from the lingering-bugs dept.
Wow, huge security hole in Sendmail found by ISS' X-Force. This one's been present in Sendmail versions from 5.79 to 8.12.7, including what has been shipping in OpenBSD. Miod and Todd have been working hard to correct the problem. Two patches are available, one for OpenBSD 3.1-stable and one for OpenBSD 3.2-stable. For OpenBSD-current the problem has been fixed by importing Sendmail 8.12.8, available from your local OpenBSD source tree. From Claus Assmann at Sendmail:
There is a bug fix for ident parsing in 8.12.8. While this is not believed to be exploitable, if you are not upgrading to 8.12.8, you may want to turn off ident checking.
At least this made it in before the tree freeze ... Mail to security-announce is on its way out now, and the website will be updated shortly. Big thanks to Todd and Miod for their info and fixing this.
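As an added example (not code from this post, OpenBSD or Sendmail), a small POSIX shell check covering the two things above: whether a Sendmail version string falls inside the affected 5.79 to 8.12.7 range, and whether a sendmail.cf has ident lookups turned off via Timeout.ident=0, the cf option behind Claus Assmann's suggestion. The banner and config are constructed sample input, and a version inside the range only says "check for the vendor patch", since -stable patches fix the bug without changing the version number.

```shell
#!/bin/sh
# Added example, not code from the undeadly post, OpenBSD or Sendmail.
# Two defender-side checks tied to this advisory:
#  1. does a Sendmail version string fall in the affected range 5.79 .. 8.12.7?
#  2. does a sendmail.cf disable ident lookups (O Timeout.ident=0)?
# Caveat: -stable patches fix the bug without bumping the version, so an
# "affected" result means "verify the patch is applied", not "exploitable".

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    x=${x:-0} y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Strip the "Version " prefix that `sendmail -d0.1 -bv root` prints.
version_from_banner() {
  printf '%s\n' "${1#Version }"
}

# True (exit 0) when 5.79 <= version <= 8.12.7.
sendmail_affected() {
  [ "$(vercmp "$1" 5.79)" -ge 0 ] && [ "$(vercmp "$1" 8.12.7)" -le 0 ]
}

# True when the given sendmail.cf sets Timeout.ident to 0 (ident lookups off).
ident_disabled() {
  grep -Eq '^O[[:space:]]*Timeout\.ident[[:space:]]*=[[:space:]]*0s?[[:space:]]*$' "$1"
}

# Constructed sample input standing in for the live banner and config file.
banner='Version 8.12.7'
cf=$(mktemp)
printf 'O Timeout.ident=5s\n' > "$cf"
v=$(version_from_banner "$banner")
if sendmail_affected "$v"; then echo "$v: in affected range, check that the patch is applied"; fi
if ! ident_disabled "$cf"; then echo "ident lookups still enabled in $cf"; fi
rm -f "$cf"
```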