
Sendmail Queue Processing Data Loss or Denial of Service Vulnerability


Published: 2001-10-06
Updated: 2001-10-06
Severity:
Threat level: Local denial of service
Error type: Design error
Exploitation mode: Server mode

Affected systems
Sendmail Consortium Sendmail 8.9.3
Sendmail Consortium Sendmail 8.10
Sendmail Consortium Sendmail 8.10.1
Sendmail Consortium Sendmail 8.10.2
Sendmail Consortium Sendmail 8.11
   - MandrakeSoft Linux Mandrake 7.2
   - RedHat Linux 7.0
   - RedHat Linux 7.0 alpha
   - RedHat Linux 7.0 i386
   - RedHat Linux 7.0 sparc
   - S.u.S.E. Linux 7.0
   - S.u.S.E. Linux 7.0alpha
   - S.u.S.E. Linux 7.0ppc
   - S.u.S.E. Linux 7.0sparc
Sendmail Consortium Sendmail 8.11.1
   - Caldera OpenLinux Server 3.1
   - Caldera OpenLinux Workstation 3.1
   - Conectiva Linux 6.0
Sendmail Consortium Sendmail 8.11.2
   - RedHat Linux 7.1
   - RedHat Linux 7.1 alpha
   - RedHat Linux 7.1 i386
   - RedHat Linux 7.1 ia64
   - S.u.S.E. Linux 7.1
   - S.u.S.E. Linux 7.1alpha
   - S.u.S.E. Linux 7.1ppc
   - S.u.S.E. Linux 7.1sparc
   - S.u.S.E. Linux 7.1x86
Sendmail Consortium Sendmail 8.11.3
   - MandrakeSoft Corporate Server 1.0.1
   - MandrakeSoft Linux Mandrake 8.0
   - S.u.S.E. Linux 7.2
   - Slackware Linux 7.1
Sendmail Consortium Sendmail 8.11.4
   - Conectiva Linux 7.0
   - Slackware Linux 8.0
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.12beta7
Sendmail Consortium Sendmail 8.12beta5
Sendmail Consortium Sendmail 8.12beta16
Sendmail Consortium Sendmail 8.12beta12
Sendmail Consortium Sendmail 8.12beta10
Sendmail Consortium Sendmail 8.12
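Detailed description
sendmail allows ordinary users to force processing of the entire mail queue unless the administrator disables this feature. When running 'sendmail', a user can change key configuration variables, for example setting the message hop count above the permitted limit, and so trick sendmail during the queue run into discarding the mail in the queue.

Test code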
sendmail -q -h1000

Solution
Upgrade:

Sendmail Consortium Sendmail 8.9.3:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.10:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.10.1:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.10.2:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.11:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.11.1:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.11.2:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.11.3:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.11.4:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.11.5:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.12beta7:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.12beta5:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.12beta16:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.12beta12:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.12beta10:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

Sendmail Consortium Sendmail 8.12:

Sendmail Consortium Upgrade Sendmail 8.12.1
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z
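
The description notes that the administrator can disable user-initiated queue runs; in sendmail this is the `restrictqrun` flag of `PrivacyOptions`. The script below is an added example, not part of the original advisory, that audits a sendmail.cf for that flag; the function names and the sample configuration contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check sendmail.cf for restrictqrun.

# Print the privacy flags set in config file $1, one per line, lower-cased.
# Accepts the long form "O PrivacyOptions=a,b" and the short form "Opa,b";
# repeated lines are treated as cumulative.
privacy_flags() {
    awk '
        function emit(v,    n, i, a) {
            n = split(tolower(v), a, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
        /^O[ \t]+[Pp]rivacy[Oo]ptions[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); emit($0); next }
        /^Op/                                 { sub(/^Op[ \t]*/, "");     emit($0) }
    ' "$1" | sort -u
}

# Succeed only when queue runs are limited to root and the queue owner.
queue_run_restricted() {
    privacy_flags "$1" | grep -qx restrictqrun
}

# Report the result for one configuration file.
audit_cf() {
    if queue_run_restricted "$1"; then
        echo "OK:   $1 sets restrictqrun"
    else
        echo "WARN: $1 lacks restrictqrun; local users can force a queue run"
    fi
}

# Constructed sample configurations so the script runs offline.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.cf" <<'EOF'
O QueueDirectory=/var/spool/mqueue
O PrivacyOptions=authwarnings,novrfy
#O PrivacyOptions=restrictqrun
EOF
cat > "$tmp/hardened.cf" <<'EOF'
O QueueDirectory=/var/spool/mqueue
O PrivacyOptions=authwarnings, novrfy
O PrivacyOptions=restrictqrun
EOF
audit_cf "$tmp/weak.cf"
audit_cf "$tmp/hardened.cf"
```

On a real host, pass the path of the live configuration file to `audit_cf` and restart sendmail after adding the flag.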

Related information