Archive : 2000 : january : etrn2 - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Re: procmail / Sendmail - five bugs




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Пт, 14 янв 2000  11:33:48

   От: 3APA3A <3APA3A@SECURITY.NNOV.RU>

 Кому: VULN-DEV@SECURITYFOCUS.COM

 Тема: Re: procmail / Sendmail - five bugs

--------------------------------------------------------------------------------




Hello Gregory,



Thursday, January 13, 2000, 8:14:55 PM, you wrote:



lcamtuf>> # maximum number of children we allow at one time

lcamtuf>> O MaxDaemonChildren=15



GNS> Yes, MaxDaemonChildren will avoid this sort of denial of service attack.

GNS> However, the fact that sendmail buffers up commands after a remote side

GNS> drops its connection is a bug.  This bug will be fixed in the next 8.10.0

GNS> beta release.



 O MaxDaemonChildren=15 will avoid system crash and host rebooting but

 not  sendmail  DoS,  because  sendmail will not accept any connection

 until  "frozen" child processes will be killed. The best way to avoid

 this vulnerability is to switch off ETRN feature by

 O PrivacyOptions=noetrn







--

Best regards,

 3APA3A

http://www.security.nnov.ru