftp://ftp1.sourceforge.net/pub/slackware/slackware-7.1/patches/packages/procmail.tgz 
ftp://ftp1.sourceforge.net/pub/slackware/slackware-7.1/patches/packages/sendmail.tgz 
ftp://ftp1.sourceforge.net/pub/slackware/slackware-7.1/patches/packages/smailcfg.tgz


MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.0 packages:
56099f1bce9643e44342711878a7ceb0  ./packages/procmail.tgz
3d03fd648ecf40eed56ff915780fb8ab  ./packages/sendmail.tgz
1a13d98a11d0af853893a640909d8958  ./packages/smailcfg.tgz

Slackware 7.1 packages:
121f13cecaaac0efdc1b510b68e6c147  ./packages/procmail.tgz
7c0e57969057ba72e6b59e26aa39de04  ./packages/sendmail.tgz
9e30e9e07fce4001bbf7f330cb2f9d71  ./packages/smailcfg.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

First, kill any existing sendmail processes:

killall -9 sendmail

Then, as root, upgrade the sendmail package with upgradepkg:

upgradepkg sendmail.tgz

Then, restart sendmail:

/usr/sbin/sendmail -bd -q15m



- Slackware Linux Security Team
   http://www.slackware.com
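
The checksum comparison and the three upgrade steps above, combined so that the upgrade is refused unless the downloaded package matches the advisory. This is an added example, not part of the Slackware advisory; the function names and the file holding one release's md5sum lines (copied from the advisory) are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumption: the md5sum lines for ONE
# Slackware release were copied from the advisory into a plain text file.

# verify_pkg <package-file> <sums-file>
# Returns 0 only if exactly one distinct sum is listed for the package's file
# name and it equals the md5sum of the downloaded file.
verify_pkg() {
    pkg=$1
    sums=$2
    [ -r "$pkg" ] && [ -r "$sums" ] || { echo "unreadable input" >&2; return 2; }
    name=$(basename "$pkg")
    # Advisory lines look like: "<md5>  ./packages/sendmail.tgz"
    want=$(awk -v n="$name" '{ f = $2; sub(/.*\//, "", f) }
                             f == n { print tolower($1) }' "$sums" | sort -u)
    case $(printf '%s\n' "$want" | grep -c .) in
        1) ;;
        0) echo "$name: no md5sum listed" >&2; return 3 ;;
        # 7.1 and 8.0 use the same file names, so a mixed list is ambiguous.
        *) echo "$name: conflicting md5sums listed" >&2; return 4 ;;
    esac
    got=$(md5sum "$pkg" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "$name: md5sum mismatch" >&2; return 1; }
}

# upgrade_sendmail <package-file> <sums-file>
# The advisory's steps, run as root, only after the checksum matches.
upgrade_sendmail() {
    verify_pkg "$1" "$2" || return
    killall -9 sendmail
    upgradepkg "$1" && /usr/sbin/sendmail -bd -q15m
}

# Run as: sh thisscript.sh sendmail.tgz sums.txt
if [ "$#" -eq 2 ]; then
    upgrade_sendmail "$1" "$2"
fi
```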
