Sendmail Hit by Data Interception Flaw
ricepudd writes "Computer Weekly reports that Internet security researchers have discovered a serious flaw in Sendmail. The flaw could allow remote attackers to take control of users' PCs. The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix to the problem. Computer Weekly seems to think that the fact that the Windows version isn't affected will help curtail the threat."
I ignored posts like this for years, figuring it was like the Linux vs. BSD debates -- just a bunch of zealots. I was wrong.
Years after I mastered mc files and learned the magic of m4, back around 2002, I succumbed to /. peer pressure and switched to Postfix. It's just like Sendmail, only it doesn't suck. I didn't know Sendmail sucked until I used Postfix. It's easy, it's secure, and my servers haven't once been 0wn3d because of the ubiquitous MTA flaws of Sendmail.
Some day I'll try Qmail. Baby steps.
-Waldo Jaquith
Basically Sendmail was written in the age when moving mail from place A to B actually was difficult
No. Sendmail was written when moving mail was easy- they just thought it was going to get harder so they overengineered it.
The whole message rewriting header/scrambling thing has NEVER been needed to transfer to/from uucp hosts, the 7bit fantasy network, or other messaging networks- it was ALWAYS performed in the gateways to those other networks.
Source routes should never have existed- There should never have been a reason why the person sending the message might know more about the messaging server than the server itself.
There's no reason a user should ever send mail to a program- users only ever sent mail to addresses, and by exposing programs as "a special kind of address" - they made it possible to yes, use UUCP without the mail administrators' permission, but they also opened the whole slew of bugs in sendmail that popularized the mid '90s.
Sendmail _never_ had to be this complicated. They did it this way because of equal parts stupidity and hubris, and pretending it was anything else means it'll happen again (see IPV6 for more details).
By the way, I've had zero difficulty getting qmail- which itself doesn't understand how to send mail over uucp, Fido or Citnet, to actually transfer mail bidirectionally with all of these networks. Love or hate qmail, if the naive mailbox-to-user approach was good enough for all these networks, it would've worked for sendmail.