Sendmail vulnerabilities


Summary

Assorted sendmail vulnerabilities.

The problems

Note: this text was adapted from Cert Advisory CA-95:05 of February 22, 1995.

With almost every sendmail version that was built before February 1995, a malicious user can gain unauthorized privileges by exploiting newlines in command-line arguments or in the process environment. Intruders need to have access to an account on your system to exploit this problem.

In addition, pre-8.6.10 versions of sendmail that support IDENT (RFC 1413) functionality have a problem that could allow an intruder to gain unauthorized access to your system remotely (that is, without having access to an account on the system).

Fix

Replace sendmail by a more recent version, for example from ftp.cs.berkeley.edu:/ucb/sendmail, or use a corrected version from your vendor. Consult Cert Advisory CA-95:05