Contributed by jose on from the mail-land-security dept.
OpenBSD 3.2 shipped with sendmail 8.12.8 and thus has the bug. OpenBSD 3.3 shipped with sendmail 8.12.9 and does not have the bug.
The problem has been fixed in the OpenBSD 3.2-stable branch.
In addition, a patch is available for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch
Please note that this only affects sendmail configurations that use the "enhdnsbl" feature. The default OpenBSD sendmail config does not use this. Unless you have created a custom config that uses enhdnsbl, you do not need to apply the patch or update sendmail.
Sendmail has its own announcement on this issue. If you're still on 3.2, you should consider upgrading to 3.3 anyhow, to enjoy the benefits of several other security and reliability enhancements.
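Since the advisory says the patch only matters for configs that enable enhdnsbl, here is a small added check (example code, not from the original post, OpenBSD or sendmail) that reports whether a sendmail .mc file turns the feature on; the two sample .mc files are constructed for the demo and the "example.invalid" DNSBL names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, OpenBSD or sendmail): report
# whether a sendmail .mc file enables FEATURE(`enhdnsbl'), the only
# configuration the OpenBSD 3.2 sendmail patch affects.

# uses_enhdnsbl FILE: prints matching lines and returns 0 when enhdnsbl is
# enabled, 1 when it is not, 2 when FILE cannot be read.
uses_enhdnsbl() {
    f=$1
    [ -r "$f" ] || return 2
    # m4 quoting varies (`enhdnsbl' or plain), so match loosely on the
    # FEATURE call and drop lines that are m4 comments (dnl).
    matches=$(grep -n -i 'FEATURE(.*enhdnsbl' "$f" \
              | grep -v '^[0-9]*:[[:space:]]*dnl' || true)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# make_samples DIR: write two constructed .mc files into DIR. default.mc
# mirrors a config without enhdnsbl; custom.mc enables it (one commented-out
# copy is included to show that dnl lines are ignored).
make_samples() {
    cat > "$1/default.mc" <<'EOF'
include(`../m4/cf.m4')
FEATURE(`nouucp', `reject')
FEATURE(`dnsbl')
MAILER(local)
EOF
    cat > "$1/custom.mc" <<'EOF'
include(`../m4/cf.m4')
dnl FEATURE(`enhdnsbl', `old.example.invalid')
FEATURE(`enhdnsbl', `bl.example.invalid', `"Rejected: "$&{client_addr}')
MAILER(smtp)
EOF
}

# Stand-alone demo: classify each sample file.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp/default.mc" "$tmp/custom.mc"; do
    if uses_enhdnsbl "$f" >/dev/null; then
        echo "$f: enhdnsbl enabled, patch or upgrade required"
    else
        echo "$f: enhdnsbl not used, patch not required"
    fi
done
rm -rf "$tmp"
```

Point uses_enhdnsbl at your own /etc/mail/*.mc (or whatever file you generate sendmail.cf from) to decide whether the patch applies to you.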
By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo
The patch applies cleanly and without problems following the instructions contained in the patch.
Hope this helps other fellows...
By anonymous () on
By Wim () on
First of all, what replacement with equal flexibility and features would you propose? Sure you can bring up Exim, Qmail or Postfix. And there the fun starts... it's a religious thing.
But... which one of these has a valid license that is compatible with http://www.openbsd.org/policy.html ?
Surely not Qmail. Nor Postfix.
So, what is left over?
OpenBSD is a free and functional OS. Ripping out Sendmail would surely cripple it, unless you can come up with a valid replacement.
Wim.
By anonymous () on
As a "newbie", this was my first impression/question.
By Anonymous Coward () on
Has anyone asked Wietse Venema (Postfix "owner") if something could be forked in OpenBSD with a more compatible licence?
Just as we did for p0f, and Wietse Venema is known to have accepted that sort of deal for tcp_wrappers ...
Postfix was designed with security in mind (no security hole since it became public), but maybe Exim would be a better candidate if Wietse Venema doesn't want us to fork Postfix under BSD policy?
By grey () on
Not to say that asking isn't OK, but you might want to have a good expectation of the answer beforehand.
I'd almost say you'd have better luck getting djb to apply a BSD license to his projects.
By Michael Anuzis () on
By Anonymous Coward () on
By Anonymous Coward () on
Well, Exim is free.
Courier-mta is free.
So I don't believe this argument.
Sendmail stays there because TdR and some others are - stupidly - stuck to bad old tools and pseudo-Unix tradition.
By Anonymous Coward () on
By Anonymous Coward () on
By pravus () on
sendmail is *the* standard MTA for UNIX-ish systems. it seems as though it might be better if more people spent more of their time helping to fix the standard rather than call for its replacement.
let's face it, sendmail works. it's not perfect, but show me a piece of code that is of any significant size that is perfect. put your money where your mouth is and develop "the secure system".
otherwise, you just sound like a parrot on the great anti-sendmail bandwagon. get a life... learn how to use ports if you don't like sendmail. i tire of your drivel.
By Anonymous Coward () on
By www () on
By anonymous () on
By Anonymous Coward () on
You trolls go to another site, use another OS, don't bother with OpenBSD if you dislike it so much >:(
By Anonymous Coward () on
By Anonymous Coward () on
What are you waiting for?
By Anonymous Coward () on
By Anonymous Coward () on
I was only giving some advice :P
By Anonymous Coward () on
By Wim () on
But OpenBSD is more than just an anally paranoid system, it aims to be USABLE.
That's why it comes with all the default stuff installed that people need to run a production box. Enabling/disabling is more a question of policy, not security.
(enabling rsh with + + in trusted hosts is not a question of policy but of being retarded ;-)
By Anonymous Coward () on
All daemons are not disabled by default on OpenBSD.
Do most people need a:
SMTP server?
POP server?
DNS server?
Web server?
FTP server?
and the list can go on indefinitely. No, most people do not need all that crap, but we can safely say that *most* people need remote access to the machine. Hence, the ability to remotely access a fresh OpenBSD install via the SSH server.
By Anonymous Coward () on
By Anonymous Coward () on
In recent versions of OpenBSD sendmail is configured to only accept connections from the local host and to not accept connections on any external interfaces. Has this ALWAYS been the case?
By Z-Blocker () on
Z
By Anonymous Coward () on
By Anonymous Coward () on
If versions of OpenBSD older than 3.0 have sendmail accepting connections from the local host and external interfaces, how can the quote on openbsd.org be true?
Sendmail has had quite a few vulnerabilities. Its reputation isn't good.
Does it only count for the latest release and/or stable branch? If so why not say it?
If not, then I should be able to install OpenBSD 2.4 (or even an older release) and the only vulnerability in that OS should be the known OpenSSH bug (the one that made the quote say one remote hole).
An OS from that time or older with an old sendmail accepting connections by default on external interfaces, with only an OpenSSH vulnerability, sounds too good.
How can this be true with Sendmail's reputation?
By Wim () on
Secondly, the counter on the OpenBSD website is from the point of view that you upgrade your OpenBSD version each release.
There are various holes in older releases, in SSH for example, but if you would have upgraded your OpenBSD machine each time there is a release, you would have not been vulnerable because OpenSSH was upgraded.
By Anonymous Coward () on
If this is in fact so, why not modify the quote to say so? Or is this some marketing trick to sell more OpenBSD CDs?
By Ulysses () on
By Anonymous Coward () on
By Wim () on
Or did you read the quote as saying that you could install OpenBSD 2.4 and have it up and running without any patches and be safe?
I would not advise running any production system like that ;-)
By Anonymous Coward () on
By tedu () on
By rabbit () rabbit@ulyssis.org on http://ace.ulyssis.org/rabbit
So holes like this one don't qualify, as they've been fixed long before they're known, let alone an exploit for them exists.
But why do people keep on staring at that one little sentence, instead of looking at what OpenBSD has achieved? Even if you don't agree with that sentence, you still can't deny that OpenBSD's security track record is superb.
(now are we going to have this discussion over and over again every time a patch comes out? :( )
By Anonymous Coward () on
That's a given with the Linux community. :P
By Anonymous Coward () on
The only way I can see these discussions ending is by either specifying exactly what is meant by that quote (requirements, hidden assumptions and stuff like that), or changing it to something more understandable.
By tedu () on
By Anonymous Coward () on
By Anonymous Coward () on
A fast check on the errata shows that there have been 8 different security fixes for sendmail since 2.6!
More than anything else.
Sendmail deserves us ...
Is there absolutely no solution to expect ?
By Nate () on
1. Have the Open folk start a new MTA: OpenMTA, focusing on security and the BSD license (go to page 50).
2. Create an Open-controlled branch of sendmail, one that focuses on security (go to page 150).
3. Try to get one of the other MTAs to go BSD (go to page 75).
By Chris () on http://unixfu.net
KISS and sendmail are kinda ironic. I would like to see Theo say otherwise with a straight face.
Are other developers besides Theo also interested in keeping sendmail (i mean the non-sheep-follow-him-around-like-he-is-Jesus ones)?
again, secure out of the box is kinda easy with no services running. NetBSD comes out of the box with no services running, as do Linux boxes i install. maybe NetBSD and those of us that install systems that way should make a note of it in big red letters on the site. it seems too marketing-ish.
why not just put "we audit our code and care about correctness... and notice our tree compiles pretty much every day of the year" in big red letters on the front page.
i think that is more important. hard to trust code that developers can't even test before committing. OpenBSD should stress this, instead of appealing to the joe Windows/RedHat user with the x years no remote hole crap... and wonder why morons come to misc@ and stuff... hrm, almost like a moth to a flame.
By Anonymous Coward () on
Sendmail needs to be redesigned. The configuration is awkward, and sendmail needs to be simplified internally from what I gather. The Unix Hater's Handbook[1] sums up Sendmail well. Basically Sendmail existed before the standards were complete, so the author(s) bent over backwards to support weird methods of using it. The horror stories from people using Sendmail are enough to scare one away from it.
1. Unix Hater's Handbook