Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Linux/Sendmail Pro Security Alert (fwd)

I received this yesterday from an employee of Sendmail Inc.  FYI.
Personally I think it's a marketing ploy... ;)

---------- Forwarded message ----------
Date: Wed, 07 Jun 2000 18:42:25 -0700
From: Tasha Lockyer <tasha at>
To: rhlcustomers at
Subject: Linux/Sendmail Pro Security Alert


The Problem
A serious bug has been discovered in the Linux kernel that can be used
by local users to gain root access.  The problem, a vulnerability in the
Linux kernel capability model, exists in kernel versions up to and
including version 2.2.15.  This problem will affect programs that drop
setuid state and rely on losing saved setuid, even those that check that
the setuid call succeeded.  

How This Affects You
Because this vulnerability can be used to attack any setuid root program
that attempts to cede special permission, all sendmail users can be
exploited.  Please note that this is NOT a sendmail security issue, but
rather a Linux issue that can manifest itself in the sendmail program. 
As a result, this problem can be exploited on Sendmail Pro for Red Hat

How To Fix It
To resolve this issue, upgrade your Linux kernel to version 2.2.16
immediately. If you are currently unable to obtain an upgrade from your
vendor, we strongly recommend that you upgrade from Sendmail Pro to
Sendmail Switch.  Sendmail Switch 2.0.5 for Red Hat Linux includes a
check for this vulnerability in the kernel and if it is present, refuses
to run, thus making it impossible to use sendmail to exploit the
problem.  Sendmail Single Switch is available only on the Sendmail Store
for the special promotional price of $99.  To purchase this product,
please go to:

For more information on the Sendmail Switch product line, please see:

PGP/GPG Public key at
Derek D. Martin      |  Unix/Linux Geek
derekm at  |  derek at

Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at (Subject line is ignored).

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /