Message-ID: <200303051200.h25C0NoX028477@koibito.iisc.com>
Date: Wed, 05 Mar 2003 07:00:22 -0500
From: "Charles M. Richmond" <cmr@...c.com>
To: bugtraq@...urityfocus.com
Subject: Re: SA-03:04.sendmail Bin Update
The following exchange covers a method of upgrading the sendmail
binaries while postponing redoing the CFs. If you have a bunch
of systems with varying configs then it might be a useful way
of getting the security fix in place with your old CFs.
It will also allow you to test the install of the new binaries
without impacting current incoming email. I found some permissions
problems related to an incorrectly done smmsp group that would
have been a real problem if I had done the restart of sendmail
without doing the checks.
****************** Names removed ******************
>>Depends on how old. I was able to get it to work with an 8.9.0
>>sendmail.cf file with no problem. That let me get the binaries
>>in place quickly and then play with a new config with extra
>>features. You will get a warning:
>But was it really working?
>I know that on at least some of the machines I'll be upgrading, things
>like DNSBLs are handled much differently than in the latest versions,
>both in the .mc and in the .cf.
I am using access list for IP, domain, host, and user@, rejection.
That is working perfectly. I was not using DNSBLs because I prefer
my own tailoring and prejudices :) So I can verify that many anti-SPAM
features work fine, but I cannot verify DNSBL.
The 'test' that I did will work for you also. Do the make and make
install but do not kill -HUP the sendmail that is running and do
not restart the sendmail. Now your incoming mail is still being
handled by the old sendmail but you can test the features of the
new sendmail by doing:

    $ sendmail known@...bled.address
    some text
    ^d

This will attempt to send mail to a blocked address and should fail.
Also run 'mailq' and 'newaliases' and verify the operation. If it works
then it is safe to 'kill -HUP' or restart sendmail and work out new
mc/cf files at your leisure. At least you will have the new binaries
in place and that is critical.
Of course you could just patch your 8.9.3 binary. The instructions
are on the sendmail server:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch
Charles
ZX-6R
***********************************************************************
* Charles Richmond Implemented Integrated Systems Corporation *
* cmr@...c.com cmr@....org YIM:cmriisc http://www.iisc.com *
* O/S I18N Systems Development Process and Integration Providers *
* 131 Bishop's Forest Drive , Waltham , Ma. USA 02452 *
* (781) 647 2246 FAX (781) 647 3665 Cellular (781) 389 9777 *
***********************************************************************
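
An added example, not part of the original post: a read-only check of the smmsp-related group and modes, to run after `make install` and before the restart the post tells you to postpone. The default paths, the group name and the expected mode strings are assumptions taken from the stock sendmail 8.12 layout; override them for your build.

```shell
#!/bin/sh
# Added example (not from the original post). Checks, without changing
# anything, that the freshly installed binary and the client queue carry
# the group and mode a set-group-ID mail submission program needs.

# check_path PATH PERMS GROUP: compare the `ls -ld` mode string and group.
check_path() {
    actual=$(ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10) " " $4}')
    if [ "$actual" = "$2 $3" ]; then
        echo "ok    $1 ($actual)"
        return 0
    fi
    echo "FAIL  $1: have '${actual:-missing}', want '$2 $3'"
    return 1
}

# preflight BINARY CLIENT_QUEUE_DIR GROUP: returns 0 only if both checks pass.
preflight() {
    rc=0
    check_path "$1" "-r-xr-sr-x" "$3" || rc=1   # set-group-ID, not set-user-ID
    check_path "$2" "drwxrwx---" "$3" || rc=1   # group-writable, closed to others
    return "$rc"
}

# Assumed defaults (override via environment); pass --run to check the live system.
if [ "${1:-}" = "--run" ]; then
    preflight "${SENDMAIL_BIN:-/usr/sbin/sendmail}" \
              "${CLIENT_QUEUE:-/var/spool/clientmqueue}" \
              "${MSP_GROUP:-smmsp}"
fi
```

A non-zero exit means the restart should wait until the reported path is fixed.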