[STBR/security] sendmail
Michał J. Podyma
misiek at r-h.pl
Sat, 29 Mar 2003, 20:54:27 CET
ehlo!
Can someone send sendmail to the builders??
BUGZ(bugtraq):
SECURITY: Fix a buffer overflow in address parsing due to
a char to int conversion problem which is potentially
remotely exploitable. Problem found by Michal Zalewski.
Note: an MTA that is not patched might be vulnerable to
data that it receives from untrusted sources, which
includes DNS.
To provide partial protection to internal, unpatched sendmail MTAs,
8.12.9 changes by default (char)0xff to (char)0x7f in
headers etc. To turn off this conversion compile with
-DALLOW_255 or use the command line option -d82.101.
To provide partial protection for internal, unpatched MTAs that may be
performing 7->8 or 8->7 bit MIME conversions, the default
for MaxMimeHeaderLength has been changed to 2048/1024.
Note: this does have a performance impact, and it only
protects against frontal attacks from the outside.
To disable the checks and return to pre-8.12.9 defaults,
set MaxMimeHeaderLength to 0/0.
--
Michał J. Podyma <michalp at r-h.pl> <michalp at cna.us.edu.pl>
SySadmin @ R - H . PL [ http://f.com.pl ]
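
Added example, not part of the original post and not sendmail's source: a minimal C illustration of the char to int conversion problem class named in the release notes, and of the 0xff to 0x7f rewrite that 8.12.9 applies by default. The sentinel `NO_CHAR`, the function names and the sample header are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define NO_CHAR (-1) /* hypothetical "no character yet" sentinel (assumption) */

/* Widen a byte as plain `char` does on platforms where char is signed.
 * 0xff -> -1 on mainstream two's-complement compilers. */
static int widen_signed(unsigned char b) { return (int)(signed char)b; }

/* Widen through unsigned char: 0xff stays 255 and cannot equal NO_CHAR. */
static int widen_unsigned(unsigned char b) { return (int)b; }

/* Count input bytes that become indistinguishable from the sentinel. */
size_t sentinel_collisions(const unsigned char *buf, size_t len,
                           int (*widen)(unsigned char))
{
    size_t i, hits = 0;
    for (i = 0; i < len; i++)
        if (widen(buf[i]) == NO_CHAR)
            hits++;
    return hits;
}

/* Same rewrite the 8.12.9 notes describe: 0xff becomes 0x7f.
 * Returns how many bytes were changed. */
size_t strip_255(unsigned char *buf, size_t len)
{
    size_t i, changed = 0;
    for (i = 0; i < len; i++)
        if (buf[i] == 0xff) {
            buf[i] = 0x7f;
            changed++;
        }
    return changed;
}

int main(void)
{
    /* Constructed sample header with one 0xff byte (octal \377). */
    unsigned char hdr[] = "To: <user\377name@example.org>";
    size_t n = sizeof hdr - 1;

    printf("signed widening:   %zu collision(s)\n", sentinel_collisions(hdr, n, widen_signed));
    printf("unsigned widening: %zu collision(s)\n", sentinel_collisions(hdr, n, widen_unsigned));
    printf("rewritten bytes:   %zu\n", strip_255(hdr, n));
    printf("after rewrite:     %zu collision(s)\n", sentinel_collisions(hdr, n, widen_signed));
    return 0;
}
```

The rewrite removes the colliding byte before it reaches a parser, which is why the notes call it partial protection for unpatched MTAs behind the upgraded one.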