Date: Sun, 21 Sep 2003 15:05:34 +1200 (NZST)
From: Andrew McNaughton
To: "Andrej (Andy) Brodnik"
cc: freebsd-security@freebsd.org
Subject: Re: Sendmail vulnerability
Message-ID: <20030921145659.B56005@a2.scoop.co.nz>
In-Reply-To: <20030920072008.GK7655@Svarun.Gotska.IJP.SI>
References: <20030917162118.GB4838@madman.celabo.org> <20030918161314.J29876@a2.scoop.co.nz> <20030920072008.GK7655@Svarun.Gotska.IJP.SI>

On Sat, 20 Sep 2003, Andrej (Andy) Brodnik wrote:

> Date: Sat, 20 Sep 2003 09:20:08 +0200
> From: "Andrej (Andy) Brodnik"
> To: Andrew McNaughton
> Cc: freebsd-security@freebsd.org
> Subject: Re: Sendmail vulnerability
>
> On Thu, Sep 18, 2003 at 04:17:07PM +1200, Andrew McNaughton wrote:
> >
> > I've been using sendmail from ports for some time. I just upgraded
> > to sendmail 8.12.10 by changing the version number in the makefile,
> > then doing `make makesum build deinstall reinstall`.
> >
> > Everything built cleanly, started up ok, accepted a delivery and
> > generally looks oK so far an outgoiand looks ok so far.
>
> And this is OK? I mean does this remove the security problem?

I haven't tested vulnerability directly, but 8.12.10 was brought out after
the exploit was reported in order to address the security issue.

Since my message to the list, the sendmail port has been updated in the
FreeBSD CVS repository in precisely the same way I did it. The CVS update
has the message:

    Security update to 8.12.10

    Approved by: marcus (portmgr)

You could always check the new sendmail sources yourself.

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If
irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton           Currently in Boomer Bay, Tasmania
andrew@scoop.co.nz
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc
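
An added example, not part of the thread or of the FreeBSD port: a shell check that the version a sendmail binary reports is at least 8.12.10, the release the messages above name as the security update. It assumes the "Version x.y.z" banner that `sendmail -d0.1 -bv root` prints; the function names and sample banners are constructed for illustration. It confirms the reported release only and does not test for the vulnerability itself.

```shell
#!/bin/sh
# Added example: is the reported sendmail version at or above the fixed one?
FIXED="8.12.10"   # release named in the thread as the security update

# Read banner text on stdin and print the dotted version from the
# "Version 8.12.10" line (assumed banner format of `sendmail -d0.1`).
parse_version() {
    sed -n 's/^[[:space:]]*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2. Fields are compared numerically,
# because a string compare would rank 8.12.9 above 8.12.10.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# Read a banner on stdin. Returns 0 = at or above FIXED, 1 = older,
# 2 = no version line found (wrong binary or unexpected output).
check_banner() {
    v=$(parse_version)
    if [ -z "$v" ]; then
        echo "no version banner found"
        return 2
    fi
    if version_ge "$v" "$FIXED"; then
        echo "sendmail $v: at or above $FIXED"
    else
        echo "sendmail $v: older than $FIXED, update still needed"
        return 1
    fi
}

# Constructed sample banners (not captured from a real host).
printf 'Version 8.12.9\n Compiled with: DNSMAP LOG\n' | check_banner || true
printf 'Version 8.12.10\n Compiled with: DNSMAP LOG\n' | check_banner
# On a real host, against the binary the MTA actually starts:
#   sendmail -d0.1 -bv root 2>&1 | check_banner
```

After a deinstall/reinstall like the one described, run the check against the binary the mail system actually executes, since a stale copy elsewhere on the system would still report the old version.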