Bugtraq mailing list archives
Re: sendmail 8.12.8 available
From: Nico Erfurth <masta () perlgolf de>
Date: Tue, 04 Mar 2003 18:21:45 +0100
Florian Weimer wrote:
Claus Assmann <ca+bugtraq () sendmail org> writes:Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.12.8. It contains a fix for a critical security problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force for bringing this problem to our attention. Sendmail urges all users to either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that is part of this announcement.Would people be willing to share filter rules for other MTAs to block offending messages on relays? Thanks,
I'm not sure how the exploit works, but if I understood the LSD-analysis correctly, it uses the comment for the payload, and needs many <> in a parsed header. With exim4, this ACL should/could help.
First it checks for the header-syntax, that will reject the <><><><> used in the LSD-POC-code. The second condition should refuse to accept comments longer than 20 chars.
acl_data = check_message check_message: require message = Invalid header syntax (Maybe sendmail exploit) verify = header_syntax deny message = Ohh, this looks like the sendmail-exploit condition = ${if match {$h_from: $h_cc: $h_bcc: $h_reply_to: \ $h_sender: $h_to:} {\N\(.{21,}?\)\N}{1}{0}} No warranty ;) Nico Erfurth
Current thread:
- sendmail 8.12.8 available Claus Assmann (Mar 03)
- Re: sendmail 8.12.8 available Florian Weimer (Mar 03)
- Re: sendmail 8.12.8 available Nico Erfurth (Mar 04)
- Message not available
- Re: sendmail 8.12.8 available Bennett Todd (Mar 07)
- Re: sendmail 8.12.8 available Florian Weimer (Mar 03)
- Re: sendmail 8.12.8 available Mordechai T. Abzug (Mar 04)
- Re: sendmail 8.12.8 available Neil W Rickert (Mar 06)