Well, to be on the safe side, I'll upgrade to 8.12.8.

Just one question???
Until now I have installed and configured sendmail following this guide: http://www.lcpe.uni-sofia.bg/linuxdoc/sendmail/install.txt
Thanks to Vesselin for that. But when updating, is it necessary to carry out everything? I mean items 1 to 13 of "The installation itself".

--------- Original message --------
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: Re[2]: lug-bg: sendmail <8.12.8 vulnerable
Date: 04/03/03 10:25

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tuesday 04 Mar 2003 12:17, Todor Lazarov wrote:
> >
> > Is the problem serious???
>
> Here is the description of the problem; it is also written much more clearly
> than CERT managed to do it. Some people at CERT (especially the editors)
> are masters of the unclear thought :)
>
>
> - -->
>
> Security Advisory - RHSA-2003:073-06
> - ------------------------------------------------------------------------------
> Summary:
> Updated sendmail packages fix critical security issues
>
> Updated Sendmail packages are available to fix a vulnerability that
> may allow remote attackers to gain root privileges by sending a
> carefully crafted message.
>
> These packages also fix a security bug if sendmail is configured to use smrsh.
>
> Description:
> Sendmail is a widely used Mail Transport Agent (MTA) which is included
> in all Red Hat Linux distributions.
>
> During a code audit of Sendmail by ISS, a critical vulnerability was
> uncovered that affects unpatched versions of Sendmail prior to version
> 8.12.8. A remote attacker can send a carefully crafted email message
> which, when processed by sendmail, causes arbitrary code to be
> executed as root.
>
> We are advised that a proof-of-concept exploit is known to exist, but
> is not believed to be in the wild.
>
> Since this is a message-based vulnerability, MTAs other than Sendmail
> may pass on the carefully crafted message.
> This means that unpatched
> versions of Sendmail inside a network could still be at risk even if
> they do not accept external connections directly.
>
> In addition, the restricted shell (SMRSH) in Sendmail allows attackers to
> bypass the intended restrictions of smrsh by inserting additional commands
> after "||" sequences or "/" characters, which are not properly filtered or
> verified. A successful attack would allow an attacker who has a local
> account on a system which has explicitly enabled smrsh to execute arbitrary
> binaries as themselves by utilizing their .forward file.
>
> All users are advised to update to these erratum packages. For Red Hat
> Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable
> to these issues. For all other distributions we have included a backported
> patch which corrects these vulnerabilities.
>
> Red Hat would like to thank Eric Allman for his assistance with this
> vulnerability.
>
> References:
> http://www.cert.org/advisories/CA-2003-07.html
> http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
> - ------------------------------------------------------------------------------
>
> - -------------
> Taking Action
> - -------------
> You may address the issues outlined in this advisory in two ways:
>
> - select your server name by clicking on its name from the list
> available at the following location, and then schedule an
> errata update for it:
> https://rhn.redhat.com/network/systemlist/system_list.pxt
>
> - run the Update Agent on each affected server.
>
>
> - ---------------------------------
> Changing Notification Preferences
> - ---------------------------------
> To enable/disable your Errata Alert preferences globally please log in to RHN
> and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.
>
> URL: https://rhn.redhat.com/network/my_account/my_prefs.pxt
>
> You can also enable/disable notification on a per system basis by selecting an
> individual system from the "Systems List". From the individual system view
> click the "Details" tab.
>
>
> - ----------------
> Affected Systems
> - ----------------
> According to our records, this errata may apply to one or more of the
> systems that you've profiled with Red Hat Network. To see precisely which
> systems are affected, please go to:
> https://rhn.redhat.com/network/errata/systems_affected.pxt?eid=1504
>
>
>
> The Red Hat Network Team
>
> This message is being sent by Red Hat Network Alert to:
> RHN user login: vlk_at_lcpe
> Email address on file: <[EMAIL PROTECTED]>
>
> If you lost your RHN password, you can use the information above to
> retrieve it by email from the following address:
> https://rhn.redhat.com/forgot_password.pxt
>
> To cancel these notices, go to:
> https://rhn.redhat.com/oo.pxt?uid=1793678&oid=2352664
>
> - -->
>
> Regards
> Vesselin Kolev
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+ZHVh+48lZPXaa+MRAoOEAKDu02pwcCSH8oHuAA/sy84ai3JaIQCfZf2a
> s5lGGjxbjHlNvCrgEmAXrJk=
> =Yn1d
> -----END PGP SIGNATURE-----
>
> ============================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
> http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
> To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
> ============================================================================

________________________________________________
Message sent using UebiMiau 2.7.2

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
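
Added example (not part of the original message or of the Red Hat advisory): a shell triage of a sendmail version string against the 8.12.8 fix level named in the advisory. Because the advisory says other distributions received a backported patch, a version below 8.12.8 is reported as `check-backport` rather than as vulnerable; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a sendmail version string against the 8.12.8 fix level.
FIXED="8.12.8"

# Pull the first X.Y.Z triple out of free text, e.g. the "Version 8.11.6" line
# printed by `sendmail -d0.1 -bv root`, or an RPM package name.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 is numerically lower than version $2 (X.Y.Z only).
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # split both versions into six positional fields
    IFS=$old_ifs
    [ "$1" -lt "$4" ] && return 0; [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0; [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print one of: fixed-upstream, check-backport, unknown.
#   fixed-upstream  version is 8.12.8 or later
#   check-backport  version is older; the host is exposed unless the vendor
#                   package carries the backported patch (on RPM systems,
#                   review `rpm -q --changelog sendmail` for the erratum)
#   unknown         no X.Y.Z version found in the input
triage() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED"; then
        echo "check-backport"
    else
        echo "fixed-upstream"
    fi
}

# Constructed sample inputs (not taken from a real host).
for sample in "Version 8.12.8" "Version 8.11.6" \
              "sendmail-8.11.6-25.72" "Version 8.12.10" "no version here"; do
    printf '%-24s -> %s\n' "$sample" "$(triage "$sample")"
done
```

The components are compared numerically, so 8.12.10 sorts after 8.12.8 and 8.9.3 sorts before it, which a plain string comparison would get wrong.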
