From: "Joe Barr" 

On Mon, 03 Mar 2003 13:49:31 +0000, Geo. wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Internet Security Systems Security Brief March 3, 2002
> Remote Sendmail Header Processing Vulnerability Synopsis:
> ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail
> Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been
> documented to handle between 50% and 75% of all Internet email traffic.
> Impact:
> Attackers may remotely exploit this vulnerability to gain "root" or
> superuser
> control of any vulnerable Sendmail server. Sendmail and all other email
> servers are typically exposed to the Internet in order to send and receive
> Internet email. Vulnerable Sendmail servers will not be protected by
> legacy security devices such as firewalls and/or packet filters. This
> vulnerability is especially dangerous because the exploit can be delivered
> within an email message and the attacker doesn't need any specific
> knowledge of the target to
> launch a successful attack.
> Affected Versions:
> Sendmail versions from 5.79 to 8.12.7 are vulnerable Note: The affected
> versions of Sendmail commercial, Sendmail open source running on all
> platforms are known to be vulnerable. For the complete ISS X-Force
> Security Advisory, please visit:
> http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950 ______
> About Internet Security Systems (ISS) Founded in 1994, Internet Security
> Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and
> services that protect critical online resources from an ever-changing
> spectrum of threats and misuse. Internet Security Systems is headquartered
> in Atlanta, GA, with additional operations throughout the Americas, Asia,
> Australia, Europe and the Middle East.
> Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
> worldwide.
> Permission is hereby granted for the electronic redistribution of this
> document. It is not to be edited or altered in any way without the express
> written consent of the Internet Security Systems X-Force. If you wish to
> reprint the whole or any part of this document in any other medium
> excluding electronic media, please email xforce{at}iss.net for permission.
> Disclaimer: The information within this paper may change without notice.
> Use of this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the user's
> risk. In no event shall the author/distributor (Internet Security Systems
> X-Force) be held liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. X-Force PGP Key
> available on MIT's PGP key server and PGP.com's key server, as well as at
> http://www.iss.net/security_center/sensitive.php Please send suggestions,
> updates, and comments to: X-Force xforce{at}iss.net of Internet Security
> Systems, Inc. -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> iQCVAwUBPmOIRDRfJiV99eG9AQGOoAQAsW+F+O6i+tsKs6MCyUcBhZ1J83VgGcRU
> /qSQD68RlVBBD7+MDmjdr+eewu3a2wOAeBxFKRne3F/xijoqx6BV70iR5hwcZ1ZE
> RqyoluWYvkBOPnPvkoufTjuQvEWwTgZsf98JnjGbn/kIHPD2CUnz86CTEVSvJvlT
> wacUckcEhiA=
> =HFwX
> -----END PGP SIGNATURE-----


Amazing, isn't it?  That vulnerability has been in the code for 15 years
and as far as anyone knows, it has never been exploited.  And now it's
fixed.  The open source business really works.


--

--- BBBS/NT v4.01 Flag-4