Linux/Sendmail Pro Security Alert (fwd)
Derek Martin
derek at cerberus.ne.mediaone.net
Thu Jun 8 10:31:54 EDT 2000
I received this yesterday from an employee of Sendmail Inc. FYI.
Personally I think it's a marketing ploy... ;)
---------- Forwarded message ----------
Date: Wed, 07 Jun 2000 18:42:25 -0700
From: Tasha Lockyer <tasha at sendmail.com>
To: rhlcustomers at sendmail.com
Subject: Linux/Sendmail Pro Security Alert
LINUX/SENDMAIL PRO SECURITY ALERT
The Problem
A serious bug has been discovered in the Linux kernel that can be used
by local users to gain root access. The problem, a vulnerability in the
Linux kernel capability model, exists in kernel versions up to and
including version 2.2.15. This problem will affect programs that drop
setuid state and rely on losing saved setuid, even those that check that
the setuid call succeeded.
How This Affects You
Because this vulnerability can be used to attack any setuid root program
that attempts to cede special permission, all sendmail users can be
exploited. Please note that this is NOT a sendmail security issue, but
rather a Linux issue that can manifest itself in the sendmail program.
As a result, this problem can be exploited on Sendmail Pro for Red Hat
Linux.
How To Fix It
To resolve this issue, upgrade your Linux kernel to version 2.2.16
immediately. If you are currently unable to obtain an upgrade from your
vendor, we strongly recommend that you upgrade from Sendmail Pro to
Sendmail Switch. Sendmail Switch 2.0.5 for Red Hat Linux includes a
check for this vulnerability in the kernel and if it is present, refuses
to run, thus making it impossible to use sendmail to exploit the
problem. Sendmail Single Switch is available only on the Sendmail Store
for the special promotional price of $99. To purchase this product,
please go to:
http://www2.sendmail.com/store/
For more information on the Sendmail Switch product line, please see:
http://www2.sendmail.com/products/routing/
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
derekm at mediaone.net | derek at cerberus.ne.mediaone.net
------------------------------------------------------
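The alert says the affected programs are those that "drop setuid state and rely on losing saved setuid, even those that check that the setuid call succeeded", and that Sendmail Switch 2.0.5 checks for the condition and refuses to run. The following is an added illustration of that kind of defensive check (my own hypothetical helper `drop_privileges_checked`, not sendmail's code): after dropping, it reads the ids back and then tries to take root back, treating success as proof that the drop did not take.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not sendmail's code): permanently drop to
 * (uid, gid) and then PROVE the drop took, instead of trusting the
 * return value of setuid(). Returns 0 when privileges are really gone,
 * -1 when they are not, in which case the caller should refuse to run. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0) {
        int n = getgroups(0, NULL);
        if (n < 0 || (n > 0 && setgroups(0, NULL) != 0))
            return -1;
    }
    /* Group before user: once the uid is gone, setgid() would fail. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* A zero return from setuid() is not proof: read the ids back. */
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;

    /* The saved ids are not visible here, so probe them: if the kernel
     * still lets us take id 0 back, the saved uid/gid never changed and
     * the drop was incomplete. (Meaningless when the target is root.) */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    if (gid != 0 && setegid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Demo: drop to the real ids of the invoking user. As a setuid-root
     * binary this is a real drop; as a plain user it is a no-op that
     * still exercises every check. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to run: privilege drop did not take\n");
        return EXIT_FAILURE;
    }
    printf("running as uid %u, root not regainable\n", (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```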