[Esd-l] FYI critical sendmail vulnerability
    daniel lance herrick
    dan.herrick at pbs.proquest.com
    Tue Mar  4 05:50:42 PST 2003

On Mon, 3 Mar 2003, John D. Hardin wrote:
> On Mon, 3 Mar 2003, Kenneth Porter wrote:
>
> > <http://rhn.redhat.com/errata/RHSA-2003-073.html>
> > <http://www.cert.org/advisories/CA-2003-07.html>
> >
> > Note that the problem affects internal servers, not just border
> > servers. All versions of sendmail below 8.12.8 are vulnerable. The
> > attack takes the form of a message, not a connection, and the
> > message could potentially arrive via a trusted peer.
>
> ...and if I had a sample I could sanitize it.
The CERT advisory says the patch reports "Dropped invalid comments from header address". Doesn't that make this the misuse of RFC 822 comments that was discussed on this list a couple of weeks ago?

dan
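As an added illustration of what "dropping invalid comments from a header address" can mean on the filtering side (example code written for this archive page, not sendmail's code or its patch, and not a reproduction of the advisory's bug): a small RFC 822 comment stripper that removes parenthesised comments from an address header, honours quoted-strings and backslash quoted-pairs, and reports unbalanced or excessively nested comments so a gateway filter could quarantine the message instead of passing it to an internal server. The nesting limit `MAX_DEPTH` is a constructed local policy, not a value from the RFC or the advisory.

```python
# Added example: strip RFC 822 comments from an address header and flag
# malformed ones.  Not sendmail code; the depth limit is a constructed policy.

MAX_DEPTH = 4  # constructed policy limit on comment nesting, not an RFC value


def strip_comments(header, max_depth=MAX_DEPTH):
    """Return (cleaned_header, reasons).

    Comments are parenthesised text outside quoted-strings; they may nest and
    may contain backslash quoted-pairs.  `reasons` lists why the header is
    invalid and is empty when the comments parse cleanly.
    """
    out, reasons = [], []
    depth = 0          # current comment nesting depth
    in_quote = False   # inside a "quoted-string" (parentheses are literal there)
    i = 0
    while i < len(header):
        c = header[i]
        if c == "\\" and i + 1 < len(header):
            # quoted-pair: keep it outside comments, drop it inside a comment
            if depth == 0:
                out.append(header[i:i + 2])
            i += 2
            continue
        if depth == 0 and c == '"':
            in_quote = not in_quote
            out.append(c)
        elif not in_quote and c == "(":
            depth += 1
            if depth > max_depth:
                reasons.append("comment nesting exceeds %d" % max_depth)
        elif not in_quote and c == ")":
            if depth == 0:
                reasons.append("unbalanced ')' at offset %d" % i)
            else:
                depth -= 1
        elif depth == 0:
            out.append(c)  # ordinary address text, kept verbatim
        i += 1
    if depth > 0:
        reasons.append("unterminated comment")
    if in_quote:
        reasons.append("unterminated quoted-string")
    # de-duplicate while preserving first-seen order
    return "".join(out), list(dict.fromkeys(reasons))


def header_is_clean(header):
    """True when the header's comments parse; use to decide on quarantine."""
    return not strip_comments(header)[1]
```

Constructed inputs such as `'"Dan (not a comment)" <dan@example.com> (signer)'` keep the quoted display name intact and lose only the trailing comment, while a stray `)` or an unterminated `(` produces a non-empty reason list.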