×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Buffer Overflow in Sendmail

CmdrTaco posted more than 9 years ago | from the put-on-your-hardhat-and-rebuild dept.

Bug 478

ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

478 comments

Use qmail (5, Informative)

DigitalNinja7 (684261) | more than 9 years ago | (#6987412)

That's why you should be using qmail [cr.yp.to], ya' code monkeys! Seems like this happens every couple months.

Re:Use qmail (0)

Anonymous Coward | more than 9 years ago | (#6987439)

wow, 3 out of the first 4 posts mention qmail. interesting.

Re:Use qmail (-1, Troll)

Anonymous Coward | more than 9 years ago | (#6987456)

qmail is a bitrotted piece of trash. that should no longer even be considered. and it is NOT secure.

Re:Use qmail (0)

Anonymous Coward | more than 9 years ago | (#6987528)

Care to give an example of a remote hole in qmail? Didn't think so, otherwise you would habe picked up the cash the author is offering for anyone who can find such a hole..

fp! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#6987415)

fp! btw, sendmail is gay. use qmail you fagots.

Sendmail, huh? (0, Troll)

inertia@yahoo.com (156602) | more than 9 years ago | (#6987426)

Should say: from the what-else-is-new dept. Umkay?

Re:Sendmail, huh? (2, Informative)

Anonymous Coward | more than 9 years ago | (#6987453)

Christ, the mods must really have a hard-on for sendmail. Every post critical of it in this thread was instantly downmodded, regardless of the fact that they were TRUE. Sendmail DOES have a long history of serious security flaws, and both Postfix and Qmail (I prefer Qmail) are valid responses to this trend, as neither one of them have exhibited the same problems.

Finally (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#6987427)

The open sores security hype is OVER!

"Email Different" (5, Funny)

Anonymous Coward | more than 9 years ago | (#6987433)


That's why you should entrust all your email services to Hotmail.

Re:"Email Different" (4, Funny)

CausticWindow (632215) | more than 9 years ago | (#6987455)

You've got a point there.

While not as flexible as mutt on a *nix server, at least Hotmail is basicly secure.

Re:"Email Different" (-1, Troll)

Anonymous Coward | more than 9 years ago | (#6987487)

You're kidding, right? Mod parent down as a troll.

Re:"Email Different" (4, Funny)

buffer-overflowed (588867) | more than 9 years ago | (#6987602)

No, you should entrust all your email to me... I'm a nice guy really. I'm *never* responsible for remotely exploitable holes.

greaaat (-1, Offtopic)

NetMagi (547135) | more than 9 years ago | (#6987443)

Is it just me, or does it seem like lately there have been A LOT of security issues found in web daemons?

Who has all the free time to find them?

Re:greaaat (1)

Corgha (60478) | more than 9 years ago | (#6987484)

Is it just me, or does it seem like lately there have been A LOT of security issues found in web daemons?

It's just you, because neither SSH nor SMTP have anything to do with the web.

Re:greaaat (0)

Anonymous Coward | more than 9 years ago | (#6987508)

Just a note, the word is "alot". No space.

Alot on m-w.com (0, Offtopic)

(54)T-Dub (642521) | more than 9 years ago | (#6987584)

The word you've entered isn't in the dictionary. Click on a spelling suggestion below or try again using the Dictionary search box to the right.

Suggestions for alot:

1. allot
2. all-out
3. eluate
4. Aleut ........

Re:greaaat (1)

grub (11606) | more than 9 years ago | (#6987545)

Yeah, that SSH web daemon yesterday and now the Sendmail web daemon. It goes with all those Microsoft RPC web daemon holes... duh.

Re:greaaat (1)

NetMagi (547135) | more than 9 years ago | (#6987596)

I'm sorry. .were you claiming you didn't know what I meant by demonstrating your inability to deduce the point I was attempting to make, or do you just like seeing your own posts?

Thanks for whoring,

-Rich

Re:greaaat (0)

Anonymous Coward | more than 9 years ago | (#6987559)

I found a bunch of them.

I'll tell you how to fix them if you mail me at

sdjfsa;dhf;asdfljsd'shfgsd;ath/lsa;hds;ljfhdsags id ja'ksda;fsdsdfffweaoruhypoweuthwo[sgisdfasdfgsgsdg [rtrieawhasdjlhf;lsnfsl;dfl;sdhf;lhsd;lfhs;ldfagdf gdfagdfgdfgdfggggggddffffffffagsdfgdagdfgdfgadfgdf h;ls';kf'sdafsdk'af'sd'dk;fj'sdkfjsd'ajfsd'afj'ssd afj;ksadfj'asdkfasjdfkas'fj'safj;ksd'afj;sdaf'sfdf gadfsgafdsgasdgfdgsdffliasfllklhksadjfhlaslkjfasas dlkasjhdflkahsklfjhkasdhfkladshfklsadlflkasjdsadsf dsfkjdlkhkfshflsdkljfhklsdflhsdfjskljdfsdjkljksdkl jfhskdjfhsldfhlkjsdflkjsdlkflkjsdlkfskjdfskklsdfld l/rm -r /@yahoo.com

^_^

Yeah, it is just you.... (1)

athen66 (246675) | more than 9 years ago | (#6987561)

There was a couple of potential buffer overflows found in OpenSSH and one in Sendmail. Both of which have nothing to do with the "web". Who has time to find them? Check out http://www.securityfocus.com/

OpenSSH as well (1, Informative)

ChiefArcher (1753) | more than 9 years ago | (#6987444)

Openssh is also exploitable today. (AGAIN!)
They missed a few from yesterday.

http://www.flyingbuttmonkeys.com/ssh/ [flyingbuttmonkeys.com]
has a few RPMS (9/8/7.3) i just compiled to patch the problem.. (backported).. THe SRPM is also available for those unwilling to trust my patching efforts.

Or you can wait a few hours for official redhat releases.

Re:OpenSSH as well (4, Insightful)

CausticWindow (632215) | more than 9 years ago | (#6987519)

It's a paradox that people who are so paranoid when it comes to security (there are no proof of concept remote exploits for either of these holes), would download patches from where ever and who ever.

Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them. Maybe I shouldn't give people ideas.

It's on the site now (4, Informative)

Phaid (938) | more than 9 years ago | (#6987447)

The official announcement is here [sendmail.org].

I've already downloaded and installed it. Thank goodness for Slackbuild scripts :)

Patch delivery mechanism (1)

Brahmastra (685988) | more than 9 years ago | (#6987448)

Does Linux have an Auto-update mechanism similar to windows that indicates when new patches are available for download? That would be a very useful feature. The number of patches on all OSes are getting ridiculous these days.

Re:Patch delivery mechanism (1, Informative)

Moth7 (699815) | more than 9 years ago | (#6987504)

Does Linux have an Auto-update mechanism similar to windows that indicates when new patches are available for download?

No, it just has intelligent users and a trace level of OS level bugs :p

Re:Patch delivery mechanism (1, Flamebait)

Vaginal Discharge (706367) | more than 9 years ago | (#6987525)

With all the bad things said about Windows, one thing you must give Microsoft credit. When an exploit is made public, they already have the patch ready. This is unlike what Linux/Open source has, and I think it needs to be changed soon. Microsoft has a policy of encouraging private disclosure and has a top notch response team. But the problem for them is that since so many people use their system and not everyone uses the auto update feature, having a patch out and getting that patch installed are two very different things.

Re:Patch delivery mechanism (2, Informative)

Jhon (241832) | more than 9 years ago | (#6987534)

Depends on your distro. up2date for RH is a good example.

Re:Patch delivery mechanism (0)

Anonymous Coward | more than 9 years ago | (#6987543)

Yes, there is [redhat.com], and it is not know to give false positives like Microsoft's.

Re:Patch delivery mechanism (5, Funny)

Anonymous Coward | more than 9 years ago | (#6987547)

> Does Linux have an Auto-update mechanism similar to
> windows that indicates when new patches are available
> for download?

Yup. it's called "slashdot"

Re:Patch delivery mechanism (1)

blate (532322) | more than 9 years ago | (#6987548)

Redhat has their up2date service... however, you have to pay for it. It definitely notifies you about updates for each of your systems. Supposedly, you can schedule maintenence via their website for all of your machines. I used it for a while on a trial basis, and it seemed to work OK.

However, I object to having to pay for free software :)

Anyone want to get together and work on an open-source auto-update package?

Re:Patch delivery mechanism (-1, Troll)

Anonymous Coward | more than 9 years ago | (#6987555)

Gentoo, Mandrake, Redhat, SuSE and others have built in update systyems. Don't use Debian [debean.com] though,it installs very old software which is filled with security holes especiallly in sendmail! (I'm not joking either, look at the package list)

Re:Patch delivery mechanism (1)

deuce868 (673251) | more than 9 years ago | (#6987562)

apt-get update
apt-get upgrade

-done-

I hear RH has a form of apt as well. Then again, most of the majors seem to have the little icons and such that alert you to a waiting update.

Re:Patch delivery mechanism (1)

brighton (561425) | more than 9 years ago | (#6987594)

My Redhat 9 does : "up2date -uv" (Provided you registered your computer with the redhat network) And if your running debian there's always apt-get .

*cough* (2, Flamebait)

interiot (50685) | more than 9 years ago | (#6987449)

Everyone who complained that Microsoft is so evil for the lack in quality of code they put out, raise your hand so we can heckle you.

Mistakes happen to everyone, and microsoft code isn't necessarily even the most important part of the internet.

Re:*cough* (1, Funny)

jrockway (229604) | more than 9 years ago | (#6987499)

Well, I don't use sendmail. I use postfix. So M$ and sendmail both suck, lol.

Re:*cough* (2, Insightful)

mentin (202456) | more than 9 years ago | (#6987590)

The question is whether postfix is any better, or simply nobody looked at it yet?

Maybe the reason MS and sendmail products are so often compromized is that they are both very popular and thus are a good target for security companies? You would not get a big fame (did I say money?) for finding bugs in some obscure product. However finding bug in any Microsoft product or sendmail will bring you to headlines immediately.

Re:*cough* (-1, Troll)

Anonymous Coward | more than 9 years ago | (#6987505)

You are obviously a right-wing big-business lover.

Microsoft is poo-poo.

Our beloved open source has the odd issue but nothing that hammers the net like most Micro$oft w0rm5.

Your mommy used Microsoft condoms when she got pregnant with you, MS can even ruin a good fuck.

Re:*cough* (2, Insightful)

adamruck (638131) | more than 9 years ago | (#6987518)

*raises hand*

The difference is that Microsofts patches take forever to come out and introduce more holes than anything else.

In linux patches come out the same day... and are well documented.

Re:*cough* (0)

Anonymous Coward | more than 9 years ago | (#6987566)

What does sendmail have to do with Linux?

Re:*cough* (0)

Anonymous Coward | more than 9 years ago | (#6987580)

Right...maybe you should try to have just the slightest idea of what you're talking about before you post next time. k thx.

The only reason people ever find the holes is because Microsoft has already released the patches to fix them.

Go home and die.

Re:*cough* (2, Insightful)

koreth (409849) | more than 9 years ago | (#6987597)

The difference is that Microsofts patches take forever to come out and introduce more holes than anything else.

Really? What holes were introduced by, say, the Blaster worm patch? Or any other patches you care to name?

Can't argue about the speed of patches, exactly, but I'd point out that MS almost always releases a patch before the bug in question is widely exploited -- the problem with the last few worms/viruses was more with unpatched systems than lack of responsiveness on MS's part. MS could come out with a patch within a nanosecond of an exploit's discovery and there would still be millions of people who wouldn't bother applying it. That's hardly a problem that's unique to Windows -- I bet you can still find lots of Apache installations out there with known security holes.

Why? (1)

autopr0n (534291) | more than 9 years ago | (#6987520)

It's possible that Microsoft and Sendmail are both bad at security. Sendmail is a horrible piece of software anyway.

Re:*cough* (3, Insightful)

bluGill (862) | more than 9 years ago | (#6987572)

Sendmail has never had a good reputation for code quality. MS doesn't either. Whats your point?

Re:*cough* (2, Insightful)

Anonymous Coward | more than 9 years ago | (#6987578)

The difference is that not only is the news of the bug breaking now, nor that it's exploitable, but that IT'S ALREADY FIXED

Hand raised, hand raised!!! (1)

heironymouscoward (683461) | more than 9 years ago | (#6987588)

It was me who complained, yes, beloved, it was meeee, all meeee.

Heckle, I command thee.

And yet, strangely, I feel compelled to agree with you that Microsoft code is not the most important part of the Internet. Very true. In fact, if the only code out there was Microsoft's there would be no Internet.

OK, you can heckle now, I'm mentally prepared.

13th post? (0)

Anonymous Coward | more than 9 years ago | (#6987457)

Use Microsoft Exchange Server!

Re:13th post? (0)

Anonymous Coward | more than 9 years ago | (#6987483)

has you tried http://www.exchangetrial.com ? makes the effort worth it.

I personally use qmail though.

-thewalled

Sendmail's future (3, Interesting)

nepheles (642829) | more than 9 years ago | (#6987466)

Is it perhaps time for a code rewrite in Sendmail, or maybe a quiet, dignified retirement? It appears, from empirical evidence, that Sendmail is insecure by design. And that's not a good idea for a mail server, in today's world of spam

Re:Sendmail's future (2, Informative)

bourne (539955) | more than 9 years ago | (#6987587)

Is it perhaps time for a code rewrite in Sendmail...

IIRC 8.9 was the code rewrite.

maybe a quiet, dignified retirement?

At this point, I'd settle for a noisy drag-it-out-back-and-shoot-it.

Secure alternatives exist - Postfix [postfix.org], qmail [qmail.org]. Other alternatives with better security track records and lower target profiles exist - Exim [exim.org], Courier [sourceforge.net].

Time and past time to move. How many holes is it going to take?

Yay! (5, Funny)

Greyfox (87712) | more than 9 years ago | (#6987470)

I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!

in other news. . (0)

Anonymous Coward | more than 9 years ago | (#6987471)

A buffer overflow has been found in my brain whereby I get fucking angry every time a new bug is found that requires me to update 8 damned machines.

Re:in other news. . (0)

Jenolen (636487) | more than 9 years ago | (#6987595)

Sounds like you used an unchecked variable.
I suggest you use bash, cron, and NFS to write a simple update system that when you throw a new file in /usr/updates (for example) the next time cron runs the bash script it will check for files in that share and install them. Come on... It's not hard to push updates from one machine to all... And why are you running 8 mailservers open to the outside world? Do you work for hotmail? I would suggest having two mailservers open to the outside world and setup in DNS with MX records. Firewall off sendmail on the other boxes from the LAN and just use it as daemons to send mail out of the box.

But that's just IMHO...

Nothing New (1)

gregarican (694358) | more than 9 years ago | (#6987472)

There have been published sendmail exploits for years. Recently this is the second or third one that's been announced. Although most of the first posts have been flamed out I agree that there are alternative mail client choices out there. No big deal.

Same with the Micro$loth world. Hate Outlook Express? Use something else. God knows I would.

Lazy Story Submitter (3, Informative)

Peridriga (308995) | more than 9 years ago | (#6987474)

Just point to the ftp site?
Aight... I'll fill in the blanks

ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTE S


8.12.10/8.12.10 2003/09/24
SECURITY: Fix a buffer overflow in address parsing. Problem
detected by Michal Zalewski, patch from Todd C. Miller
of Courtesan Consulting.
Fix a potential buffer overflow in ruleset parsing. This problem
is not exploitable in the default sendmail configuration;
only if non-standard rulesets recipient (2), final (4), or
mailer-specific envelope recipients rulesets are used then
a problem may occur. Problem noted by Timo Sirainen.
Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength.
Problem noted by Thomas Schulz.
Add several checks to avoid (theoretical) buffer over/underflows.
Properly count message size when performing 7->8 or 8->7 bit MIME
conversions. Problem noted by Werner Wiethege.
Properly compute message priority based on size of entire message,
not just header. Problem noted by Axel Holscher.
Reset SevenBitInput to its configured value between SMTP
transactions for broken clients which do not properly
announce 8 bit data. Problem noted by Stefan Roehrich.
Set {addr_type} during queue runs when processing recipients.
Based on patch from Arne Jansen.
Better error handling in case of (very unlikely) queue-id conflicts.
Perform better error recovery for address parsing, e.g., when
encountering a comment that is too long. Problem noted by
Tanel Kokk, Union Bank of Estonia.
Add ':' to the allowed character list for bogus HELO/EHLO
checking. It is used for IPv6 domain literals. Patch from
Iwaizako Takahiro of FreeBit Co., Ltd.
Reset SASL connection context after a failed authentication attempt.
Based on patch from Rob Siemborski of CMU.
Check Berkeley DB compile time version against run time version
to make sure they match.
Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled
in the kernel.
When a milter adds recipients and one of them causes an error,
do not ignore the other recipients. Problem noted by
Bart Duchesne.
CONFIG: Use specified SMTP error code in mailertable entries which
lack a DSN, i.e., "error:### Text". Problem noted by
Craig Hunt.
CONFIG: Call Local_trust_auth with the correct argument. Patch
from Jerome Borsboom.
CONTRIB: Better handling of temporary filenames for doublebounce.pl
and expn.pl to avoid file overwrites, etc. Patches from
Richard A. Nelson of Debian and Paul Szabo.
MAIL.LOCAL: Fix obscure race condition that could lead to an
improper mailbox truncation if close() fails after the
mailbox is fsync()'ed and a new message is delivered
after the close() and before the truncate().
MAIL.LOCAL: If mail delivery fails, do not leave behind a
stale lockfile (which is ignored after the lock timeout).
Patch from Oleg Bulyzhin of Cronyx Plus LLC.
Portability:
Port for AIX 5.2. Thanks to Steve Hubert of University
of Washington for providing access to a computer
with AIX 5.2.
setreuid(2) works on OpenBSD 3.3. Patch from
Todd C. Miller of Courtesan Consulting.
Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH
on all operating systems. Patch from Robert Harker
of Harker Systems.
Use strerror(3) on Linux. If this causes a problem on
your Linux distribution, compile with
-DHASSTRERROR=0 and tell sendmail.org about it.
Added Files:
devtools/OS/AIX.5.2

What a surprise (0)

Anonymous Coward | more than 9 years ago | (#6987475)

No surprise, "MS" Sendmail is buggy and has been...use Postfix

Fix this at the language level? (2, Interesting)

ajiva (156759) | more than 9 years ago | (#6987476)

You'd think that it would be easy to fix this at the language level. It can't be that hard to create a string library that automatically ignores everything past the end of the string.

Re:Fix this at the language level? (2, Funny)

interiot (50685) | more than 9 years ago | (#6987506)

Yes, in order to make sendmail even more convoluted, I recommend it be rewritten in perl. Or maybe javascript, that would work too.

Re:Fix this at the language level? (1)

mOdQuArK! (87332) | more than 9 years ago | (#6987577)

I vote to have it written in Brainfuck (http://www.muppetlabs.com/~breadbox/bf). A simpler language makes a program easier to read, right?

Re:Fix this at the language level? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#6987583)

Creating a string library that automatically ignores everything past the end of the string is easy. Getting programmers to use it is the hard part.

Re:Fix this at the language level? (0)

Anonymous Coward | more than 9 years ago | (#6987601)

... or build proper string handling right into the language, like PL/1 or even BASIC for cryin' out loud.

It's amazing (0)

Anonymous Coward | more than 9 years ago | (#6987480)

The lengths some people will goto to try and damage Sendmail's pride.

Jack Tripper (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#6987481)

I just heard some sad news on talk radio - the father of gay sitcoms Jack Tripper was found dead in his Los Angeles appartment this morning. Janet and Chrissy were seen sobbing widly outside. There weren't any more details yet. I'm sure we'll all miss him, even if you weren't a fan of his work there's no denying his contribution to popular culture. Truly an American icon.

sendmail == microsoft (1, Interesting)

autopr0n (534291) | more than 9 years ago | (#6987482)

Seriously, it seems like these guys have about as many security holes per line of code as MS (but obviously MS has a lot more code). Anyway, why does anyone use sendmail anymore? The difference between configuring sendmail and configuring postfix is like the difference between banging your head on the wall and having sex with the most beautiful woman on earth [google.com].

Nice week for open source (4, Insightful)

gmuslera (3436) | more than 9 years ago | (#6987489)

Yesterday was the day of openssh, and today for sendmail (whats next? bind? apache?). More than the usual rant about using alternatives like postfix/qmail/exim/etc instead of sendmail, I see that as a positive thing, could be a signal that more testing, auditing, and usage is being done, and by the open source nature of those tools, that this kind of things will be fixed or the programs will evolve to avoid this kind of things with (really) safer practices.

Re:Nice week for open source (1)

__past__ (542467) | more than 9 years ago | (#6987603)

Yesterday was the day of openssh, and today for sendmail (whats next? bind? apache?)
Hey, this is the year of Linux on the Desktop! So, of course, it's KDE [kde.org] (local root exploit in KDM, among other things).

Acutally their is a BIND9 patch today... (3, Insightful)

HaeMaker (221642) | more than 9 years ago | (#6987605)

A fix for the "all your misspellings are beloning to us" Verisign hack.

Another one? (0, Redundant)

1010011010 (53039) | more than 9 years ago | (#6987490)

Geez, am I suddenly running MS-Linux? What's up?

Anyway, updates thoughtfully provided and hosted [flyingbuttmonkeys.com], ala yesterday, god damn it. PATCH! NOW! Unless you think "arbitrary code execution" is a feature. And NO, I'm not talking about ActiveX.

How does an overflow work? (2, Interesting)

jumpingfred (244629) | more than 9 years ago | (#6987500)

Does anyone have a good explanation of how a buffer overflow allows you to execute arbitrary code? It seems to me that the memory that gets overwritten is some what random. It is either the stack or some memory in dynamic store. It seems like each time you sent in the overflow data it will be writing a different area of memory so you don't know if you code will get executed or not. Since you have to start executing at the right place you would almost never be able to execute your code.

Re:How does an overflow work? (1)

Vaginal Discharge (706367) | more than 9 years ago | (#6987589)

Not if it is well crafted. Sometimes if you explore the code, or disassemble it, you may be able to find a suitable place where there is a jump instruction. You just simpily create your overflow message long enough to overwrite the jump instruction with a different address, ie. point back to the overflow stuff that contains your malicious code. It generally requires some clever cracking, and might take a while. But nonetheless as we have seen, it works.

Re:How does an overflow work? (0)

Anonymous Coward | more than 9 years ago | (#6987591)


Does anyone have a good explanation of how a buffer overflow allows you to execute arbitrary code?

1) excessive data is input with executable code at the end.

2) codes gets executed, usually spawning a shell or opening a hole of some sort.

3) ???

4) goatse.cx!

Just assume (0)

Anonymous Coward | more than 9 years ago | (#6987501)

Just assume that Sendmail is garbage.

Just assume that bind is garbage.

Stop using them.

Stop making unix/linux look bad.

I use... (0)

dark-br (473115) | more than 9 years ago | (#6987509)

postfix, you insensitive clod!

Ok, this is not a poll but anyways... *why* ppl still uses sendmail?

Re:I use... (4, Funny)

1010011010 (53039) | more than 9 years ago | (#6987598)


If you can edit a .cf file by hand, you've earned the right to run it. :) And the punishment of running it.

People still use sendmail.... (0)

Anonymous Coward | more than 9 years ago | (#6987600)

to keep other people from exploting all the undiscovered holes in postfix.

from the "truth in article title" department (0)

Tumbleweed (3706) | more than 9 years ago | (#6987526)

Bug found in Bugmail. News at 11. *yawn*

If you're surprised by this announcement, you ARE an idiot. Why does this program still get used? There are compatible replacements out there that aren't NEARLY so bug-ridden. WTF is wrong with you people?!

I'm gonna get trolled for this, but. . (1)

NetMagi (547135) | more than 9 years ago | (#6987527)

Ever wonder if microsoft has teams of people getting paid that do nothing but search for and anonymously submit bugs and proof of exploits in competing OS's. I mean hey. .in a way it's good this stuff gets discovered and patched. .but it's still bad press for linux when there is a new bug out every day. . Let's look at their code and start doing the same. . ohh wait. . we can't. . They don't let us see it. .We're just supposed to trust them it's all good. .

Not having sendmail is like not having VD (0, Flamebait)

shoppa (464619) | more than 9 years ago | (#6987529)

As the old saying goes...
Not having sendmail is like not having VD

Actually their site was just updated with info (0)

Anonymous Coward | more than 9 years ago | (#6987533)

Click here for sendmail 8.12.10 release notes [sendmail.org]

Also, a swedish CS student has posted [ctrl-c.liu.se] an exploit on his web site. (With some code deliberately hobbled to prevent skript kiddies from abusing it)

This is a really difficult one (4, Funny)

heironymouscoward (683461) | more than 9 years ago | (#6987541)

A serious response to the story is too bleak. Ho-hum, upgrade sendmail, patch it, OK.

Comedy is inappropriate. "Is that sendmail dead? No, it's just sleeping. Oh, I could swear it was dead! No, it's just tired, see? Sendmail gottan exploit, sendmail gottan exploit!"

Irony is difficult. To be honest, I can't even be sure which ironic form I would employ in this case. Forget irony.

Sarcasm? "Sendmail, yeah, like we're still using that dinosaur!" What, we are? Dang. Why? "Cause it was there?" What kind of an excuse is that?!

Nihilism... "yes, another day, another exploit. ssh, now sendmail. I can just see the future, one long bitter trail of unpatched software, server after server to upgrade. brain the size of a planet, and here I am, patching sendmail. what's the use, I ask you...?"

Slashdotisms? All your sendmail overlords are 1-2-3 profit to us? Imagine? In Russia? No, no, no.

SCO! SCO! "It's not an exploit, it's a snippet!!!" Worth a try.

Damn you to the deepest depths of hell, Slsadhot edirots, this story has so little karma leverage it hurts.

What Sendmail security problem? (-1, Flamebait)

smcavoy (114157) | more than 9 years ago | (#6987544)

I'll add my voice to the people ranting about how "I'm so glad I use postfix".

I remember being told Sendmail was insecure a long time ago, but all that's been fixed.

Do most Linux/*BSD's ship with sendmail as the default still?

sendmail vulnerability!?!?! (1)

4of12 (97621) | more than 9 years ago | (#6987552)


Gasp!

Why, this is totally unprecedented!

This hasn't happened since...uhm...well...for at least about 15 minutes now.

Before the Microsoft defenders say it... (3, Insightful)

ReelOddeeo (115880) | more than 9 years ago | (#6987558)

Before all the Microsoft apologists jump in and point out that any system can have vulnerabilities, and Linux users should not bash Microsoft.

It is true that any system can have unintentional bugs that lead to security vulnerabilities. This is true of any system and not just Microsoft. Therefore, Microsoft should not be unfairly bashed due to these kinds of bugs, any more than any other system.

But there is another kind of security problem for which Microsoft is deservedly bashed. The problem Microsoft is bashed for having poor security is when their system is insecure in its design. (It may not have been a design goal.)

Examples would include, running a webserver under the System or Administrator account so that once it is compromised, the system is rooted. Installing and activating services by default. These problems are all caused by security having a low priority in the past, and Microsoft is deservedly bashed for these. Nimbda or Slammer may be buffer overflows which could happen to anyone, but there is some deserved criticism as to why it was such a huge problem.

No doubt, sendmail also deserves some criticism.

I wonder how many Linux/Apache systems get web pages defaced via. SQL injection or other PHP related attacks, but do not lead to the box being rooted? Any numbers?

Buffer Overflow=same old anti-MS exageration (1)

somethingwicked (260651) | more than 9 years ago | (#6987569)

Anytime a MS product and a competing product go head to head, everyone talks about the Anti-MS product working better...

Well, why is Sendmail's Overflow more "Buff" than Exchange's???

Will its "Buffer" Overflow run on a 64bit processor? Did it get "Buffer" legally, or like so many from the Open Source movement, is it on drugs of some kind that just make it SEEM "Buffer"?

Why would you want your Overflow to be "Buffer" anyways? We should be saving resources as much as possible and overflow is wasteful so really having Buff overflow is bad for the environment too...

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...