| Beschreibung: | Description:
The remote host is missing updates announced in
advisory CLA-2003:742.
Sendmail[1] is a widely used Mail Transfer Agent (MTA).
Michal Zalewski reported[2] a remote vulnerability[3] in sendmail
versions 8.12.9 and earlier. The problem resides in the address
parsing code and can be exploited to execute arbitrary code in the
context of the server. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2003-0694 to this
issue[4].
The sendmail authors have released a new version[5], 8.12.10, which
fixes this vulnerability. They have also made available a patch[6]
for older versions, which the packages provided via this announcement
contain.
This update also includes fixes for a buffer overflow vulnerability
in the ruleset parsing code. This vulnerability is not exploitable in
the default configuration and requires the use of non-standard
rulesets recipients. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2003-0681 to this
issue[7].
Starting with Conectiva Linux 7.0, sendmail is no longer the default
mail server and has been replaced with Postfix (but sendmail is still
shipped with all Conectiva Linux versions).
Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'
http://www.sendmail.org/
http://www.securityfocus.com/archive/1/337839
http://www.kb.cert.org/vuls/id/784980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0694
http://www.sendmail.org/8.12.10.html
http://www.sendmail.org/parse8.359.2.8.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0681
http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:742
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003
Risk factor : Critical
CVSS Score:
10.0
|
