Mandrake Linux Security Advisory : sendmail (MDKSA-2003:042-1)

critical Nessus Plugin ID 14026

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

Michal Zalweski discovered a vulnerability in sendmail versions earlier than 8.12.9 in the address parser, which performs insufficient bounds checking in certain conditions due to a char to int conversion.
This vulnerability makes it poissible for an attacker to take control of sendmail and is thought to be remotely exploitable, and very likely locally exploitable. Updated packages are available with patches applied (the older versions), and the new fixed version is available for Mandrake Linux 9.1 users.

Update :

The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed.
This has been fixed and as a result the md5sums have changed. Thanks to Mark Lyda for pointing this out.

Solution

Update the affected packages.

Plugin Details

Severity: Critical

ID: 14026

File Name: mandrake_MDKSA-2003-042.nasl

Version: 1.22

Type: local

Published: 7/31/2004

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:sendmail, p-cpe:/a:mandriva:linux:sendmail-cf, p-cpe:/a:mandriva:linux:sendmail-devel, p-cpe:/a:mandriva:linux:sendmail-doc, cpe:/o:mandrakesoft:mandrake_linux:9.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 4/3/2003

Reference Information

CVE: CVE-2003-0161

CERT-CC: CA-2003-12

MDKSA: 2003:042-1