
ISS Discovers A Remote Hole In Sendmail

timothy posted more than 11 years ago | from the patches-forthcoming dept.

Security 481

randal writes "A security vulnerability in the Sendmail Mail Transfer Agent (MTA) has been identified by ISS. This bug can give an attacker the ability to gain remote root access to the targeted system. There is no known exploit code of this vulnerability in the wild at this time, but everyone should upgrade immediately. This issue affects all versions since 5.79. Open Source sendmail users can get source for the newest version (8.12.8) as well as patches for 8.9, 8.11, and 8.12 from sendmail.org. Commercial Sendmail customers can find patches at sendmail.com/security. Most major OS vendors will be releasing patches immediately." Update: 03/03 19:23 GMT by T : Reader Patchlevel points out that RedHat and OpenBSD have already issued patches. Update: 03/03 20:45 GMT by T : Reader Claude Meyer links to an update from SuSE, too. Update: 03/03 22:52 GMT by T : djcatnip points out that Apple has released a software update to patch OpenSSL and Sendmail for Mac OS X 10.2.4, and the Slackware site says they have updated to 8.12.8 as well.


CmdrTaco discovers remote hole in ESR (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5425789)

fp niggles

Wow! They can see it from space! (-1)

Anonymous Coward | more than 11 years ago | (#5425793)

That hole must be even bigger than michaels!

(his err, mouth)

What ISS didn't discover (-1)

I VOMIT ON TODDLERS! (642865) | more than 11 years ago | (#5425795)

is that toddlers love that vomit!

Re:What ISS didn't discover (0)

Anonymous Coward | more than 11 years ago | (#5426051)

What is a toddler? I'm from Austria.

what? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5425797)

A sendmail vulnerability? Shit, who'd have thought it.

ISS? (5, Funny)

europrobe (167359) | more than 11 years ago | (#5425804)

That has got to be a very remote hole if it took the International Space Station to find it...

Re:ISS? (2, Funny)

queenb**ch (446380) | more than 11 years ago | (#5425842)

I'm still waiting for the proof of concept so that I can test this on every mail server in sight. Hmmmm.......wonder if the FBI will be by later.

Queen B

Re:ISS? (3, Funny)

pebs (654334) | more than 11 years ago | (#5425994)

The proof of concept is right here [iss.net] .

It's a Flash animation that demonstrates how to exploit the sendmail vulnerability. They went through all this trouble to make a flash animation just because they found a vulnerability? They must not find vulnerabilities very often and this is a big deal. Or maybe they just have an overstaffed graphics/web design department with too much time on their hands.

Re:ISS? (1)

gmuslera (3436) | more than 11 years ago | (#5425918)

If it was found by the International Space Station, maybe it should be a remote black hole.

Re:ISS? (0, Redundant)

iceT (68610) | more than 11 years ago | (#5425989)

I'd think it'd have to be a HUGE hole... ESPECIALLY if you can see it from space!

DAMN YOU (0)

Anonymous Coward | more than 11 years ago | (#5425993)

beat me to the pun

International Space Station? (-1, Offtopic)

DeadSea (69598) | more than 11 years ago | (#5425808)


The ISS discovered a remote black hole

The hole, in a distant galaxy, is considered to be the biggest ever found. Unfortunately, without the space shuttle, the scientists aboard the station may never get home to tell of it.

So what's new? (-1, Troll)

Mourgos (621534) | more than 11 years ago | (#5425809)

Anyone that uses sendmail knows that it will never be bug-free + exploitless.

Qmail is the way to go... now if only FreeBSD doesn't install a default MTA .....

Re:So what's new? (3, Insightful)

zapfie (560589) | more than 11 years ago | (#5425924)

Anyone that uses sendmail knows that it will never be bug-free + exploitless.

Hate to break it to you, but ANY program of medium to large size will never be bug free and exploitless. It's the nature of complicated projects.

Re:So what's new? (4, Insightful)

blakestah (91866) | more than 11 years ago | (#5426046)

Hate to break it to you, but ANY program of medium to large size will never be bug free and exploitless.

Find a bug in qmail that allows an outsider to do so much as change file permissions of a file he should not be allowed to. There has not ever been one, and there is cold hard cash offered.

Secure code is not impossible. However, if you start with sendmail or BIND and try to achieve security, well, good luck.

Re:So what's new? (0)

Anonymous Coward | more than 11 years ago | (#5426019)

ITYM Postfix. Good license, it installs to a sane location, and the author isn't an ass.

Since no one else will say it... (2, Insightful)

Anonymous Coward | more than 11 years ago | (#5425812)

Let's not forget that just because it's open source doesn't mean it's invulnerable.

Let's also not forget that it's not only Microsoft that has these problems. I expect everyone who normally bitches and moans at how awful Microsoft security is to bitch and moan just as much because of this sendmail hole.

Anything less is hypocrisy, but then again, this is Slashdot, where hypocrisy is elevated to an art form.

Re:Since no one else will say it... (0)

Anonymous Coward | more than 11 years ago | (#5425825)

Let's not forget that just because it's open source doesn't mean it's invulnerable.

Absolutely True. However, we have patches right now. Microsoft may or may not patch it in the near future.

Re:Since no one else will say it... (0)

Anonymous Coward | more than 11 years ago | (#5426005)

. However, we have patches right now

Note that this is not a function of open source, it is a function of ISS' responsible disclosure policy. This vuln has been known about by the appropriate vendors for 60 days... More than enough time to code and test a patch.

Re:Since no one else will say it... (0)

Anonymous Coward | more than 11 years ago | (#5425835)

Stupid security holes that should not have existed are what is complained about,

MS is a leader in that arena

so blah

Re:Since no one else will say it... (1)

buswolley (591500) | more than 11 years ago | (#5425901)

You aren't insightful. I hear that every time an open source vulnerability pops up.

Re:Since no one else will say it... (2, Insightful)

Wobin (94894) | more than 11 years ago | (#5425915)

I haven't seen Microsoft having a patch ready within 24 hours of a vulnerability being announced.

Re:Since no one else will say it... (5, Insightful)

NickDngr (561211) | more than 11 years ago | (#5425956)

I haven't seen Microsoft having a patch ready within 24 hours of a vulnerability being announced.

Apparently you didn't read the article. "Initial vendor notification: 1/13/2003." The vendor was notified a month and a half ago.

Re:Since no one else will say it... (4, Insightful)

MisterFancypants (615129) | more than 11 years ago | (#5425958)

I haven't seen Microsoft having a patch ready within 24 hours of a vulnerability being announced.

Then you haven't been looking hard enough. Not that Microsoft always gets fixes out within 24 hours, but neither does OSS. In both camps some bugs are harder to fix and verify than others.

International Space Station? (-1, Troll)

tui (20620) | more than 11 years ago | (#5425814)

When they said it would aid research in new areas, I never expected this! :)

hi (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5425841)

you are a retard.

that is all.

What? (2, Funny)

Koyaanisqatsi (581196) | more than 11 years ago | (#5425816)

Who else got confused by reading that "IIS Discovers A Remote Hole In Sendmail"?

Re:What? (1)

MisterFancypants (615129) | more than 11 years ago | (#5425934)

Who else got confused by reading that "IIS Discovers A Remote Hole In Sendmail"?

You didn't think that with all those viruses running around and combining in there that IIS WOULDN'T become sentient, did you?

Re:What? (3, Funny)

moonbender (547943) | more than 11 years ago | (#5426018)

According to that logic, and with all the bugs found in Sendmail during its history, it should long ago have evolved something like a hive mind and fixed its own holes.

Re:What? (0)

Anonymous Coward | more than 11 years ago | (#5426056)

My hard drive is just a 4th-level-cache between the CPU and the Internet.

So basically all you do is web browse all day long? More specifically, you browse Slashdot all day long. What a waste of a perfectly good PC that could be used for something productive. Get off your ass and write some damn code. Or at least add some content to that wimpy web page of yours.

Re:What? (1)

kipple (244681) | more than 11 years ago | (#5426041)

I was confused, too.

So, it seems that I'm not the only one who's expecting it?

Cross Upgrade to QMail (4, Informative)

shadwwulf (145057) | more than 11 years ago | (#5425817)

While you're at it check out Qmail [qmail.org] it's a lot more modular than sendmail and is much more secure.

Re:Cross Upgrade to QMail (2, Informative)

krog (25663) | more than 11 years ago | (#5425876)

QMail is fine for a four- or five-user machine, but the installations who currently require Sendmail's power for their mail service needs would likely be happier with Postfix [postfix.org] . It's far more powerful than QMail, while still being easy to set up and use.

Re:Cross Upgrade to QMail (4, Interesting)

nitehorse (58425) | more than 11 years ago | (#5425980)

Postfix sucks.

I can't set up per-user mail filtering with different tools (some of my users like maildrop, some still have working procmailrc recipes that they don't want to ever have to touch again, and that means not converting to maildrop), the MySQL backend is shitty and doesn't support per-user procmailrc files anyway (for vhosting setups, which is the only place it's really useful).

qmail really is the shit. It's a bit more finicky to install, yes, but the documentation for installation is good, and I've never had to touch a running qmail server except for the rare occasion when it ran out of disk space. qmail is very much a 'set-up and forget' technology; I have qmail servers that I haven't needed to patch for ANY sort of exploits for years.

Postfix is only slightly more flexible in some ways (for example, the MySQL backend) but those ways aren't difficult to integrate into qmail; it's just that nobody's bothered to do it yet. Also, djb's daemontools suite makes running Courier bearable.

Re:Cross Upgrade to QMail (0)

Anonymous Coward | more than 11 years ago | (#5425893)

Too bad it doesn't scale, huh? If someone wants to be an anti-Sendmail zealot, Postfix is a better alternative to suggest.

Re:Cross Upgrade to QMail (4, Informative)

mosch (204) | more than 11 years ago | (#5425897)

Or as another superior alternative, check out Wietse Venema's mailer, Postfix [postfix.org] . It was built from the ground up to be fast and secure, and it benefits from not being maintained by the notoriously finicky djb. (if you've never dealt with him, he's much like a Theo de Raadt, except he doesn't even have a good cause.)

Re:Cross Upgrade to QMail (0)

Anonymous Coward | more than 11 years ago | (#5425982)

And when installing Postfix you even get the sendmail feature of waiting for the next root hole.

Postfix when the SMTP rfc's just aren't enough.

Wait a second here..... (-1, Redundant)

brocheck (59415) | more than 11 years ago | (#5425820)

Was anyone else wondering why the international space station was hax0ring my sendmail?

And a hole in sendmail is not exactly ground breaking news, people.

Re:Wait a second here..... (0)

Anonymous Coward | more than 11 years ago | (#5425981)

Whoa, I can see your house from up here

Thanks! (1)

Johnny O (22313) | more than 11 years ago | (#5425823)

Thanks guys for finding and fixing the bug!
Updating now..... :-)

Yes! (4, Funny)

mao che minh (611166) | more than 11 years ago | (#5425831)

Yes! I have been longing for another security alert in an open source application for some time. Now we can enjoy the always engaging and informative debates between Microsoft clowns and open source zealots concerning security in proprietary and open source code. It is difficult to find the same measure of eloquence in posts concerning other aspects of technology.

Re:Yes! (1)

Big_Monkey_Bird (620459) | more than 11 years ago | (#5425889)

But, they fixed it. That's the difference.

Bad Micro$oft (-1, Troll)

FoulBeard (112622) | more than 11 years ago | (#5425843)

M$ can't write code, and their OS and apps are insecure. I'm going to use a UNIX derivative because it's more secure.....

Oh wait did you say sendmail......

Re:Bad Micro$oft (1)

doobman (6198) | more than 11 years ago | (#5425971)

I know you're being witty and all, but I just upgraded a production sendmail box w/o blinking. No downtime. No wonder MS boxes are never patched. They REQUIRE downtime (reboot) to apply.

Haters come out! (5, Funny)

DNS-and-BIND (461968) | more than 11 years ago | (#5425845)

I can summarize 90% of the comments in this story right now:

  • Sendmail sucks! Anything this old sucks by definition. Grep, TCP/IP, sendmail, ping all suck.
  • Switch to qmail! Qmail has no features, and it is written by a psychotic...why haven't you switched yet?
  • Switch to MS Exchange! You get calendaring, for God's sake!
  • Switch to $ANOTHER_MAILER_THAT_IS_NOT_SENDMAIL. Only sendmail has security holes! Other mailer software doesn't have holes.
Anyone else?

Re:Haters come out! (1)

FauxPasIII (75900) | more than 11 years ago | (#5425895)

Postfix doesn't even get its own bullet?

Switch to Postfix !

Re:Haters come out! (0)

Anonymous Coward | more than 11 years ago | (#5425899)

+1 Fucking hilarious

Re:Haters come out! (5, Funny)

Joe the Lesser (533425) | more than 11 years ago | (#5426013)

I love sendmail!! I forgive any security holes it may have. I even have its picture framed on my desk.

Re:Haters come out! (1)

mrondello (261386) | more than 11 years ago | (#5426016)

You forgot:

* True patriots do not get their mail Hax0red

This is because all parcels exchanged by fascist, acronym bearing government agencies [usps.com] and private mail receptacles are monitored closely by heavily armed militiamen. Anything less and the terrorists will win.

Re:Haters come out! (2, Funny)

krray (605395) | more than 11 years ago | (#5426025)

I have a suggestion if you're worried about sendmail's security flaws ... and don't like Exchange or Postfix or QMail or some other:

Use Mail. You know ... the post office. There all you have to worry about is Anthrax.

Between the terrorists and Bill Gates ... this world does suck.

why do people still use sendmail? (0)

Anonymous Coward | more than 11 years ago | (#5425846)

This isn't meant as a flame or troll, but seriously, why? The first thing I do when I install a new system is to wipe sendmail off (or not install it if the option is there) and install qmail [qmail.org] , which has a much better security record than sendmail.

Some things I'll just never understand, I guess.

Re:why do people still use sendmail? (3, Informative)

WetCat (558132) | more than 11 years ago | (#5425892)

Gateway configurations, sir.
Have you ever tried to run two instances of qmail on one machine, for example?
qmail is very rigid and unfriendly to making configuration tricks and connections to anything not usual.

oh sendmail my buddy (0)

SparafucileMan (544171) | more than 11 years ago | (#5425848)

This just in: Easy Hacking Available for Newbies for the Next Three Months

Debian fix available (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5425849)

apt-get install sendmail-security-fix [debian.org] more details here.

Recompiling now....while you're at it... (5, Informative)

numbski (515011) | more than 11 years ago | (#5425850)

While you're at it grab spamass-milter from http://savannah.nongnu.org/projects/spamass-milt/ , add this line to your site.config.m4:

APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')

Use CPAN to install SpamAssassin:

perl -MCPAN -e shell
install Mail::SpamAssassin
quit

Then compile spamass-milter. Add this to your sendmail.mc file:

INPUT_MAIL_FILTER(`spamass-milter', `S=local:/var/run/spamass-milter.sock,F=')

Make sure that spamd, spamc, and spamass are all running as daemon processes, and if spamd fails add this to the beginning of the script:

$Sys::Hostname::host = 'my.hostname.com';

Ah...auto spam filtering. Tweak the files in /etc/spamassassin to your liking for system-wide, and in ~/spamassassin for users. Enjoy. :)

Impressive... (1)

inertia@yahoo.com (156602) | more than 11 years ago | (#5425851)

Protection mechanisms such as implementation of a non-executable stack do not
offer any protection from exploitation of this vulnerability. Successful
exploitation of this vulnerability does not generate any log entries.


So, I wonder how they noticed it.

most serious Sendmail problems are with Apple Mac (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5425853)

This flaw in sendmail mostly affects Apple computers. This is not good news. Apple is already on very shaky financial ground; this will only make matters worse. Frankly, many prominent industry analysts have crunched the numbers, concluding that Apple's outlook is bleak indeed.

In Apple's latest numbers released in January for its fiscal first quarter of 2003, revenue fell from a year earlier and all of the company's major computer lines saw diminished numbers. PowerMac sales were down 20%, while iBook sales fell 8%.

At the same time Apple's sales were falling, PC sales rose, though just slightly, according to figures from IDC released last month.

The last time Apple was in this state, it brought back co-founder Steve Jobs to fix its issues. He fostered the development of the iMac and secured a US$150-million investment from Microsoft. But there aren't any new iMacs in Apple's future and Microsoft, bolstered by its victory over the U.S. Department of Justice, is clearly not going to help the beleaguered computer maker this time.

So what have you got left? Apple is a company that controls around 3% of the computer market, has recently undergone a restructuring and is slowly fading into nothingness. Software makers don't even have Mac users on their radar and it's not like Apple can bring Mr. Jobs back to right the ship this time -- he's already there.

Stick a fork in 'em -- this Apple is cooked.

Errr, yeah, sure. Apple is *ALWAYS* dying. (1)

numbski (515011) | more than 11 years ago | (#5425888)

That's not stopping my company from buying 3 XServes in 3 months, me from buying an iBook and iMac for personal use, and me from pushing new users toward apple and away from PC's.

FYI, sendmail can be fixed. Hopefully Apple releases a patch today. :P

FYI: If you were kidding, I got it. If you weren't....ack. :)

Re:Errr, yeah, sure. Apple is *ALWAYS* dying. (0)

Anonymous Coward | more than 11 years ago | (#5425975)

FYI: I was not kidding. I offered an impartial analysis as I see it. I'm sorry if I stepped on your toes; it wasn't my intention to dishearten anyone, although I can see why bad news might upset Apple fans. Use whatever makes you feel happy. Que sera, sera.

Qmail sucks! (0, Troll)

bobcat (7235) | more than 11 years ago | (#5425854)

Yeah. That's it. Qmail sucks.

And postfix never did much for me, either. Don't even talk to me about Exim.

RedHat Network Rules (4, Interesting)

Shane (3950) | more than 11 years ago | (#5425856)

I was updated before I read the E-mail telling me I _WAS_ insecure.

Just when they made me take down qmail... (1)

Nonesuch (90847) | more than 11 years ago | (#5425860)

Great. The week they make me replace all of my quick little qmail relays with Sendmail, out comes a new vulnerability.

If only I could find a sweet little qmail patch to clean up the exploit code, perhaps I can convince management to let me bring back Qmail as a front-end processor to protect Sendmail.

Oh well, it's off to patch I go.

OpenBSD? (2, Interesting)

Elequin (137149) | more than 11 years ago | (#5425863)

Doesn't OpenBSD install with Sendmail active by default? I believe it does, but I don't think it listens to anything but localhost by default. If it does, this would be the second remote root exploit in OpenBSD in as many years.

Not bad once you think about it.

- Eric

Re:OpenBSD? (2, Insightful)

Anonymous Coward | more than 11 years ago | (#5425936)

Umm...How is it a remote root exploit if it's only listening on localhost?

Re:OpenBSD? (1)

questionlp (58365) | more than 11 years ago | (#5425962)

FreeBSD has been shipping with Sendmail enabled but limited to only localhost connection since 4.5 or 4.6 (to completely disable it, set sendmail_enable to "NONE" in /etc/rc.conf; "NO" sets it to localhost only and "YES" sets it to default configuration).

I don't know about OpenBSD nor NetBSD.

Commodore 64 Security! (0)

Anonymous Coward | more than 11 years ago | (#5426008)

Not one remote hole in the unplugged install in 20 years.

Re:OpenBSD? (0)

Anonymous Coward | more than 11 years ago | (#5426011)

Who cares about this really?

I mean really?

Sure, the 4 or 5 OBSD supporters will reply, but that's it. Anyone who uses their machines for something is going to have to run actual services on their OS, such as a mail daemon and even (GASP) a web server!

Not bad once you think about it.

Yep. I've thought about it, and I could give a rat's ass.

Oh no... (2, Funny)

maxbang (598632) | more than 11 years ago | (#5425866)

Looks like it's time to add another three thousand pages to the Sendmail manual.

Still finding holes in sendmail? (0)

Anonymous Coward | more than 11 years ago | (#5425882)

How many lines of code does it take to send mail, 1,000 at most? This thing should be completely bug-free by now.

save time (1)

bumby (589283) | more than 11 years ago | (#5425883)

It would save both time and space to find the lines in sendmail which have _not_ got a vulnerability ;)

Open Source All (2, Insightful)

Anonymous Coward | more than 11 years ago | (#5425884)

Look at how fast open source software can patch security holes! Oh...wait, it's been almost 2 months since this has been discovered.

A better Fix (2, Offtopic)

gmuslera (3436) | more than 11 years ago | (#5425894)

Postfix [postfix.org] .

A remote root exploit for maybe the most used mail server on the planet, one that can bypass firewalls if a connection with the SMTP server is possible, or even with SMTP proxies in the middle, is a nasty one. Especially when, as it is so widely deployed, even with the months "needed" to make a worm of it, a big number of vulnerable servers will remain.

At least it could be used as an opportunity to fix mail servers which have administrators that don't care and are used as open relays.

Bypasses _some_ SMTP proxies (4, Informative)

Nonesuch (90847) | more than 11 years ago | (#5426045)

I'm on hold with Cisco now, but it appears that the exploit code would make it past the PIX "protocol fixup" for SMTP. Not that I expect "fixup" on a PIX to offer much protection.

However, there are a number of SMTP proxy applications which do "deeper" checking of the message, and which would serve to protect vulnerable servers. Most of these are expensive, and slow.

Realistically, my solution for my servers is as follows:

  1. Upgrade sendmail to the latest release.
  2. Make configuration changes to run sendmail as a non-root user.
  3. Investigate running sendmail 'chroot'.

My problem right now is that the company-accepted standard for spam filtering is milter based, and can only run under Sendmail. If I "hide" the sendmail listener behind another MTA that directly faces the Internet, then my spam filter is ineffective, as I would lose all of the benefit of being able to reject senders and messages based on the remote IP (RBL) and other checks.

The worst drawback of putting the anti-spam Sendmail filter "inside" is that since the message has already been accepted by one of our mail servers, if the spam filter chooses to reject the message, it needs to generate and deliver a "bounce" message, just in case the reject was a "false-positive", to notify the sender.

If the spam filter is on the outermost edge and can talk directly to the sending host, it can return a 5xx "reject" SMTP result code, and it's up to the sending host to generate and deliver the bounce.

Salt in the wound (5, Funny)

LongJohnStewartMill (645597) | more than 11 years ago | (#5425909)

Be sure to watch the animation [iss.net] of the sendmail exploit. Talk about rubbing it in. Not only did they post their discovery, but they made a cartoon about it. That takes some time to make, so they must think they'll be able to use the cartoon again. They're probably right - it's sendmail.

root? (0)

Anonymous Coward | more than 11 years ago | (#5425910)

This bug can give an attacker the ability to gain remote root access to the targeted system.
The article describes what seems to be a standard buffer overflow... who runs their MTA as root?

I've heard horror stories of sendmail's security, but does it really lack even the basic, rudimentary security features that other MTAs such as Postfix [postfix.org] and qmail [qmail.org] have?

Guess it's time to change.. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5425917)

That statement on OpenBSD's homepage [openbsd.org] to "Only two remote holes in the default install, in more than 7 years!"

It's gotta suck having to include buggy software (*cough* sendmail *cough*), I feel for them.

Re:Guess it's time to change.. (0)

Anonymous Coward | more than 11 years ago | (#5426024)

I guess they forgot about the OpenBSD ftp exploit too. Theo is a liar and a signifier.

Steps to world domination. (0)

Anonymous Coward | more than 11 years ago | (#5425920)

1) Uninstall Sendmail
2) Install gnu/hurd
3) use a 14.4k serial modem dialing into a $4.99 min Afghanistan ISP
4) Install Qmail with tarpit
5) ???
6) NO VULNERABILITY (it's too slow and expensive for profit, but it works).

Wouldnt this... (0, Flamebait)

josh crawley (537561) | more than 11 years ago | (#5425935)

Be the SECOND remote root hole for OpenBSD users?

Re:Wouldnt this... (2, Insightful)

jackmama (34455) | more than 11 years ago | (#5426057)

No. Sendmail doesn't accept external connections in a default OpenBSD install.

Actually no... (4, Informative)

Sits (117492) | more than 11 years ago | (#5426060)

By default OpenBSD sets sendmail to only listen on localhost. However that does make it a local root hole in a default install.

obligatory 'sendmail is evil' post (0)

Anonymous Coward | more than 11 years ago | (#5425940)

Here's the obligatory 'sendmail is evil' yadda, yadda, yadda, post. We should be using something like qmail/postfix/exim/whatever

qualyguard (-1)

GetTragic (21640) | more than 11 years ago | (#5425943)

I wonder why my company is even paying for Qualysguard, pretty sad the first we hear about this is from slashdot

1337 (5, Funny)

Anonymous Coward | more than 11 years ago | (#5425947)

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2002-1337 to this issue


heh. leet.

Fed up with sendmail. (2)

Wakko Warner (324) | more than 11 years ago | (#5425957)

So I'm planning on getting rid of it once and for all. Can someone point me toward a very simple drop-in replacement for this bloated old pile of shit that doesn't take a day to set up?

I'd like something I can have up and running and doing EVERYTHING my sendmail config does in a few hours, at most.

Does something like this even exist, or am I stuck wasting a day either reinstalling sendmail or installing some other bloated, shitty, difficult-to-configure MTA?

- A.P.

Install postfix (0)

Anonymous Coward | more than 11 years ago | (#5426000)

It's very nice.

Re:Fed up with sendmail. (1)

clasher (2351) | more than 11 years ago | (#5426020)

Postfix [postfix.org] has been good to me and it has simple instructions (in the INSTALL file) for replacing sendmail. As long as you are using pretty standard settings in sendmail it is almost a drop in replacement.

Sysadmins' parade of embarrassment (0)

Anonymous Coward | more than 11 years ago | (#5425963)

Please answer me this one. John Doe wouldn't switch apps because it is a whole new task to get into the new ones, but a fucking sysadmin can't use something more secure, or does he do that on purpose?

Why do these people keep using software that they know has been (and probably still is) insecure?

Proof (1, Funny)

skydude_20 (307538) | more than 11 years ago | (#5425967)

ISS Discovers A Remote Hole In Sendmail
Finally, proof that the work being done in space is actually accomplishing something useful for everyone

A Remote Hole in Sendmail (1)

malia8888 (646496) | more than 11 years ago | (#5425974)

"Most major OS vendors will be releasing patches immediately." I am using the iron-on patch myself. It is much faster and secure than the downloadable patch. And, it is machine washable.

that's why my mail server is written in Prolog (0)

Anonymous Coward | more than 11 years ago | (#5425976)

Well, actually a combination of Snobol, Prolog and FORTH. Nothing can go wrong!

fp First Path! (1)

xinot (98923) | more than 11 years ago | (#5425977)

Wow! I managed to patch my system before the announcement got posted to /. Thanks Todd!

Spinoff (0)

InfoVore (98438) | more than 11 years ago | (#5425998)

"A security vulnerability in the Sendmail Mail Transfer Agent (MTA) has been identified by ISS."

Wow! So the three guys stuck up in the International Space Station found a Sendmail vulnerability. Just more proof that we should support manned space flight. Spin-offs!

I.V.

Slackware (3, Informative)

Phroggy (441) | more than 11 years ago | (#5426004)

Patch available from the usual place [slackware.com] .

Running Mail As Root Long Considered Harmful (4, Interesting)

billstewart (78916) | more than 11 years ago | (#5426026)

Look, how long have we known that running a mail system as root is dangerous, stupid, unnecessary, and avoidable? And how many times do we have to see root exploits in Sendmail before we get the hint? System III (predecessor to System V) was running email delivery as non-root, group-mail back in what, 1983? It just works, folks! The "let's make TCP/IP secure by making ports below 1024 root-only" strategy has its good points and its bad points, but if your operating system doesn't let you make exceptions for specific ports in the kernel, you can use a minimal wrapper for TCP services that opens port 25 and sets uid=mail, so it never processes any user input until it's Not Root.

Leave aside the issues of whether it's safe to run a massive program written in C with annually discovered buffer overflow exploits, or the usual sendmail-basher fun about the need for Turing-machine-complete config files. If you don't want to get rooted, don't run stuff as root. Bad enough that it's possible to get rooted by non-privileged processes that leave trojans around where root can be tricked into running them, or use non-root processes to read files that maybe they shouldn't be reading (e.g. tricking a group-mail MTA into reading people's mailboxes.)
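The wrapper billstewart describes, and the "run as a non-root user" and "chroot" items in Nonesuch's list further up, as an added example that is not part of the Slashdot thread or of sendmail itself: a small C program that binds port 25 while it is still root, optionally chroots, drops to an unprivileged account, verifies that root cannot be regained, and only then accepts connections and hands each one to an MTA child on stdin/stdout. The account name "mail", the MTA path /usr/sbin/sendmail with its -bs (SMTP on stdin/stdout) mode, and the absence of a jail directory are assumptions in this example; adapt them to your system. The point it demonstrates is the ordering: nothing the remote peer sends is read before the privilege drop has happened and been checked.

```c
/* Added example, not from the thread or from sendmail: bind a privileged port
 * as root, drop to an unprivileged user, then serve. Build with
 *   cc -Wall -o port25wrap port25wrap.c
 * and run as root; the functions themselves also work unprivileged on port 0. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step 1: create the listening socket. Ports below 1024 need root; port 0 asks
 * the kernel for an ephemeral port, which lets the function be tested unprivileged.
 * Returns the listening fd, or -1 on any failure. */
int listen_on(const char *addr, unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: optional chroot, then drop privileges in the only order that works:
 * chroot and setgroups need root, setgid before setuid, setuid last.
 * Returns 0 only if the drop succeeded AND root cannot be regained. */
int drop_privileges_to(uid_t uid, gid_t gid, const char *jail)
{
    if (jail && (chroot(jail) != 0 || chdir("/") != 0)) return -1;
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1; /* shed supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;               /* drop was not permanent */
    return 0;
}

/* Look the target account up by name (e.g. "mail"). The lookup must happen
 * before any chroot, since it reads /etc/passwd. */
int drop_privileges(const char *user, const char *jail)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    return drop_privileges_to(pw->pw_uid, pw->pw_gid, jail);
}

/* Returns 1 when the process is not root and cannot become root. */
int running_unprivileged(void)
{
    return geteuid() != 0 && setuid(0) != 0;
}

/* Step 3: only now read attacker-supplied bytes. Each accepted connection
 * becomes stdin/stdout of a child running the MTA; the child inherits the
 * already-dropped credentials, so a bug in it yields at most the "mail" user. */
static void serve(int lfd, char *const argv[])
{
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) { if (errno == EINTR) continue; break; }
        pid_t pid = fork();
        if (pid == 0) {
            dup2(cfd, 0); dup2(cfd, 1);
            close(cfd); close(lfd);
            execv(argv[0], argv);
            _exit(127);
        }
        close(cfd);
        while (waitpid(-1, NULL, WNOHANG) > 0) ;   /* reap finished children */
    }
}

int main(void)
{
    /* Assumed: the MTA speaks SMTP on stdin/stdout in this mode (sendmail -bs)
     * and the unprivileged account is called "mail". */
    char *const mta[] = { "/usr/sbin/sendmail", "-bs", NULL };
    int lfd = listen_on("0.0.0.0", 25);
    if (lfd < 0) { perror("listen_on"); return 1; }
    if (drop_privileges("mail", NULL) != 0) { perror("drop_privileges"); return 1; }
    if (!running_unprivileged()) { fputs("still root, refusing to serve\n", stderr); return 1; }
    serve(lfd, mta);
    return 0;
}
```

The refusal to serve when running_unprivileged() is false is deliberate: a wrapper that silently falls back to serving as root is worse than one that fails to start, because the failure mode it exists to prevent is exactly the one the thread is about.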

Read as ISS discovers Hole... (4, Funny)

msheppard (150231) | more than 11 years ago | (#5426035)

I mis-read that title as ISS (Space Station) discovers HOLE, and immediately thought our worst fears of a problem with the space station with the shuttle fleet grounded might have happened.

Of course the Russian Soyuz could always come to the rescue.

M@

FreeBSD also patched. (3, Informative)

Brooks Davis (22303) | more than 11 years ago | (#5426037)

FreeBSD's 3-STABLE (last release nearly three years ago!), 4-STABLE, and 5-CURRENT branches, as well as the security branches for releases 4.3, 4.4, 4.5, 4.6, 4.7, and 5.0, were updated immediately following the advisory's release.

-- Brooks

Monoculture (3, Insightful)

Anonymous Coward | more than 11 years ago | (#5426038)

Now this is the obligatory "monoculture" is bad post.

Although this post is made somewhat jokingly, it is an important issue. Hopefully this won't become too much of a cliché. (I'm sure LWN will do an article on it. :>)

Some alternatives can be found on the Google directory [google.com] :

  • http://www.postfix.org/
  • http://www.exim.org/
  • ftp://ftp.uu.net/networking/mail/smail/
  • many more

The Sendmail Remote Exploit of the Week (3, Insightful)

lavalyn (649886) | more than 11 years ago | (#5426050)

Sendmail was always a good fun program to find remote exploits for, with its configuration file so incredibly cryptic and its architecture inherently unsafe. What other program treats local files like incoming mail? And has a .cf file that looks like raw /dev/random output?

In Soviet Russia.... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5426062)

SENDMAIL PATCHES YOU!!!!!