[Esd-l] FYI critical sendmail vulnerability

John D. Hardin jhardin at impsec.org
Tue Mar 4 06:31:55 PST 2003

On Tue, 4 Mar 2003, Brett Glass wrote:

> At 08:44 PM 3/3/2003, John D. Hardin wrote:
> >...and if I had a sample I could sanitize it.
> But by then it would be too late. Procmail doesn't get the message
> until after Sendmail does.

Not necessarily. The sanitizer could conceivably be running on a
qmail or postfix gateway in front of a vulnerable sendmail, or be
sanitizing outbound messages the same way.

Yes, I'm grasping. :)

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ...voice or no voice, the people can always be brought to the bidding
 of the leaders. That is easy. All you have to do is tell them they
 are being attacked and denounce the pacifists for lack of patriotism
 and exposing the country to danger. It works the same way in any
                                            -- Hermann Goering
   79 days until The Matrix Reloaded

More information about the esd-l mailing list