Buffer Overflow in Sendmail

ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."

"Email Different"

[Anonymous Coward]

That's why you should entrust all your email services to Hotmail.

Re:"Email Different"

[CausticWindow]

You've got a point there.

While not as flexible as mutt on a *nix server, at least Hotmail is basicly secure.

Yay!

[Greyfox]

I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!

Re:*cough*

[jrockway]

Well, I don't use sendmail. I use postfix. So M$ and sendmail both suck, lol.

Re:Fix this at the language level?

[interiot]

Yes, in order to make sendmail even more convoluted, I recommend it be rewritten in perl. Or maybe javascript, that would work too.

This is a really difficult one

[heironymouscoward]

A serious response to the story is too bleak. Ho-hum, upgrade sendmail, patch it, OK.

Comedy is inappropriate. "Is that sendmail dead? No, it's just sleeping. Oh, I could swear it was dead! No, it's just tired, see? Sendmail gottan exploit, sendmail gottan exploit!"

Irony is difficult. To be honest, I can't even be sure which ironic form I would employ in this case. Forget irony.

Sarcasm? "Sendmail, yeah, like we're still using that dinosaur!" What, we are? Dang. Why? "Cause it was there?" What kind of an excuse is that?!

Nihilism... "yes, another day, another exploit. ssh, now sendmail. I can just see the future, one long bitter trail of unpatched software, server after server to upgrade. brain the size of a planet, and here I am, patching sendmail. what's the use, I ask you...?"

Slashdotisms? All your sendmail overlords are 1-2-3 profit to us? Imagine? In Russia? No, no, no.

SCO! SCO! "It's not an exploit, it's a snippet!!!" Worth a try.

Damn you to the deepest depths of hell, Slsadhot edirots, this story has so little karma leverage it hurts.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Patch delivery mechanism

[Anonymous Coward]

> Does Linux have an Auto-update mechanism similar to
> windows that indicates when new patches are available
> for download?

Yup. it's called "slashdot"

Spam, spam, spam and spam

[Serious Simon]

I experience daily buffer overflows receiving mail.

Re:I use...

[1010011010]

If you can edit a .cf file by hand, you've earned the right to run it. :) And the punishment of running it.

Re:"Email Different"

[buffer-overflowed]

No, you should entrust all your email to me... I'm a nice guy really. I'm *never* responsible for remotely exploitable holes.

I didn't realize Microsoft wrote sendmail!

[Junks Jerzey]

But they must have, because there are no bugs in any software that runs under Linux. There never have been, and there never will be.

Re:It's on the site now

[buffer-overflowed]

Lies, all lies, I'm not in sendmail, I don't even run sendmail. I run qmail.

Re:HUH?

[athen66]

that's pretty sad if you think "a lot" and "allot" mean the same thing. go back to kindergarten.

Re:Sendmail's future

[Fizzlewhiff]

I agree and am migrating to Exchange as I type this. Hopefully it, and Outlook will be more secure for my users.

You know...

[Gay Nigger]

I feel like my week isn't complete without patching Sendmail at least once. Ahhh... return to normalcy. I feel better.

Look I know

[IWantMoreSpamPlease]

that many in the Open Source Community are content to imitate Microsoft's latest offerings, but copy exploits is, in my opinion, going too far! ;-)

Re:OpenSSH as well

[lone_marauder]

What?? You don't trust software compiled by flying butt monkeys?

Re:Fix this at the language level?

[spektr]

I vote to have it written in Brainfuck (http://www.muppetlabs.com/~breadbox/bf). A simpler language makes a program easier to read, right?

I wouldn't be surprised entirely if it turned out that sendmail was the first (and only) non-trivial program that could be expressed in brainfuck [muppetlabs.com]. I fact, I believe that sendmail.cf [busan.edu] had been ported to brainfuck already.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I suspect this story is fradulent

[RLiegh]

as I cannot believe that sendmail would have an exploit (remote or otherwise) given its' history.

Re:Use qmail

[Anonymous Coward]

bernstein managed to suck out the brain of many people?

Re:OpenSSH as well

[Anonymous Coward]

> What?? You don't trust software compiled by flying butt monkeys?

Yes, I use Microsoft products all the time.

Perpetual newpaper

[perp]

There was a Dilbert strip where Dogbert tried to sell Dilbert a "perpetual newspaper"; only a thousand dollars and you'll never need to buy another newspaper!

The headlines were like "Pope Denounces Violence" and "Real Estate Values Rise" and "Unrest in the Middle East". I think that "Buffer Overflow Found in Sendmail" would have been a worthy addition to the Tech Pages.