I presume this will affect a number of people here, so I thought I'd forward this alert I just received from sendmail.

Alan

SECURITY ALERT

Today Internet Security Systems and the Sendmail Consortium announced the discovery of a security vulnerability in the sendmail mail transfer agent. This vulnerability is serious, and Sendmail, Inc. urges customers to apply the supplied security patch as soon as possible.

The vulnerability derives from a potential buffer overflow in sendmail's header handling code. In a worst-case scenario, the vulnerability provides the ability for an attacker to remotely gain root access to the targeted system.

While there have been no known exploits of this vulnerability to this point, we believe that unpatched systems could become exploitable very soon. For that reason we are immediately providing software patches for the following releases of Sendmail's commercial products. These include:

Sendmail Switch 3.0.x on Solaris, Linux, and AIX
Sendmail Switch 2.2.x on Solaris, Linux, AIX, Windows NT/2000 and S390 Linux
Sendmail Switch 2.1.x on HP-UX
Sendmail Switch 2.2.xJ on Windows NT/2000
Sendmail Advanced Message Server 1.2 on Solaris, Linux, AIX, and S390 Linux
Sendmail Advanced Message Server 1.3 on Windows 2000
Sendmail for NT Version 3.x

You may download the patch from the following URL:

http://www.sendmail.com/support/download/

We have provided MD5 checksums at the end of this message to assist you in validating the integrity of the downloaded patches.
More information on this vulnerability and the fix in Sendmail's commercial products is available by visiting Sendmail's security information page at:

http://www.sendmail.com/security/

More information on this vulnerability and the fix in Open Source sendmail is available from the Sendmail Consortium's Web site at:

http://www.sendmail.org/

The original ISS announcement can be found on ISS's Web site at http://www.iss.net/

--------
Checksums

Verifying the MD5 Checksum

After you have downloaded the package, you should check if the MD5 checksum matches the one provided at the end of this email. Each file has an individual checksum that you can verify with the following command:

shell> md5sum <

Note that not all operating systems support the md5sum command - on some it is simply called md5, others do not ship it at all. On Linux, it is part of the GNU Text Utilities package, which is available for a wide range of platforms. You can download the source code from http://www.gnu.org/software/textutils/ as well.

If you have OpenSSL installed, you can also use the command openssl md5 < instead. A DOS/Windows implementation of the md5 command is available from http://www.fourmilab.ch/md5/.
You should check, if the resulting checksum matches the one provided in this email to the left the respective filename:

------- End of forwarded message -------

"I don't have time to be impatient."

Alan R. Vidmar
Assistant Director of IT
Office of Financial Aid
University of Colorado
Alan.Vidmar@Colorado.EDU
(303)492-3598

*** This message printed with 100% recycled electrons ***
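
The verification step the alert describes, automated as an added example (not part of the forwarded message or of any Sendmail tooling): it reads checksum lines in the `MD5(path)= digest` form that `openssl md5` prints and compares each one with the downloaded file, using `md5sum`, `openssl md5` or `md5`, whichever is installed. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify files against "MD5(path)= digest" checksum lines.

# Print the hex MD5 of file $1 using whichever tool this system has.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum < "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then openssl md5 < "$1" | awk '{print $NF}'
    elif command -v md5 >/dev/null 2>&1; then md5 < "$1"
    else echo "no MD5 tool found" >&2; return 2
    fi
}

# verify_list LIST DIR: check every entry in LIST against the file under DIR.
# Returns 0 only if all listed files exist and match.
verify_list() {
    list=$1; dir=$2; bad=0
    pat='^MD5(\(.*\))= *\([0-9A-Fa-f]\{32\}\) *$'
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n "s/$pat/\1/p")
        want=$(printf '%s\n' "$line" | sed -n "s/$pat/\2/p" | tr 'A-F' 'a-f')
        [ -n "$name" ] || continue          # not a checksum line
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1)); continue
        fi
        got=$(md5_of "$dir/$name") || return 2
        if [ "$got" = "$want" ]; then echo "OK       $name"
        else echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# Constructed sample, not the vendor's files: CONTENTS matches its listed
# digest (the RFC 1321 test vector for "abc"); README was changed afterwards.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/Patch"
    printf 'abc' > "$d/Patch/CONTENTS"
    printf 'changed' > "$d/Patch/README"
    cat > "$d/sums.txt" <<'EOF'
MD5(Patch/CONTENTS)= 900150983cd24fb0d6963f7d28e17f72
MD5(Patch/README)= d41d8cd98f00b204e9800998ecf8427e
EOF
    verify_list "$d/sums.txt" "$d"; rc=$?
    rm -rf "$d"; return "$rc"
}

demo || echo "at least one file failed verification"
```

Save the checksum portion of the message to a file and call `verify_list sums.txt .` from the directory that holds the downloaded patch tree; a non-zero exit status means at least one file is missing or does not match.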