Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Jesper Knudsen on September 18, 2003, 06:47:48 PM
-
It seems that sendmail also needs to be updated (as well as OpenSSH), but I am not certain how to do that, as SME does not have a sendmail RPM installed. Any good ideas whether I can just install the RPM from Red Hat updates?
http://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-27.73.i386.rpm
Article from The Register
http://www.theregister.co.uk/content/55/32899.html
/Jesper
-
Far as I'm aware, you can ignore that, as SME uses Qmail (smtpfront-qmail).
If I'm wrong, sorry!
Byte
-
Yes, you are right.
e-smith does not use sendmail, and therefore a security fix for something that isn't in use is redundant.
You don't need to install the RPM at all.
elSpike out.
-
Byte,
You are correct. SME uses Qmail as the MTA. smtpfront-qmail is actually a frontend to Qmail that adds a kind of preprocessing functionality.
AFAIK, Qmail hasn't seen a security related patch in months if not years.
Regards,
Greg Zartman
-
Greg Zartman wrote:
> AFAIK, Qmail hasn't seen a security related patch in months
> if not years.
qmail 1.03 was released in June 1998, and hasn't required any security patches.
From the file BLURB in the release tarball:
> Secure: Security isn't just a goal, but an absolute requirement. Mail
> delivery is critical for users; it cannot be turned off, so it must be
> completely secure. (This is why I started writing qmail: I was sick of
> the security holes in sendmail and other MTAs.)
From SECURITY in the source tarball:
> Background: Every few months CERT announces Yet Another Security
> Hole In Sendmail---something that lets local or even remote users take
> complete control of the machine. I'm sure there are many more holes
> waiting to be discovered; sendmail's design means that any minor bug in
> 46000 lines of code is a major security risk. Other popular mailers, such
> as Smail, and even mailing-list managers, such as Majordomo, seem
> nearly as bad.
> Note added in 1998: I wrote the above paragraph in December 1995, when
> the latest version of sendmail was 8.6.12 (with 41000 lines of code).
> Fourteen security holes were discovered from sendmail 8.6.12 through
> 8.8.5. See http://pobox.com/~djb/docs/maildisasters/sendmail.html.
> I started working on qmail because I was sick of this cycle of doom. ...
See also:
http://cr.yp.to/qmail/guarantee.html
Charlie