Rapid7 Vulnerability & Exploit Database

CESA-2007:0252: sendmail security and bug fix update

Back to Search

CESA-2007:0252: sendmail security and bug fix update

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
03/27/2007
Created
07/25/2018
Added
03/12/2010
Modified
07/04/2017

Description

Updated sendmail packages that fix a security issue and various bugs are now available for CentOS Linux 4. This update has been rated as having low security impact by the CentOS Security Response Team.

Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver mail from one machine to another. Sendmail is not a client program, but rather a behind-the-scenes daemon that moves email over networks or the Internet to its final destination. The configuration of Sendmail on CentOS Linux was found to not reject the "localhost.localdomain" domain name for e-mail messages that came from external hosts. This could have allowed remote attackers to disguise spoofed messages (CVE-2006-7176). This updated package also fixes the following bugs: * Infinite loop within tls read. * Incorrect path to selinuxenabled in initscript. * Build artifacts from sendmail-cf package. * Missing socketmap support. * Add support for CipherList configuration directive. * Path for aliases file. * Failure of shutting down sm-client. * Allows to specify persistent queue runners. * Missing dnl for SMART_HOST define. * Fixes connections stay in CLOSE_WAIT. All users of Sendmail should upgrade to these updated packages, which contains backported patches to resolve these issues.

Solution(s)

  • centos-upgrade-sendmail
  • centos-upgrade-sendmail-cf
  • centos-upgrade-sendmail-devel
  • centos-upgrade-sendmail-doc

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;