Date: Wed, 22 Jan 1997 09:33:30 -0700
From: Dave Andersen <angio@aros.net>
To: Eivind Eklund <eivind@dimaga.com>
Cc: Jaye Mathisen <mrcpu@cdsnet.net>, hackers@FreeBSD.org
Subject: Re: FWIW
Message-ID: <199701221633.JAA14250@fluffy.aros.net>
In-Reply-To: Your message of "Wed, 22 Jan 1997 12:31:46 +0100." <3.0.32.19970122123145.00b69350@dimaga.com>

> From: Eivind Eklund <eivind@dimaga.com>
>
> At 01:55 PM 1/21/97 -0800, Jaye Mathisen wrote:
> >
> >8.8.5 of sendmail is out, apparently fixing some nasty security bug in
> >8.8.3 and 8.8.4. Since 8.8.4 is in the tree, we should upgrade ASAP.
>
> The security bug is reasonably minor; it is a question of not giving up
> group rights in some cases. The problem has been present quite a while (if
> it is the problem the description made it sound like), since 8.7.0 or
> something.
>
> (Not that we shouldn't fix it, but I'm not too concerned about it. Since
> you are concerned, perhaps you should upgrade the port? :)

You should be. :) Sendmail 8.8.5 fixes a remotely exploitable buffer
overflow that (you guessed it) can let an outsider have root access to
your system. A local account is not required to take advantage of this hole.

(If you haven't upgraded to 8.8.5 yet, you should. Don't bother waiting
for it to make it in to the tree. Sendmail 8.8.5 is available from
ftp.sendmail.org and ftp.cert.org).

-Dave