lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 29 Mar 2003 12:55:54 -0800
From: Dan Harkless <bugtraq@...kless.org>
To: bugtraq@...urityfocus.com
Subject: Re: sendmail 8.12.9 available



Claus Assmann <ca+announce@...dmail.org> writes:
> We apologize for releasing this information today (2003-03-29) but
> we were forced to do so by an e-mail on a public mailing list (that
> has been sent by an irresponsible individual) which contains
> information about the security flaw.
[...]
>       SECURITY: Fix a buffer overflow in address parsing due to
>               a char to int conversion problem which is potentially
>               remotely exploitable.  Problem found by Michal Zalewski.
>               Note: an MTA that is not patched might be vulnerable to
>               data that it receives from untrusted sources, which
>               includes DNS.

Since this was publically disclosed before a patch was available, I'm sure a
lot of people would be interested in knowing whether attempts to exploit
this are detectable in the syslog in sendmail's default configuration.

--
Dan Harkless
bugtraq@...kless.org
http://harkless.org/dan/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ