(Fwd) Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-06

Russ Allbery rra at stanford.edu
Thu Sep 18 02:27:21 UTC 2003


Forrest J Cavalier <mibsoft at epix.net> writes:

> So, have we ever decided about INN silently picking any old sendmail
> found during configure?

No one's objecting except you and no one is really supporting except me,
so no, not really.  I'm going to post on news.software.nntp and ask, and
hopefully we can get more opinions.

More and more, though, I'm becoming convinced that the right way of
handling this is to search /usr/sbin and /usr/lib *only*, and *never*
search the user's PATH, since it's the PATH search that picks up the
random old copies of sendmail, not any of the rest.

Please note that I continue to believe that the fact that sendmail has
vulnerabilities is completely irrelevant to this discussion, since I think
the old behavior is just as likely if not more so to pick up the wrong
sendmail than the behavior I'm advocating.  So pointing out that sendmail
has vulnerabilities is not going to convince me.  :)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
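
The difference between the two search strategies discussed in the message above, as an added example that is not part of the original post and is not INN's configure code. The function names and the temporary directory tree (including the stray copy under `home/user/bin`) are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; hypothetical helper names, not INN's configure script.

# Print the first executable regular file named "sendmail" found in the
# given directories, in order. Only absolute directories are considered
# and PATH is never consulted.
find_sendmail_fixed() {
    for dir in "$@"; do
        case $dir in
            /*) ;;              # absolute: acceptable
            *)  continue ;;     # relative entries are skipped
        esac
        if [ -f "$dir/sendmail" ] && [ -x "$dir/sendmail" ]; then
            printf '%s\n' "$dir/sendmail"
            return 0
        fi
    done
    return 1
}

# Contrast: resolve "sendmail" through a PATH string, the way a
# PATH-based configure probe would. Runs in a subshell so the caller's
# PATH is left alone.
find_sendmail_path() {
    ( PATH=$1; command -v sendmail )
}

# Build a constructed tree with a system copy and a stray copy in a
# user's bin directory, then run both searches against it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/sbin" "$root/usr/lib" "$root/home/user/bin"
    for f in "$root/usr/sbin/sendmail" "$root/home/user/bin/sendmail"; do
        printf '#!/bin/sh\nexit 0\n' > "$f"
        chmod +x "$f"
    done
    by_path=$(find_sendmail_path "$root/home/user/bin:$root/usr/sbin")
    by_fixed=$(find_sendmail_fixed "$root/usr/sbin" "$root/usr/lib")
    printf 'PATH search:  %s\n' "${by_path#"$root"}"
    printf 'fixed search: %s\n' "${by_fixed#"$root"}"
    rm -rf "$root"
}

demo
```
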


More information about the inn-workers mailing list