Slashdot Mirror
Buffer Overflow in Sendmail
ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
Yesterday was the day of openssh, and today for sendmail (whats next? bind? apache?). More than the usual rant about using alternatives like postfix/qmail/exim/etc instead of sendmail, I see that as a positive thing, could be a signal that more testing, auditing, and usage is being done, and by the open source nature of those tools, that this kind of things will be fixed or the programs will evolve to avoid this kind of things with (really) safer practices.
It's a paradox that people who are so paranoid when it comes to security (there are no proof of concept remote exploits for either of these holes), would download patches from where ever and who ever.
Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them. Maybe I shouldn't give people ideas.
How small a thought it takes to fill a whole life
I'm not sure that "insecure by design" is quite fair to the hard-working folks who developed this near-ubiquitous MTA.
A fairer assessment is that, when sendmail was designed, security was not as big an issue as it has become today. And in their defense, they do seem quite good about notifying people when vunerabilities arise and releasing fixes as quickly as possible.
That being said, sendmail is a pain in the ass. You have to remember that when sendmail was developed, there were many different mail protocols (besides SMTP), and sendmail had to support all of them -- this is why sendmail config files are so darned complex and unreadable. The vast majority of those have faded into obscurity, so subsequent products, like Postfix, can be much simpler and less complex and, thus, more likely to be secure. For a long time, sendmail was the only choice for a real MTA, but I think Postfix has proven itself a worthy successor.
You mean when Microsoft publicly discloses the exploit, usually weeks after it was first reported across the Internet?
I'm a happy postfix user myself, but it should be noted for fairness reasons that the last postfix-related advisories are about two weeks old... Face it, some software may be better than others, but no matter what you are running, you'll always have to keep your systems up to date. Looking down on others because the software they run is oh so insecure and yours is perfect is the first step to being rooted.
Programming can be fun again. Film at 11.
Actually it is secure, depending on your needs.
I need a mail server for non-sensitive e-mails. If someone roots Hotmail's server, I couldn't care less about it. If someone roots my server, then it's a whole different matter. I also use it to prevent handing out my real email address to the myriad of sites that require e-mail registration and for usenet postings.
So yes, in my case Hotmail is a very secure solution.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit