-----BEGIN PGP SIGNED MESSAGE-----
Content-Type: text/plain; charset=us-ascii

FTP://ftp.sendmail.org/pub/sendmail/sendmail.8.8.5.tar.gz
FTP://ftp.cs.berkeley.edu/ucb/src/sendmail/sendmail.8.8.5.tar.gz

This release fixes a nasty security bug that allows an external attacker to get root privileges. This problem appeared in 8.8.3. It is essential that you upgrade ASAP if you are running 8.8.3 or 8.8.4.

If you cannot upgrade immediately, turn off the F=9 flag on the local and prog mailers. You can do this by editing the /etc/sendmail.cf file and looking for the lines beginning Mlocal and Mprog. Find the field beginning "F=" and delete the digit "9" from the following string. Then restart the sendmail daemon. If your configuration file does not include the F=9 flag, then you are not vulnerable.

A CERT Advisory on this vulnerability will be released soon.

I believe this to be the problem claimed by bob2@seanet.com in a posting to comp.security.unix on January 9. However, despite the claim in the posting that an exploit script was sent to me and to CERT, neither of us received any such message. The delay between that posting and this release is a direct cause of time spent trying to find the problem and verify whether this is the vulnerability that poster had in mind. Since he declined to answer any e-mail, we spent a considerable amount of time trying to assure ourselves that there wasn't another problem.

I've had people tell me that there is a perception that I don't care about security. That isn't true -- in fact, security is one of my top concerns. However, I can't do it alone. Sendmail has always been a part time project for me, something done in my so-called free time. I need the help of you out there to improve the security of sendmail. Finding a hole and then not passing it on to someone who can fix it doesn't help improve the net. We're all in this together -- please, let's start working as a team.
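The interim workaround above (drop the "9" from the F= field of the Mlocal and Mprog lines, leave every other mailer alone, then restart the daemon) is easy to get subtly wrong by hand on a long sendmail.cf. The script below is an added example, not part of the announcement or of the sendmail distribution: it checks whether the F=9 flag is present, removes it from exactly those two mailer definitions with a backup kept for reverting after the upgrade to 8.8.5, and shows the flag strings before and after. The sendmail.cf fragment it operates on is constructed for illustration; the flag strings in a real configuration differ, and the script is run against a temporary copy rather than /etc/sendmail.cf.

```shell
#!/bin/sh
# Added example (not the announcement's or sendmail's own code): apply the
# F=9 workaround to a sendmail.cf and verify it. The configuration below is
# a constructed sample; real mailer lines carry different flag strings.

SAMPLE_CF='# constructed sample sendmail.cf fragment
Mlocal,   P=/bin/mail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail -d $u
Mprog,    P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Msmtp,    P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h'

# Print the F= field of the local and prog mailer lines, one per line,
# in file order. Fields are comma separated, so split on commas first.
mailer_flags() {
    grep -e '^Mlocal,' -e '^Mprog,' "$1" \
        | tr ',' '\n' \
        | grep '^[[:space:]]*F=' \
        | sed 's/^[[:space:]]*F=//'
}

# Exit 0 if either the local or the prog mailer still carries the 9 flag
# (i.e. the configuration is still exposed), 1 otherwise.
has_f9() {
    mailer_flags "$1" | grep -q 9
}

# Remove the digit 9 from the F= field of Mlocal and Mprog lines only.
# Other mailers (e.g. Msmtp) and other fields are left untouched.
# Reads the file named in $1 and writes the edited text to stdout.
strip_f9() {
    sed -e '/^Mlocal,/ s/\(F=[^,]*\)9/\1/' \
        -e '/^Mprog,/  s/\(F=[^,]*\)9/\1/' "$1"
}

# Apply the workaround in place, keeping a .bak copy so the original
# flags can be restored once the upgrade to 8.8.5 is done.
apply_workaround() {
    cf="$1"
    cp "$cf" "$cf.bak" || return 1
    strip_f9 "$cf.bak" > "$cf" || return 1
    mailer_flags "$cf"
}

# Demonstration on the constructed sample in a temporary file.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CF" > "$tmp"
echo "before:"; mailer_flags "$tmp"
apply_workaround "$tmp" > /dev/null
echo "after:";  mailer_flags "$tmp"
if has_f9 "$tmp"; then
    echo "F=9 still present on a local/prog mailer"
else
    echo "F=9 removed; now restart the sendmail daemon"
fi
rm -f "$tmp" "$tmp.bak"
```

To use it on a real system, run has_f9 against /etc/sendmail.cf first: if it exits non-zero the configuration never had the flag and, as the announcement says, is not exposed; otherwise run apply_workaround on a copy, diff it against the original to confirm only the two F= fields changed, install it, and restart sendmail.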
It has been suggested to me that I try to organize "tiger teams" of hackers to do critical security-related code reviews. I haven't had time to organize such a thing myself, and I haven't been able to find someone else who was willing to organize the process. However, my time commitments have recently changed enough that I would be willing to attempt this if members of the hacker community were willing to volunteer their time. Please let me know if you have energy to help out.

eric

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMuUWiyPkYtS/e6QhAQFtLgQAjl2HW4velzs4I5POCZaJY/QbTbYW/fLC
oIxlRRyjeEcfNYCqqSN1kX2QkwNmlDya6uhXdK5DXvysEu5DebPmWniDkeDu+T+y
e3ON0Mmv3cVwccpYoq7bak3+e6EEg9sf586inPbD002OzZDYgKGfs/CUg6k0X+Gi
LfemAMJwHGs=
=EjSW
-----END PGP SIGNATURE-----