US-CERT Technical Cyber Security Alert TA06-081A -- Sendmail Race Condition Vulnerability (fwd)

Michal Jaegermann michal at harddata.com
Wed Mar 22 23:47:27 UTC 2006


On Wed, Mar 22, 2006 at 10:29:27AM -0800, Kenneth Porter wrote:
> Main alert page: <http://www.kb.cert.org/vuls/id/834865>
> 
> Fedora details: <http://www.kb.cert.org/vuls/id/MIMG-6MPU9N>
> 
> From the summary:
> 
>   A race condition in Sendmail may allow a remote attacker to execute
>   arbitrary code.
> 
> For those of us accepting mail from outside on pre-FC4 Fedora, are any 
> updates in the pipe to address this?

It sounds like this is an issue with some urgency.  FC3 is using
sendmail-8.13.1-2 and a patch sendmail-8.13.1-VU#834865.patch, which
you can find in sendmail-8.13.1-3.RHEL4.3.src.rpm, applies to this
source without any modifications.  Not a very big surprise.  So it
is enough to rebuild a corresponding rpm with this patch and you
should be fine.

How this works for earlier versions I do not know.  There is also
sendmail-8.12.11-4.RHEL3.4.src.rpm in RHEL updates and it should be
possible to "recycle" that patch as well.

   Michal




More information about the fedora-legacy-list mailing list