Yellow Dog Linux Security Announcement -------------------------------------- Package: sendmail Issue Date: December 08, 2001 Priority: high Advisory ID: YDU-20011208-4 1. Topic: An input validation error in the debugging functionality of all currently released versions of sendmail can enable a local user to gain root access. 2. Problem: Sendmail has an input validation flaw in part of its debugging code. This flaw could be exploited by an attacker who already has local access to a system and wants to gain root privileges. 3. Solution: a) Updating via yup... We suggest that you use the Yellow Dog Update Program (yup) to keep your system up-to-date. The following command(s) will automatically retrieve and install the fixed version of this update onto your system: yup update sendmail b) Updating manually... The update can also be retrieved manually from our ftp site below along with the rpm command that should be used to install the update. (Please use a mirror site) ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/ rpm -Fvh sendmail-8.11.6-2.7.1.ppc.rpm rpm -Fvh sendmail-cf-8.11.6-2.7.1.ppc.rpm rpm -Fvh sendmail-doc-8.11.6-2.7.1.ppc.rpm 4. Verification MD5 checksum Package -------------------------------- ---------------------------- 8344fdd1b917c6323fb83f69c3cec188 RPMS/sendmail-8.11.6-2.7.1.ppc.rpm 4c6f9a5d7af9b5868115030b2d9526fe RPMS/sendmail-cf-8.11.6-2.7.1.ppc.rpm ec8bee002d91f522b2b000b79146cfb8 RPMS/sendmail-doc-8.11.6-2.7.1.ppc.rpm cd1807df9c67e04ace899a5d63336105 SRPMS/sendmail-8.11.6-2.7.1.src.rpm If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command: rpm --checksig --nogpg filename 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information. For information regarding the usage of yup, the Yellow Dog Update Program, see http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml