|
|
Log in / Subscribe / Register

A serious sendmail security hole

[Posted March 22, 2006 by corbet]

It's been a while since we had a good sendmail vulnerability...but we need wait no longer. Sendmail 8.13.6 has just been released in response to a security issue which could lead to a remote root exploit. This looks like a good one to fix in a hurry. Distributor updates have been seen so far from:


to post comments

A serious sendmail security hole

Posted Mar 22, 2006 20:10 UTC (Wed) by dberkholz (guest, #23346) [Link] (3 responses)

Also Gentoo.

A serious sendmail security hole

Posted Mar 22, 2006 20:14 UTC (Wed) by mattdm (subscriber, #18) [Link] (2 responses)

Also Fedora Core 4 and 5.

A serious sendmail security hole

Posted Mar 23, 2006 18:07 UTC (Thu) by kmccarty (subscriber, #12085) [Link]

Also Debian.

A serious sendmail security hole

Posted Mar 31, 2006 9:06 UTC (Fri) by barrygould (guest, #4774) [Link]

Also Fedora Legacy.

also ALT Linux, but...

Posted Mar 22, 2006 20:36 UTC (Wed) by gvy (guest, #11981) [Link] (15 responses)

...by default it comes with Postfix and Exim is also in the repository.
So why use Sendmail?

also ALT Linux, but...

Posted Mar 22, 2006 20:52 UTC (Wed) by dmantione (guest, #4640) [Link] (14 responses)

Because it can do anything. I've used multiple MTA's; none has the
flexibility of Sendmail.

also ALT Linux, but...

Posted Mar 22, 2006 21:11 UTC (Wed) by gvy (guest, #11981) [Link] (6 responses)

Anything but security is nice indeed.

also ALT Linux, but...

Posted Mar 22, 2006 21:25 UTC (Wed) by TwoTimeGrime (guest, #11688) [Link] (5 responses)

Nice troll, but Sendmail has been quite secure for some time now. Maybe 10 years ago it was a mess of security holes but the Sendmail folks have learned their lesson. Sendmail is very secure. Everything has a hole appear everyone once in a while. Postfix is not a SMTP panacea.

Security in Sendmail vs. Postfix (or qmail or probably exim)

Posted Mar 22, 2006 21:36 UTC (Wed) by rfunk (subscriber, #4054) [Link] (2 responses)

Two words: remote root.

Security in Sendmail vs. Postfix (or qmail or probably exim)

Posted Mar 24, 2006 17:27 UTC (Fri) by TwoTimeGrime (guest, #11688) [Link] (1 responses)

The Linux kernel has had remote root bugs too. Should we all abandon it in favor of something else?

Security in Sendmail vs. Postfix (or qmail or probably exim)

Posted Mar 24, 2006 17:43 UTC (Fri) by rfunk (subscriber, #4054) [Link]

Possibly.

But when was the last time a remote root hole was discovered in the Linux kernel? How many have there been in "modern times" (say, since 2000)?

And can you provide a link to a remote-root Linux kernel hole? I'm aware of local-root and remote-DoS holes, but no remote-root holes.

also ALT Linux, but...

Posted Mar 22, 2006 23:12 UTC (Wed) by bastiaan (guest, #5170) [Link]

Maybe 10 years ago it was a mess of security holes but the Sendmail folks have learned their lesson.

They have learnt their lessons indeed. That's why they ditched the monolithic spaghetti hell of Sendmail 8 and are writing Sendmail X from scratch! Anyone who has taken a look at the horrible crufty source code of Sendmail 8 knows it's not maintainable anymore. It has constructs like macros that contain return statements, functions that go on for pages and pages, all kinds of if-else statements for obsolete configuration file verions, etc.... yuk!

also ALT Linux, but...

Posted Mar 29, 2006 17:10 UTC (Wed) by erwbgy (subscriber, #4104) [Link]

Sendmail is very secure.

Care to bet $1000 on that statement?

Everything has a hole appear everyone once in a while.

Not true.

What can you do with sendmail what other MTAs can't?

Posted Mar 22, 2006 22:26 UTC (Wed) by jeroen (guest, #12372) [Link] (3 responses)

What can you do with sendmail what other MTAs can't? Knowing the things you can do with exim, I'm seriously wondering what else you might want to do with an MTA.

What can you do with sendmail what other MTAs can't?

Posted Mar 22, 2006 22:38 UTC (Wed) by xorbe (guest, #3165) [Link]

Remote server management. ;-)

What can you do with sendmail what other MTAs can't?

Posted Mar 23, 2006 1:22 UTC (Thu) by dskoll (subscriber, #1630) [Link] (1 responses)

Milter. It's Sendmail's killer feature, in my opinion.

What can you do with sendmail what other MTAs can't?

Posted Mar 23, 2006 2:19 UTC (Thu) by busterb (subscriber, #560) [Link]

Wow, sendmail can fertilize fish eggs? That _is_ uncommon for an MTA!

also ALT Linux, but...

Posted Mar 22, 2006 23:17 UTC (Wed) by jgarzik (guest, #8364) [Link] (2 responses)

IMO exim has MORE flexibility than sendmail, due to its superior database lookup abilities... with less of the security problems than sendmail.

also ALT Linux, but...

Posted Mar 23, 2006 14:46 UTC (Thu) by dmantione (guest, #4640) [Link] (1 responses)

In order to support things like Spam filtering packages and virus
scanners, Exim got new versions.

Sendmail not, it could flawlessly interact with all new tools.

also ALT Linux, but...

Posted Mar 23, 2006 20:13 UTC (Thu) by beoba (guest, #16942) [Link]

This seems analogous to saying that Windows is superior because new ATi cards work with it immediately upon release.

A serious sendmail security hole

Posted Mar 23, 2006 8:58 UTC (Thu) by mjcox@redhat.com (guest, #31775) [Link] (1 responses)

FWIW, for all Red Hat Enterprise Linux (so from 20020517 to date) this is the first sendmail vulnerability needing to be fixed....

Vulnerabilities fixed in sendmail: 1 critical
Vulnerabilities fixed in postfix: 1 low
Vulnerabilities fixed in exim: 3 moderate

The data isn't for comparison (only version 4 shipped exim, so it has a shorter date range), but recently there are not as many vulnerabilities in MTAs as people think.

Not many, but look at severity

Posted Mar 23, 2006 16:50 UTC (Thu) by rfunk (subscriber, #4054) [Link]

I agree that there aren't many vulnerabilities in any MTAs these days. But it only takes one remote root to ruin your week.

Vulnerabilities fixed in sendmail: 1 critical Vulnerabilities fixed in postfix: 1 low

It's striking to me that even after sendmail fixed some architecture problems with 8.12, there have been multiple remote root holes discovered, while the better-architected postfix and qmail have never had any remote root holes discovered in that same amount of time -- or ever, to my knowledge.

Vulnerabilities fixed in exim: 3 moderate

Meanwhile, exim gets by with an architecture similar to sendmail's, but starts with better code, and the results seem to show the compromise.


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds