TulipTools Internet Business Owners and Online Sellers Community

Full Version: Email Servers Threatened by Sendmail Vulnerability
Quote: A significant vulnerability has been discovered in the Sendmail open-source e-mail application that could allow attackers to take over control of any devices running the affected software.

The flaw, first reported by security researchers at Atlanta-based Internet Security Systems, is present in Sendmail's e-mail server software and could be exploited by someone sending malicious data to a computer running the software at specific time intervals, ISS said.

If exploited in such a manner by an outsider, the flaw could allow the attacker to corrupt the application's memory and gain control of the device.


full article: http://www.eweek.com/article2/0,1895,1941865,00.asp

From Sendmail:

Quote: Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.13.6. It contains a fix for a security problem discovered by Mark Dowd of ISS X-Force. Sendmail thanks ISS for bringing this problem to our attention and reviewing the patch for it. sendmail 8.13.6 also includes fixes for other potential problems, see the release notes below for more details. Sendmail urges all users to upgrade to sendmail 8.13.6. If this is not possible, patches for 8.13 (PGP signature) and 8.12 (PGP signature) are available at our FTP site. However, note that those patches do not (cleanly) apply to versions other than 8.13.5 and 8.12.11, respectively, because the patch for sendmail/version.c will fail, but that can be ignored. Moreover, these patches may not even work with older versions as there have been other changes before. Nevertheless, the patches can be used as a stop-gap measure before eventually upgrading to 8.13.6.

There are no patches for versions before 8.12 because those outdated versions use a different I/O layer and hence it would require a major effort to rewrite that layer.

full announcement and downloads of Sendmail: http://www.sendmail.org/8.13.6.html