Another Sendmail security hole

Posted: 1-Apr-2006 12:55

Yesterday, a security announcement from OpenBSD appeared in my inbox:

A race condition exists in sendmail's handling of asynchronous signals.
A remote attacker may be able to execute arbitrary source code with the
privileges of the user running sendmail, typically root.

Ugh. Luckily, I don't expose Sendmail to the Internet. Exim is my favourite Mail Transfer Agent, and has been for a long while now, and I can thoroughly recommend it over Sendmail. Postfix is also good.

I see that FreeBSD had a Security Advisory out on the Sendmail race condition by March 22 already.
Wonder why OpenBSD, which is so security-oriented, took so long to send out theirs? Also, does this count as the second remotely exploitable security hole in OpenBSD's default installation...?

Either way, if you have Sendmail running anywhere, it's time to patch. Or, you could just install Exim instead. :)

Content copyright © Juha Saarinen. If you wish to use the content of my blog on your site, please contact me for details. I'm usually happy to share my material as long as it's not for spamblogs and content farms. Please attribute with a link back to this blog. If you wish to advertise on my blog, please drop me an email to discuss the details.