
Re: [LI] root access from old sendmail boxes



On Wed, 19 Jan 2000, Manoj Victor Mathew wrote:

> A cracker will always get all the info he wants. But what about us? Give
> us a chance!

Give you a chance to do what? Do you know how many script-kiddies are
going to try out such "titbits" just for the heck now?

> Honestly, I would not have believed Mr. Suresh if he said "Sendmail 8.8.4
> has a bug that crackers can exploit to gain r00t.", without giving the
> details.

If you need proof for everything that is said around here, then you are in
serious trouble. You will have to have a certain amount of faith. And the
sense to understand that if there *is* a new version of sendmail out
there, and dire warnings hanging all over the place about old sendmail
versions, to quietly update your sendmail without going too deep into the
details.

Try this - go to Linux Weekly News, Linux Today or even SlashDot and see
if they tell you in explicit detail how a crack can be achieved. They do
not, because they are responsible. And people trust them to report facts
(OK, one would take SlashDot with a pinch of salt) that do not need to be
followed up on - if they report that there is a problem with sendmail, and
you need to update, you don't ask questions - you get the latest version
and update!

Raj Mathur posts lots of security bulletins here. Have a look at them -
do they mention details? They do not, but the second he posts one here, we
scramble to update all our client installations, because we trust Raju and
his sources.

Atul

