> -----Original Message-----
> From: US-CERT Technical Alerts [mailto:technical-alerts@xxxxxxxxxxx]
> Sent: Wednesday, March 22, 2006 8:11 PM
> To: technical-alerts@xxxxxxxxxxx
> Subject: US-CERT Technical Cyber Security Alert TA06-081A -- Sendmail Race Condition Vulnerability
>
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA06-081A
>
>
> Sendmail Race Condition Vulnerability
>
> Original release date: March 22, 2006
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> Sendmail versions prior to 8.13.6.
>
>
> Overview
>
> A race condition in Sendmail may allow a remote attacker to execute
> arbitrary code.
>
>
> I. Description
>
> Sendmail contains a race condition caused by the improper handling of
> asynchronous signals. In particular, by forcing the SMTP server to have an
> I/O timeout at exactly the correct instant, an attacker may be able to
> execute arbitrary code with the privileges of the Sendmail process.
>
> Details, including statements from affected vendors, are available in the
> following Vulnerability Note:
> VU#834865 - Sendmail contains a race condition
> A race condition in Sendmail may allow a remote attacker to execute
> arbitrary code.
> (CVE-2006-0058)
>
> Please refer to the Sendmail MTA Security Vulnerability Advisory and the
> Sendmail version 8.13.6 release page for more information.
>
>
> II. Impact
>
> A remote, unauthenticated attacker could execute arbitrary code with the
> privileges of the Sendmail process. If Sendmail is running as root, the
> attacker could take complete control of an affected system.
>
>
> III. Solution
>
> Upgrade Sendmail
>
> Sendmail version 8.13.6 has been released to correct this issue. In
> addition to VU#834865, Sendmail 8.13.6 addresses other security issues and
> potential weaknesses in the Sendmail code.
>
> Patches to correct this issue in Sendmail versions 8.12.11 and 8.13.5 are
> also available.
>
>
> Appendix A. References
>
> * US-CERT Vulnerability Note VU#834865 - <http://www.kb.cert.org/vuls/id/834865>
>
> * Sendmail version 8.13.6 - <http://www.sendmail.org/8.13.6.html>
>
> * Sendmail MTA Security Vulnerability Advisory - <http://www.sendmail.com/company/advisory>
>
> * Sendmail version 8.12.11 Patch - <ftp://ftp.sendmail.org/pub/sendmail/8.12.11.p0>
>
> * Sendmail version 8.13.5 Patch - <ftp://ftp.sendmail.org/pub/sendmail/8.13.5.p0>
>
> * CVE-2006-0058 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058>
>
>
> ____________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA06-081A.html>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert@xxxxxxxx> with "TA06-081A Feedback VU#834865" in the
> subject.
> ____________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
> Produced 2006 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
> Revision History
>
> Mar 22, 2006: Initial release
>
>
>
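
A triage check derived from the alert's "Systems Affected" line (versions prior to 8.13.6), added here as an example; it is not part of the US-CERT alert or of Sendmail. It assumes a POSIX sh and that `sendmail -d0.1` prints a `Version X.Y.Z` banner on the host; the sample banner in the code is constructed. A patched 8.12.11 or 8.13.5 build may still report its original version string, so an "affected" result is a prompt to verify the patch level, not proof of exposure.

```shell
#!/bin/sh
# Fixed release named in TA06-081A; anything that sorts below it is in the
# "Systems Affected" range.
FIXED_VERSION="8.13.6"

# version_lt A B : return 0 (true) if dotted version A sorts before B.
# Components are compared numerically; a missing component counts as 0,
# so 8.13 is treated as 8.13.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        a_part="${a%%.*}"; b_part="${b%%.*}"
        [ -z "$a_part" ] && a_part=0
        [ -z "$b_part" ] && b_part=0
        if [ "$a_part" -lt "$b_part" ]; then return 0; fi
        if [ "$a_part" -gt "$b_part" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1   # versions are equal
}

# sendmail_affected VERSION : 0 if VERSION is below 8.13.6, 1 otherwise.
# Caveat: vendor-patched 8.12.11 / 8.13.5 builds may keep their version
# string, so confirm the patch before treating a hit as exploitable.
sendmail_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# parse_sendmail_version : read the debug banner on stdin and print the
# version number from its "Version X.Y.Z" line (first match only).
# On a live host: sendmail -d0.1 -bt </dev/null | parse_sendmail_version
parse_sendmail_version() {
    sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Constructed sample banner (hypothetical host output, not captured data).
SAMPLE_BANNER="Version 8.13.5
 Compiled with: DNSMAP LOG MATCHGECOS MILTER NAMED_BIND"

# check_sample : run the whole pipeline on the constructed banner;
# prints the verdict and returns 0 if affected.
check_sample() {
    v=$(printf '%s\n' "$SAMPLE_BANNER" | parse_sendmail_version)
    if sendmail_affected "$v"; then
        echo "sendmail $v: below $FIXED_VERSION, verify patch level (VU#834865)"
        return 0
    fi
    echo "sendmail $v: at or above $FIXED_VERSION"
    return 1
}
```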