Linux/Sendmail Pro Security Alert (fwd)
Randall Hofland
rhofland at fastdial.net
Thu Jun 8 11:57:47 EDT 2000
And a darn good one at that!
Derek Martin wrote:
> I received this yesterday from an employee of Sendmail Inc. FYI.
> Personally I think it's a marketing ploy... ;)
>
> ---------- Forwarded message ----------
> Date: Wed, 07 Jun 2000 18:42:25 -0700
> From: Tasha Lockyer <tasha at sendmail.com>
> To: rhlcustomers at sendmail.com
> Subject: Linux/Sendmail Pro Security Alert
>
> LINUX/SENDMAIL PRO SECURITY ALERT
>
> The Problem
> A serious bug has been discovered in the Linux kernel that can be used
> by local users to gain root access. The problem, a vulnerability in the
> Linux kernel capability model, exists in kernel versions up to and
> including version 2.2.15. This problem will affect programs that drop
> setuid state and rely on losing saved setuid, even those that check that
> the setuid call succeeded.
>
> How This Affects You
> Because this vulnerability can be used to attack any setuid root program
> that attempts to cede special permission, all sendmail users can be
> exploited. Please note that this is NOT a sendmail security issue, but
> rather a Linux issue that can manifest itself in the sendmail program.
> As a result, this problem can be exploited on Sendmail Pro for Red Hat
> Linux.
>
> How To Fix It
> To resolve this issue, upgrade your Linux kernel to version 2.2.16
> immediately. If you are currently unable to obtain an upgrade from your
> vendor, we strongly recommend that you upgrade from Sendmail Pro to
> Sendmail Switch. Sendmail Switch 2.0.5 for Red Hat Linux includes a
> check for this vulnerability in the kernel and if it is present, refuses
> to run, thus making it impossible to use sendmail to exploit the
> problem. Sendmail Single Switch is available only on the Sendmail Store
> for the special promotional price of $99. To purchase this product,
> please go to:
>
> http://www2.sendmail.com/store/
>
> For more information on the Sendmail Switch product line, please see:
>
> http://www2.sendmail.com/products/routing/
>
> --
> PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> ------------------------------------------------------
> Derek D. Martin | Unix/Linux Geek
> derekm at mediaone.net | derek at cerberus.ne.mediaone.net
> ------------------------------------------------------
>
> -
> Subscription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).
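
The forwarded alert makes two technical points: a setuid call can report success while the saved setuid survives, and a program can check for that condition and refuse to run. The sketch below is an added example of such a check; it is not part of the original messages and is not Sendmail's code. The function name `drop_privileges_permanently` and its result codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_CALL_FAILED, DROP_IDS_WRONG, DROP_REGAINED };

/* Hypothetical helper: drop to uid/gid and return DROP_OK only when the
 * process has shown that it cannot get its previous effective uid back.
 * A real daemon would also clear supplementary groups while still root. */
enum drop_result drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();

    /* Group first: once the uid is gone we may not be allowed to change it. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_CALL_FAILED;

    /* A zero return is not proof. Confirm the real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_IDS_WRONG;

    /* The saved uid cannot be read portably, so test it by behaviour:
     * if it still holds the old privileged id, seteuid() back succeeds.
     * On a correctly working kernel this call must fail. */
    if (old_euid != uid && (seteuid(old_euid) == 0 || geteuid() != uid))
        return DROP_REGAINED;

    return DROP_OK;
}

int main(void)
{
    /* In a setuid-root program getuid() is the invoking user. */
    enum drop_result r = drop_privileges_permanently(getuid(), getgid());
    if (r != DROP_OK) {
        fprintf(stderr, "privilege drop not verified (code %d), refusing to run\n", (int)r);
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```
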