Slashdot Mirror


Buffer Overflow in Sendmail

ChiefArcher writes "In the footsteps of OpenSSH, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."

9 of 478 comments

  1. *cough* by interiot · Score: 2, Flamebait
    Everyone who complained that Microsoft is so evil for the lack in quality of code they put out, raise your hand so we can heckle you.

    Mistakes happen to everyone, and Microsoft code isn't necessarily even the most important part of the internet.

    1. Re:*cough* by errxn · Score: 0, Flamebait

      You're obviously new to /., and as such, are unfamiliar with the double standard that is in place around here. Here are a couple of guidelines to get you started:

      1) Microsoft has questionable business practices, so of course that means all of their code, no matter where it came from or how well it was designed or implemented, is automatically the worst buggy garbage on the face of the planet.

      2) Any and all research, statistics, or benchmarks that are favorable to Microsoft can be dismissed out of hand, without prior examination, as FUD, because it is obviously biased towards the Evil Microsoft Marketing Machine (TM), no matter where it came from.

      3) Any or all research, statistics, or benchmarks that are unfavorable to any Microsoft product can be, without prior examination, taken as the God's honest truth, no matter where it came from.

      4) Making money off of the sale of software is OK, unless you are Microsoft. Then it is, y'know, "Evil Capitalism" and all that.

      5) Proprietary systems and product lock-in are inherently evil, and should be stopped at all costs. Unless it's done by Apple. Then it's OK, because Apple is like, cool and stuff, and they're not Evil (TM) like Microsoft.

      6) Any comment that defends anything that has even the slightest connection to Microsoft whatsoever, regardless of its interest, factual correctness, or insightfulness, is obviously just astroturfing from a member of the Evil Empire and, as such, should be instantly modded down as either "flamebait" or "troll".

      7) Any comment that disparages any aspect of Microsoft, regardless of factual correctness, stupidity, or childishness, is automatically "funny".

      Hope this helps to get you started.

      --
      In Soviet Russia, Chuck Norris will still kick your ass.
  2. ssh... sendmail.. etc by stratjakt · Score: 0, Flamebait

    Cuz OSS is so secure an M$ is teh suck!

    --
    I don't need no instructions to know how to rock!!!!
  3. Re:Patch delivery mechanism by Vaginal+Discharge · Score: 1, Flamebait

    With all the bad things said about Windows, there is one thing you must give Microsoft credit for. When an exploit is made public, they already have the patch ready. This is unlike what Linux/Open source has, and I think it needs to be changed soon. Microsoft has a policy of encouraging private disclosure and has a top-notch response team. But the problem for them is that since so many people use their system and not everyone uses the auto update feature, having a patch out and getting that patch installed are two very different things.

    --
    "Glory is fleeting but obscurity is forever" - Napoleon Bonaparte.
  4. Not having sendmail is like not having VD by shoppa · Score: 0, Flamebait
    As the old saying goes...
    Not having sendmail is like not having VD
  5. anyone who still uses sendmail is fucking stupid by NynexNinja · Score: 0, Flamebait

    That guy Eric Allman purposely puts bugs in his code so he can write exploits and crack into machines. He's been doing it since the late 80's. We cracked his box years ago and found an unpublished exploit THAT HE WROTE for the current version of sendmail sitting in his home directory. Coincidence?

  6. Re:Patch delivery mechanism by mobets · Score: 0, Flamebait

    emerge sync && emerge -Up world

    look for anything that might be a problem

    emerge -U world

    wait a little while...
    long live gentoo

    --

    It was me, I did it, I moved your cheese
  7. Tinfoil hats for sale! by Bohiti · Score: 0, Flamebait

    I hate to suggest this (well, not really), but sometimes, the timing is too weird. A couple weeks after Microsoft starts taking a heavy bashing from security holes, the *n*x OS's get some exploits.

    Anyone think it's possible that Microsoft hired a few "consultants" to work full time looking for exploits in competing OS's? Regardless of the severity/exploitability of any exploits found, they make powerful bullets in the Microsoft PR gun.

  8. Re:Use qmail by blakestah · Score: 0, Flamebait

    You are wrong, qmail is not in the same class as proprietary software.

    Qmail comes free, with source, with the ability to modify the source and re-distribute the original package as source, and any patches you might have as separate patches.

    Debian packaging distributes qmail with a patch and a build script.

    Very nearly all the Free Software guidelines are met by the distribution of qmail. The one lacking is not a true freedom, but something that makes life easier, the ability to package binaries any way you like and re-distribute them.

    Besides, doncha just like to install something that works and not need to worry about it, like djbdns or qmail?