Bugtraq mailing list archives
Re: Sendmail 8.8.x - time to upgrade?
From: sendmail+gshapiro () SENDMAIL ORG (Gregory Neil Shapiro)
Date: Mon, 22 Nov 1999 23:41:02 -0800
-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Unfortunately, there are some bugs fixed silently till 8.9.3
lcamtuf> release - and, just like in bash case, never mentioned in CHANGES
lcamtuf> nor in security advisories.

lcamtuf> - Sendmail 8.8.8 (fixed in 8.9.3, no info about other releases) won't
lcamtuf> allow '-bd' parameter (run as daemon) if launched by luser. But '-bD'
lcamtuf> parameter (run as daemon, but in foreground) works perfectly. This
lcamtuf> has been fixed without any info in development history file.

It has always been our practice to document changes in the RELEASE_NOTES
file that accompanies the sendmail distribution. Security related fixes
are always included at the top and marked with "SECURITY:" tags to make
them extremely visible. Unfortunately, we missed this one, but it
certainly wasn't left out intentionally.

lcamtuf> - there's unpublished, and theoretically harmless bug - when
lcamtuf> Sendmail daemon receives HUP, it does execve(argv[0],...) to
lcamtuf> restart itself. Unfortunately, 4th file descriptor (listen socket)
lcamtuf> isn't closed before execve.

As you note, in 8.9.3 this bug is theoretically harmless. It will be
fixed in 8.10.0.Beta7 and future versions.

lcamtuf> Facts. Many administrators still use Sendmail 8.8.x (usually
lcamtuf> 8.8.8) as more 'stable and secure' release, believing there are no
lcamtuf> major bugs in it.

We encourage users to upgrade to the latest version regardless of the
contents of the release notes file. Those who rely on old versions do so
at their own risk.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugs () sendmail org.
Security issues can be mailed to sendmail-security () sendmail org and
encrypted with the sendmail-security () sendmail org PGP key:

Type Bits KeyID      Created    Expires    Algorithm Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA       Sign & Encrypt
uid  Sendmail Security <sendmail-security () sendmail org>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

iQCVAwUBODpEq8ApykAW9MzpAQHTqQP9F0rrtXwZtLpPTtjuydRAqjxLVdohNBB4
n0wN1xkvmZTIx9fQpwJJSVwlGUQxWU8woF/dVjrZs0j9yvVRu9NYmWNcTjKeAP6t
pW8iG4o+Zg63zKy7MirGmcgsmI3eNv5iepXq9Tb7G0z5ZK7eo4HSjJeuXB2XeyjZ
kI8E9zt+hm0=
=csx0
-----END PGP SIGNATURE-----
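The HUP restart issue quoted in the message above (the listen socket surviving execve(argv[0], ...)) is an instance of a general descriptor-inheritance problem: every open file descriptor without FD_CLOEXEC crosses into whatever image the process execs. The program below is an added illustration, not sendmail's code and not from the original thread. It creates a loopback listening socket, re-executes itself the way a HUP restart does, and reports whether the socket is still open in the new image, first without and then with the close-on-exec flag. The `--probe-fd` argument, the port-0 loopback socket and the helper names are this example's own.

```c
/* Added example (not sendmail's code): a listening socket leaks across
 * execve() unless it is marked FD_CLOEXEC. Builds on Linux/BSD with a C99
 * compiler: cc -std=c99 -D_POSIX_C_SOURCE=200809L fdleak.c -o fdleak */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Create a TCP listening socket on 127.0.0.1 (port 0 lets the kernel pick).
 * Returns the fd or -1. Like a daemon's listen socket, it carries no
 * close-on-exec flag unless the caller sets one. */
int make_listen_socket(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if fd is open with FD_CLOEXEC, 0 if open without it, -1 if not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix: mark the descriptor close-on-exec so execve() drops it. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Re-exec ourselves the way a HUP restart does and ask the new image whether
 * it still sees fd. Returns 1 if the fd leaked, 0 if not, -1 on error. */
int fd_survives_reexec(const char *self, int fd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char num[16];
        snprintf(num, sizeof num, "%d", fd);
        execl(self, self, "--probe-fd", num, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;
}

int main(int argc, char **argv)
{
    /* Child side of the re-exec: exit 1 if the fd is still open, else 0. */
    if (argc == 3 && strcmp(argv[1], "--probe-fd") == 0)
        return fd_is_cloexec(atoi(argv[2])) >= 0 ? 1 : 0;

    int fd = make_listen_socket(0);
    if (fd < 0) {
        perror("listen socket");
        return 1;
    }
    printf("leaked across exec without FD_CLOEXEC: %d\n", fd_survives_reexec(argv[0], fd));
    set_cloexec(fd);
    printf("leaked across exec with FD_CLOEXEC:    %d\n", fd_survives_reexec(argv[0], fd));
    close(fd);
    return 0;
}
```

Run it as `./fdleak` and the first line reports 1 (the new image can still accept() on the old port) and the second 0. In a daemon that restarts into its own image the stale descriptor is mostly a nuisance, as the reply above says; the same leak into a different program (a mailer, a shell, anything spawned with exec) hands that program a live listening socket on the daemon's port. On Linux, `socket(..., SOCK_STREAM | SOCK_CLOEXEC, 0)` sets the flag atomically at creation and avoids the window between socket() and fcntl() in a multithreaded process.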
Current thread:
- Sendmail 8.8.x - time to upgrade? Michal Zalewski (Jul 14)
- Re: Sendmail 8.8.x - time to upgrade? Gregory Neil Shapiro (Nov 22)