OpenBSD Security Announcement - new sendmail buffer overflow
A buffer overflow in address parsing due to char to int conversion
has been discovered in sendmail by Michal Zalewski.

For more information on the bug, please see:
    http://www.cert.org/advisories/CA-2003-12.html
    http://www.securityfocus.com/archive/1/316773/2003-03-28/2003-04-03/0
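
A generic illustration of the bug class named above, added here and not taken from sendmail or the OpenBSD patches: widening a signed char to int turns byte 0xFF into -1, which can collide with an in-band sentinel so that the byte escapes length accounting. The NO_PENDING sentinel, the function names and the sample string are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define NO_PENDING (-1)  /* assumed in-band sentinel: "no character pending" */

/* Widening as it happens when the character type is signed: byte 0xFF
 * sign-extends to -1 and is indistinguishable from NO_PENDING. */
static int widen_unsafe(signed char ch) { return ch; }

/* Hardened widening: go through unsigned char so every byte maps to 0..255. */
static int widen_safe(signed char ch) { return (unsigned char)ch; }

/* Walk the input the way a length-accounting parser would: every real byte
 * is counted against the output budget, NO_PENDING is skipped.
 * Returns how many input bytes were counted. */
static size_t bytes_accounted(const char *in, size_t len,
                              int (*widen)(signed char))
{
    size_t counted = 0;
    for (size_t i = 0; i < len; i++) {
        int c = widen((signed char)in[i]);
        if (c == NO_PENDING)
            continue;   /* mistaken for "nothing to store": not counted */
        counted++;
    }
    return counted;
}

/* Returns 1 if some input bytes escaped the accounting, 0 otherwise. */
static int accounting_desync(const char *in, size_t len,
                             int (*widen)(signed char))
{
    return bytes_accounted(in, len, widen) != len;
}

int main(void)
{
    /* Constructed sample: address-like string with two 0xFF bytes embedded. */
    const char sample[] = "user\xff@example\xff.org";
    size_t len = sizeof(sample) - 1;

    printf("input bytes: %zu\n", len);
    printf("unsafe: counted %zu, desync=%d\n",
           bytes_accounted(sample, len, widen_unsafe),
           accounting_desync(sample, len, widen_unsafe));
    printf("safe:   counted %zu, desync=%d\n",
           bytes_accounted(sample, len, widen_safe),
           accounting_desync(sample, len, widen_safe));
    return 0;
}
```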

As shipped, OpenBSD runs a sendmail that binds only to localhost,
making this a localhost-only hole in the default configuration.
However, any sendmail configuration that accepts incoming mail may
potentially be exploited.  It is worth noting that the ProPolice
stack protector (http://www.trl.ibm.com/projects/security/ssp/)
that will ship with OpenBSD 3.3 would have protected a system from
an attacker trying to exploit this bug.

The sendmail in OpenBSD-current (and OpenBSD 3.3) has been updated
to version 8.12.9 which includes a fix for this problem.
The 3.1 and 3.2 -stable branches have had a patch applied that fixes
the buffer overflow.  However, because the -stable branches have
the specific vulnerability patched (as opposed to the full 8.12.9
distribution), sendmail on -stable will report the old sendmail version.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/027_sendmail.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/014_sendmail.patch

Patches for older versions of sendmail may be found at
ftp://ftp.sendmail.org/pub/sendmail/




Copyright 1998-2014 by Help Net Security.