OpenBSD Information for VU#993452
| Date Notified | |
| Date Modified | 12/30/2003 05:33:13 PM |
| Status Summary | Vulnerable |
Vendor Statement

Please see the vendor statement for VU#993452 at:
http://www.openbsd.org/errata32.html#sendmail3

US-CERT Addendum

Text of statement for VU#993452 follows:

There is a potential problem in the sendmail 8.12 series with respect
to DNS maps in sendmail 8.12.8 and earlier sendmail 8.12.x versions.
The bug did not exist in versions before 8.12 as the DNS map type
is new to 8.12. The bug was fixed in 8.12.9, released March 29,
2003 but not labeled as a security fix as it wasn't believed to be
a security bug at the time. Note that only FEATURE(`enhdnsbl')
uses a DNS map. We do not have an assessment whether this problem
is exploitable but we want to inform you just in case you distribute
sendmail 8.12.x versions before 8.12.9.

OpenBSD 3.2 shipped with sendmail 8.12.8 and thus has the bug.
OpenBSD 3.3 shipped with sendmail 8.12.9 and does *not* have the bug.
The problem has been fixed in the OpenBSD 3.2-stable branch.
In addition, a patch is available for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch

Please note that this only affects sendmail configurations that use
the "enhdnsbl" feature. The default OpenBSD sendmail config does
*not* use this. Unless you have created a custom config that uses
enhdnsbl, you do not need to apply the patch or update sendmail.
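
The two conditions in the statement above (a sendmail 8.12.x version before 8.12.9, and a configuration that enables enhdnsbl) can be checked mechanically. The script below is an added example, not part of the OpenBSD or US-CERT text; the function names, the sample .mc files and the dnsbl.example.org zone are constructed for illustration, and it assumes the caller supplies the sendmail version string and the m4 source (.mc) of the running configuration.

```shell
#!/bin/sh
# Added example: assumes the version string and the .mc path are supplied by the caller.

# True (0) for 8.12.x releases earlier than 8.12.9.
version_affected() {
    case "$1" in
        8.12.*) ;;
        *) return 1 ;;
    esac
    patch=${1#8.12.}
    patch=${patch%%[!0-9]*}          # keep only the leading digits
    [ -n "$patch" ] && [ "$patch" -lt 9 ]
}

# True (0) if the .mc file enables enhdnsbl on a line that is not commented out.
mc_uses_enhdnsbl() {
    grep -v -E '^[[:space:]]*(dnl|#)' "$1" | grep -q -E 'FEATURE\(`?enhdnsbl'
}

# Combine both conditions into a one-line verdict.
assess() {
    if ! version_affected "$1"; then
        echo "not affected: sendmail $1 is outside 8.12.0-8.12.8"
    elif ! mc_uses_enhdnsbl "$2"; then
        echo "not affected: enhdnsbl is not enabled in $2"
    else
        echo "affected: sendmail $1 with enhdnsbl enabled; patch or update"
    fi
}

# Constructed sample configurations (not real OpenBSD files).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/default.mc" <<'EOF'
OSTYPE(openbsd)dnl
dnl FEATURE(`enhdnsbl', `dnsbl.example.org')dnl
MAILER(local)dnl
EOF
cat > "$SAMPLES/custom.mc" <<'EOF'
OSTYPE(openbsd)dnl
FEATURE(`enhdnsbl', `dnsbl.example.org')dnl
MAILER(local)dnl
EOF

assess 8.12.8 "$SAMPLES/custom.mc"
assess 8.12.8 "$SAMPLES/default.mc"
assess 8.12.9 "$SAMPLES/custom.mc"
```

The version check only looks at the version string, so it cannot tell whether the OpenBSD 3.2 patch has already been applied; confirm patch status separately on a host reported as affected.
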

If you have feedback, comments, or additional information about this vulnerability, please send us email.