On Fri, 24 Mar 2006 [EMAIL PROTECTED] wrote: > On Thu, 23 Mar 2006 03:59:20 CST, Gadi Evron said: > > Oh, sorry for not mentioning earlier - > > Operators that want to patch Sendmail, I'd suggest doing it soon. Now we > > not only do we face risk to our mail servers, but rather trusting other > > servers as well. > > Been there, done that. All the same issues we saw when 8.12.9 came out:
Exactly. You just made my point. > > 8.12.9/8.12.9 2003/03/29 > SECURITY: Fix a buffer overflow in address parsing due to > a char to int conversion problem which is potentially > remotely exploitable. Problem found by Michal Zalewski. > Note: an MTA that is not patched might be vulnerable to > data that it receives from untrusted sources, which > includes DNS. > > So just like last time - I'm sure somebody will patch their external-facing > mailserver *first*, and that lets exploit mail get through the external > mailer and reach the internal mailserver (where before it would just have > 0wned the external server). > > Not that Sendmail is any different from any OTHER infrastructure software. > The exact same issues apply when an IOS bug is found, or an NTP bug, or..... > > (And if you think Sendmail didn't do a good job of releasing the info, I > shudder to think of what you thought of how Cisco handled the whole Lynn > thing ;) > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
