Login
Newsletter
Werbung

Sicherheit: DoS-Problem in sendmail
Aktuelle Meldungen Distributionen
Name: DoS-Problem in sendmail
ID: CSSA-2001-034.0
Distribution: Caldera
Plattformen: Caldera alle
Datum: Sa, 13. Oktober 2001, 13:00
Referenzen: Keine Angabe
Applikationen: Sendmail

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera International, Inc. Security Advisory

Subject: Linux - sendmail queue run privilege problem
Advisory number: CSSA-2001-034.0
Issue date: 2001, October 05
Cross reference:
______________________________________________________________________________


1. Problem Description

There is a permission problem in the default setup of sendmail in all
OpenLinux versions, which allows a local attacker to cause a denial
of service attack effectively stopping delivery of all mails from
the current system.

This vulnerability also allows a local attacker to read the full headers
of all mails in the mail queue.


2. Vulnerable Versions

All sendmail versions on currently supported OpenLinux product are
vulnerable.


3. Solution

There are no fixed packages available.

Workaround:

OpenLinux 2.3, OpenLinux eServer 2.3.1 and OpenLinux eDesktop 2.4:

In /etc/sendmail.cf, change the line:

O PrivacyOptions=authwarnings

to read:

O PrivacyOptions=authwarnings,restrictqrun


OpenLinux Workstation and Server 3.1:

In /etc/mail/sendmail.cf, change the line:

O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb

to read:

O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb,restrictqrun


4. References

This and other Caldera security resources are located at:

http://www.caldera.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 10576.


5. Disclaimer

Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.


11. Acknowledgements

Caldera International wishes to thank Michal Zalewski for pointing out
this problem.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7vXbB18sy83A/qfwRAogdAKCo3+7TxdXQjpcUlju+AH2nGZP/+QCdFj7m
S3lXcUgF2b2ihvDBYKco6x8=
=zQ4+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com
Pro-Linux
Pro-Linux @Twitter
Neue Nachrichten
Werbung