[8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994.UPDATE

This advisory has been sent to:

        comp.security.unix
        Sun Microsystems        

===============================================================================
                  [8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994.UPDATE


PROGRAM:

	sendmail(8)

UPDATE:

	After further investigation, it has been discovered that SVR4 based
	ports include sendmail(8) based on SMI code.  This code therefore
	is affected by the problem discussed in:

	[8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994

	Any systems running SMI sendmail(8) should follow advice given in
	this advisory, and remove any set bits on sendmail(8).

	To give more time to administrators to fix this problem, and due
	to other problems being published this week, the exploit script
	will now be posted at 00:00GMT on Monday 6th February 1995.

	To retrieve these details, send a mail containing the line:

		send [8lgm]-Advisory-16.UNIX.sendmail-6-Dec-1994-EXPLOIT

	to 8lgm-fileserver@bagpuss.demon.co.uk.  Requests for the script
	to be sent before this date will be directed to /dev/null.

FIX:

	We recommend that security conscious sites upgrade immediately
	to UCB Sendmail 8.6.9, as Suns sendmail is generally recognised
	as being broken.  Your options are:

	1. Obtain patch from your vendor.

	2. Build and install sendmail 8.6.9, available from:
	   ftp.cs.berkeley.edu:/ucb/sendmail/sendmail.8.6.9.*

	3. Remove set bits from any SMI sendmail(8) binaries.

FEEDBACK AND CONTACT INFORMATION:

        8lgm-request@bagpuss.demon.co.uk        (Mailing list additions -
						 processed automatically;
						 just send any message)

        8lgm@bagpuss.demon.co.uk                (Everything else)


	NB: 8lgm-bugs@bagpuss.demon.co.uk has been closed.

8LGM MAILING LIST:

	Send any message to 8lgm-request@bagpuss.demon.co.uk and the
	address you mail from will automatically be added to the list.

	If you need to subscribe to an address you cannot mail from
	(eg an alias), send mail to 8lgm@bagpuss.demon.co.uk and request
	to be added to the list.  Due to our mail volume, we appreciate
	it if you can use 8lgm-request instead; thus if	you need to
	subscribe an alias, please look into using, say sendmail -f,
	if possible.

8LGM FILESERVER:

	All [8LGM] advisories may be obtained via the [8LGM] fileserver.
	For details, 'echo help | mail 8lgm-fileserver@bagpuss.demon.co.uk'
===========================================================================