
sendmail buffer overflow fix for 8.11.6


Deepak Thadani

Mar 10, 2003, 10:21:34 PM
Hi all,

I just recompiled my sendmail 8.11.6 (on SCO OSR 5.0.5) with the
patch from sendmail.org for the latest buffer flow vulnerability, and
things are looking good and it's running fine.

While I was at it, I also compiled 8.12.8, however I wanted to know,
before I install 8.12.8, is there a list of significant changes
between 8.11.6 and 8.12.8? I've checked the sendmail.org site and I
don't find any real feature comparisons between versions of sendmail.

Is there a site/page or reference document I can read which will show
a feature by feature comparison between various sendmail versions?

Any help would be appreciated.


Thanks,

Deepak

---
Deepak Thadani
SysIntegrators, LLC

John Schmidt

Mar 11, 2003, 10:06:08 AM

On Tue, 11 Mar 2003, Deepak Thadani wrote:

> Is there a site/page or reference document I can read which will show
> a feature by feature comparison between various sendmail versions?

Check the RELEASE_NOTES file in the base directory of the sendmail
source code. Most of the changes from 8.12.0 through 8.12.8 are
minor, so the section dealing with 8.12.0 gives a good overview
of what you're looking for.

JS


Bill Vermillion

Mar 11, 2003, 12:25:32 PM
In article <3e6d5502....@news.alterdial.uu.net>,

Deepak Thadani <dee...@REMOVEsysintegrators.comME> wrote:
>Hi all,
>
>I just recompiled my sendmail 8.11.6 (on SCO OSR 5.0.5) with the
>patch from sendmail.org for the latest buffer flow vulnerability, and
>things are looking good and it's running fine.

>While I was at it, I also compiled 8.12.8, however I wanted to know,
>before I install 8.12.8, is there a list of significant changes
>between 8.11.6 and 8.12.8? I've checked the sendmail.org site and I
>don't find any real feature comparisons between versions of sendmail.

Release notes 'knows all - tells all'.

The most significant change - and it can catch you if you don't
add new users before running it - is that sendmail no longer
runs SUID root by default. It runs SGID 'smmsp' - and that user
needs to be added along with 'mailnull' user.

It will create a 'clientmqueue' directory in addition to the
standard 'mqueue'.

There are also now two .cf files, the sendmail.cf and the submit.cf.
The latter is used for transmitting and the former is for receiving.

That means you can run sendmail in send only, receive only, both,
or none. It also does some severe checking on world and group
writeable files/directories and will not run if they are not
correct. I had to fix an OS/X for a friend of mine this way.

There are lots of other changes but those are the only ones you
need to watch out for if you install in the default mode.

>Is there a site/page or reference document I can read which will show
>a feature by feature comparison between various sendmail versions?

Nothing in sendmail is one page :-) The one site that has the
information is www.sendmail.org.

The closest you'll come are the release notes and if you stick with
current you'll see starting with the 8.12.0 notes all the changes
that have been made. It is a LOT of information - 99% of which
won't affect most people. The above are what you really need to
know about.

Bill


--
Bill Vermillion - bv @ wjv . com
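
The two upgrade pitfalls described in the post above (the missing 'smmsp' and 'mailnull' accounts, and group- or world-writable files and directories) can be checked before installing 8.12. This is an added example, not part of the original thread or the sendmail distribution; the function names are hypothetical and the paths `/etc/mail` and `/var/spool/mqueue` are assumed defaults that may differ on your system.

```shell
#!/bin/sh
# Added example: pre-install checks for a sendmail 8.11 -> 8.12 upgrade.
# Account names come from the thread; the paths below are assumed defaults
# and may differ on your system.

# Print each named account that does not exist on this host.
missing_accounts() {
    for name in "$@"; do
        id -u "$name" >/dev/null 2>&1 || printf '%s\n' "$name"
    done
}

# Print every file or directory under the given paths that is group- or
# world-writable. Symlinks are skipped: their own mode bits are meaningless.
loose_perms() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" ! -type l \( -perm -020 -o -perm -002 \) -print
    done
}

# Run both checks; return non-zero if anything needs fixing.
preflight() {
    rc=0
    missing=$(missing_accounts smmsp mailnull)
    if [ -n "$missing" ]; then
        echo "missing accounts (create before installing):" $missing
        rc=1
    fi
    loose=$(loose_perms /etc/mail /var/spool/mqueue)   # assumed paths
    if [ -n "$loose" ]; then
        echo "group/world-writable, sendmail may refuse to run:"
        echo "$loose"
        rc=1
    fi
    return $rc
}

# Only run against the live system when asked to.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it with `--check` as root before `make install`; the 'clientmqueue' directory is deliberately left out of the permission scan because it is meant to be writable by the 'smmsp' group.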

Deepak Thadani

Mar 13, 2003, 11:14:00 PM
On Tue, 11 Mar 2003 17:25:32 GMT, b...@wjv.comREMOVE (Bill Vermillion)
wrote:

Thanks Guys! Appreciate all the extra Info!

Deepak
