linux, säkerhet

7268558 2001-10-10 09:05 -0600  /96 rader/ Support Info <supinfo@caldera.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-10-10  18:12  av Brevbäraren
Extern mottagare: announce@lists.caldera.com
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: linux-security@redhat.com
Extern mottagare: linuxlist@securityportal.com
Mottagare: Bugtraq (import) <19403>
Ärende: Security Update: [CSSA-2001-34.0] Linux: sendmail queue run privilege problem
------------------------------------------------------------
From: Support Info <supinfo@caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
 linux-security@redhat.com, linuxlist@securityportal.com
Message-ID: <20011010090548.A5526@phoenix.calderasystems.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - sendmail queue run privilege problem
Advisory number: 	CSSA-2001-034.0
Issue date: 		2001, October 05
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a permission problem in the default setup of sendmail in
   all OpenLinux versions, which allows a local attacker to cause a
   denial of service attack effectively stopping delivery of all
   mails from the current system.

   This vulnerability also allows a local attacker to read the full
   headers of all mails in the mail queue.


2. Vulnerable Versions

   All sendmail versions on currently supported OpenLinux product are
   vulnerable.


3. Solution

   There are no fixed packages available.

   Workaround:

    OpenLinux 2.3, OpenLinux eServer 2.3.1 and OpenLinux eDesktop 2.4:

	In /etc/sendmail.cf, change the line:

	  O PrivacyOptions=authwarnings

	to read:

	  O PrivacyOptions=authwarnings,restrictqrun


    OpenLinux Workstation and Server 3.1:

	In /etc/mail/sendmail.cf, change the line:

	  O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb

	to read:

	  O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb,restrictqrun


4. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10576.


5. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through
   our security advisories. Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera OpenLinux.


11. Acknowledgements

   Caldera International wishes to thank Michal Zalewski for pointing
   out this problem.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7vXbB18sy83A/qfwRAogdAKCo3+7TxdXQjpcUlju+AH2nGZP/+QCdFj7m
S3lXcUgF2b2ihvDBYKco6x8=
=zQ4+
-----END PGP SIGNATURE-----
(7268558) /Support Info <supinfo@caldera.com>/(Ombruten)