Support Info
2001-Oct-10 15:05 UTC
Security Update: [CSSA-2001-34.0] Linux: sendmail queue run privilege problem
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Linux - sendmail queue run privilege problem Advisory number: CSSA-2001-034.0 Issue date: 2001, October 05 Cross reference: ______________________________________________________________________________ 1. Problem Description There is a permission problem in the default setup of sendmail in all OpenLinux versions, which allows a local attacker to cause a denial of service attack effectively stopping delivery of all mails from the current system. This vulnerability also allows a local attacker to read the full headers of all mails in the mail queue. 2. Vulnerable Versions All sendmail versions on currently supported OpenLinux product are vulnerable. 3. Solution There are no fixed packages available. Workaround: OpenLinux 2.3, OpenLinux eServer 2.3.1 and OpenLinux eDesktop 2.4: In /etc/sendmail.cf, change the line: O PrivacyOptions=authwarnings to read: O PrivacyOptions=authwarnings,restrictqrun OpenLinux Workstation and Server 3.1: In /etc/mail/sendmail.cf, change the line: O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb to read: O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb,restrictqrun 4. References This and other Caldera security resources are located at: http://www.caldera.com/support/security/index.html This security fix closes Caldera's internal Problem Report 10576. 5. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux. 11. Acknowledgements Caldera International wishes to thank Michal Zalewski for pointing out this problem. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7vXbB18sy83A/qfwRAogdAKCo3+7TxdXQjpcUlju+AH2nGZP/+QCdFj7m S3lXcUgF2b2ihvDBYKco6x8=zQ4+ -----END PGP SIGNATURE-----