[CentOS] Re: Sendmail Segfaults

Tue Sep 19 19:41:12 UTC 2006
Daniel Senie <dts at senie.com>

At 07:44 PM 9/18/2006, Scott Silva wrote:
>Alexander Dalloz spake the following on 9/18/2006 4:14 PM:
> > Scott Silva schrieb:
> >
> >> Has anybody else been seeing a lot of sendmail segfaults since yesterday?
> >> I got over 2300 yesterday alone, and haven't got done counting today's.
> >>
> > You are maybe the target of an attack using a known vulnerability of
> > Sendmail < 8.13.8.
> >
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4434
> >
> > Alexander
>Is there a good repo with a newer sendmail than in CentOS 4.4?

Note that Red Hat has been back-porting patches into sendmail 8.12.x
rather than supplying 8.13.x as a bug fix. As a result, the patched
8.12.x might not be vulnerable to issues despite CVE statements that
all versions before X are vulnerable. That said, I haven't looked to
see if Red Hat has indeed patched up sendmail to deal with this
particular vulnerability.

This also points out one of my concerns with the RHEL distribution 
(we have lots of copies we pay RH for, and a few we use CentOS for). 
For some packages, we'd REALLY like a choice of staying on the 
present train, or moving forward. In our case, sendmail-8.13 would be 
useful, and php-5.x would be useful. If there were the possibility of 
getting those -- including bug fixes for security updates via normal 
patch installation methods -- we would be much happier.
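
Added example, not part of the original message: a shell sketch of the check the back-porting point implies, comparing the upstream version against the fixed release and then looking for the CVE id in the package changelog. The function names, the version 8.12.0 and the sample changelog are constructed for illustration; `sort -V` assumes GNU coreutils.

```shell
#!/bin/sh
# Why "version < fixed release" alone is not a verdict on a distribution
# that back-ports fixes: the package changelog has to be consulted too.

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# cve_status UPSTREAM_VER FIXED_VER CVE_ID   (changelog text on stdin)
# Prints: not-affected-by-version | fixed-by-backport | needs-review
cve_status() {
    upstream=$1 fixed=$2 cve=$3
    if ! version_lt "$upstream" "$fixed"; then
        echo "not-affected-by-version"
        return 0
    fi
    # -w stops a longer id (e.g. ...44345) from matching by prefix.
    if grep -q -i -w -- "$cve"; then
        echo "fixed-by-backport"
    else
        echo "needs-review"
    fi
}

# Constructed changelog in RPM layout; not taken from any real package.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2001 Example Packager <packager@example.com> 8.12.0-0.example.2
- backport upstream fix for CVE-2006-4434 (constructed entry)

* Sun Dec 31 2000 Example Packager <packager@example.com> 8.12.0-0.example.1
- rebuild
EOF
}

# Demo on the constructed data. On a real host the input would be:
#   rpm -q --changelog sendmail | cve_status <upstream-version> 8.13.8 CVE-2006-4434
sample_changelog | cve_status 8.12.0 8.13.8 CVE-2006-4434
```

A `needs-review` result only means the changelog does not name the CVE; the vendor's advisory for the package remains the authoritative answer.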