Sendmail Vulnerability Issues



A critical security problem was recently discovered in sendmail (www.sendmail.org), and a new version, 8.12.8, containing a fix is now available.

Although H-Sphere doesn't include a sendmail package by default, boxes that don't run the H-Sphere mail system (based on qmail/vpopmail) may contain a custom sendmail package. We recommend checking your web servers, CP server and database servers as follows:

Linux:

---------------------------------------------
[root@server root]# rpm -qa|grep sendmail
sendmail-cf-8.11.6-15
sendmail-8.11.6-15
sendmail-devel-8.11.6-15
---------------------------------------------

FreeBSD:

---------------------------------------------
[root@server root]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 monster.psoft ESMTP Sendmail 8.11.6/8.11.6; Thu, 6 Mar 2003 18:31:15 +0200
^]
telnet> Connection closed.
---------------------------------------------

If you have a sendmail package installed and the sendmail SMTP daemon running, you should update or patch the package. The instructions are available on the sendmail site at www.sendmail.org.
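
To run the two checks above across several servers, the following added example (not part of the original advisory or of H-Sphere) extracts the sendmail version from an rpm package name or an SMTP 220 banner and compares it numerically with 8.12.8. The function names and the host.example banner are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare a detected sendmail version with the fixed release.
FIXED="8.12.8"   # version the advisory names as containing the fix

# Print the upstream version found in an rpm package name or SMTP 220 banner.
extract_version() {
    case "$1" in
        sendmail-[0-9]*)               # rpm: sendmail-<version>-<release>
            v=${1#sendmail-}; printf '%s\n' "${v%%-*}" ;;
        "220 "*"Sendmail "[0-9]*)      # banner: Sendmail <version>/<config>;
            v=${1#*"Sendmail "}; printf '%s\n' "${v%%[/; ]*}" ;;
        *) return 1 ;;                 # sub-packages (sendmail-cf) and other lines
    esac
}

# Succeed when dotted version $1 is strictly older than $2 (numeric per field,
# so 8.9.3 sorts before 8.12.8, which a plain string comparison gets wrong).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # ignore non-numeric suffixes
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1                           # equal versions are not "older"
}

# Print "<version> needs-update", "<version> ok" or "unrecognised" for one line.
classify() {
    ver=$(extract_version "$1") || { echo "unrecognised"; return 0; }
    if version_lt "$ver" "$FIXED"; then echo "$ver needs-update"
    else echo "$ver ok"; fi
}

# Lines from the transcripts above, plus one constructed banner for 8.12.8.
while IFS= read -r line; do
    printf '%-20s <- %s\n' "$(classify "$line")" "$line"
done <<'EOF'
sendmail-cf-8.11.6-15
sendmail-8.11.6-15
220 monster.psoft ESMTP Sendmail 8.11.6/8.11.6; Thu, 6 Mar 2003 18:31:15 +0200
220 host.example ESMTP Sendmail 8.12.8/8.12.8; Thu, 6 Mar 2003 18:31:15 +0200
EOF
```

An older upstream number on a vendor package is not conclusive, because vendors may backport a fix without changing it, and the banner text is configurable. Treat "needs-update" as a prompt to check the vendor's advisory for that package release.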



Copyright 1998-2008. Positive Software Corporation.
All rights reserved.