Mandrake Linux Security Advisory : sendmail (MDKSA-2003:042-1)

Critical Nessus Plugin ID 14026


The remote Mandrake Linux host is missing one or more security updates.


Michal Zalewski discovered a vulnerability in the address parser of sendmail versions earlier than 8.12.9: under certain conditions the parser performs insufficient bounds checking due to a char to int conversion.
This vulnerability makes it possible for an attacker to take control of sendmail and is thought to be remotely exploitable, and very likely locally exploitable. Updated packages are available with patches applied (the older versions), and the new fixed version is available for Mandrake Linux 9.1 users.

Update:

The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed.
This has been fixed and as a result the md5sums have changed. Thanks to Mark Lyda for pointing this out.


Update the affected packages.

Plugin Details

Severity: Critical

ID: 14026

File Name: mandrake_MDKSA-2003-042.nasl

Version: $Revision: 1.19 $

Type: local

Published: 2004/07/31

Modified: 2013/05/31

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:sendmail, p-cpe:/a:mandriva:linux:sendmail-cf, p-cpe:/a:mandriva:linux:sendmail-devel, p-cpe:/a:mandriva:linux:sendmail-doc, cpe:/o:mandrakesoft:mandrake_linux:9.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2003/04/03

Reference Information

CVE: CVE-2003-0161

CERT-CC: CA-2003-12

MDKSA: 2003:042-1