
Re: [LI] Info on Y2K!!!



Mannu

On 28 Nov 99, at 19:57, thus spake Linux India Digest:

> Anyone here has a clue about the Y2K readiness of RedHat 5.2 and
> Sendmail 8.8.7???

It's Y2K compliant all right, but totally insecure - especially sendmail 
8.8.7 (as IIT Madras found to their cost a couple of days ago when a 
spammer attacked them).

1. Sendmail builds lower than 8.9.3 are generally unstable, and 
subject to several buffer overflow attacks (say HELO string > 1kb 
length).

2. Older builds are generally open relays.

3. Even the sendmail supplied with RH6 is slightly broken - or rather 
the linuxconf generated sendmail.cf file is outdated, generating 
faulty check_rcpt tables vulnerable to open relay using mail from:"", 
user%host, uucp bangpathing etc. hacks (which several commercial 
spamware uses).

According to sendmail.org - sendmail 8.8 is effectively unsupported 
and susceptible to a buffer overflow attack (caused when a HELO of 
over 1024 characters is sent). It is also vulnerable to uucp 
bangpathing, %, "" etc. relaying hacks.

Sendmail 8.9.0 and 8.9.1 are susceptible to relaying attacks using 
the : pathing control character in the RCPT TO:<> header. 

Hence, golden rule - upgrade to RH6.1 or at least upgrade your 
sendmail to 8.9.3.  Or get sendmail 8.10.x.Beta which supports 
Authenticated SMTP.

When upgrading sendmail - always rebuild your sendmail.cf - or 
download the .cf generator for free from 
ftp://ftp.jpcert.or.jp/pub/security/tools/CF/

Or better - as you use Red Hat, see ftp://admin.netus.com/sendmail/ 
for free, preconfigured sendmail 8.9.3 rpms for various scenarios.

[hell, why do I keep saying "free"?  this is Linux after all, not 
windoze <g>]

--s



Suresh Ramasubramanian
106D, Aditya Enclave, Ameerpet, Hyderabad 500038, India.
Phone: +(91-40)3736553/3745398 | eFax: +(1-603)590-5437
Suresh@xxxxxxxxxxx | Suresh@xxxxxxxx
http://www.kcircle.com | http://www.angen.net/~pegasus/
    Freedom's just another word for not caring about the quality of your work. 
         - Scott Adams (in Dilbert)
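
The relay checks the post describes (rejecting user%host, uucp bang paths, @relay:user@dest source routes and "user@dest"@relay quoted routes on RCPT TO, refusing to let an empty MAIL FROM grant relay rights, and rejecting an over-long HELO) as an added, stand-alone Python illustration. This is not code from the original post and has nothing to do with sendmail's own check_rcpt ruleset; the LOCAL_DOMAINS set, the classification names and the SAMPLE_COMMANDS are all constructed here for the example.

```python
import re

# Constructed sample of SMTP envelope commands, in the shape an MTA would
# see them on the wire. Assumption: these domains are fictitious.
SAMPLE_COMMANDS = [
    "HELO mail.example.net",
    "MAIL FROM:<>",                                         # null sender (bounces)
    "RCPT TO:<user@example.net>",                           # local delivery
    "RCPT TO:<user@victim.example>",                        # plain relay attempt
    "RCPT TO:<user%victim.example@relay.example.net>",      # percent hack
    "RCPT TO:<relay.example.net!victim.example!user>",      # uucp bang path
    "RCPT TO:<@relay.example.net:user@victim.example>",     # RFC 821 source route
    "RCPT TO:<\"user@victim.example\"@relay.example.net>",  # quoted-route hack
    "HELO " + "A" * 1100,                                   # over-long HELO
]

# Assumption: the domains this host accepts mail for.
LOCAL_DOMAINS = {"example.net", "relay.example.net"}
MAX_HELO_LEN = 1024  # the post cites HELO strings over 1024 characters

ROUTE_HACKS = {"source-route", "bang-path", "percent-hack", "quoted-route"}


def classify_address(addr):
    """Name the shape of an envelope address; the decision is made elsewhere."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return "null-sender"
    if addr.startswith("@"):
        return "source-route"      # @relay:user@dest
    if "!" in addr:
        return "bang-path"         # relay!dest!user
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return "local"             # bare user name, no domain part
    if "%" in local:
        return "percent-hack"      # user%dest@relay, rewritten after acceptance
    if local.startswith('"') and "@" in local:
        return "quoted-route"      # "user@dest"@relay
    return "local" if domain.lower() in LOCAL_DOMAINS else "relay-to-remote"


def audit_session(commands):
    """Return (verb, classification, decision) per command.

    The relay decision is taken on the recipient alone: what MAIL FROM
    contains (including the empty sender) never widens who we relay for.
    """
    results = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            cls = "overlong-helo" if len(arg) > MAX_HELO_LEN else "helo"
            results.append((verb, cls, "reject" if cls == "overlong-helo" else "accept"))
        elif verb in ("MAIL", "RCPT"):
            addr = arg.split(":", 1)[1] if ":" in arg else arg
            cls = classify_address(addr)
            if verb == "MAIL":
                # remote and null senders are normal; only routing tricks are refused
                decision = "reject" if cls in ROUTE_HACKS else "accept"
            else:
                decision = "accept" if cls == "local" else "reject"
            results.append((verb, cls, decision))
        else:
            results.append((verb, "other", "accept"))
    return results


if __name__ == "__main__":
    for cmd, (verb, cls, decision) in zip(SAMPLE_COMMANDS, audit_session(SAMPLE_COMMANDS)):
        print(f"{decision:6} {cls:15} {cmd[:60]}")
```

The point of separating classify_address from audit_session is the one the post makes about the linuxconf-generated sendmail.cf: a relay check that looks at the sender, or that accepts a recipient before the address is rewritten, lets the % and ! forms through; the decision has to be made on the recipient's final destination domain and nothing else.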

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.