Posted to server-user@james.apache.org by "Gary L. Harris" <gh...@wvinternet.com> on 2003/03/04 17:41:05 UTC

Sendmail Buffer Overflow

Is James affected by this?
CERT® Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

Gary Harris
wvinternet.com



---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org


Re: Sendmail Buffer Overflow

Posted by Serge Knystautas <se...@lokitech.com>.
Gary L. Harris wrote:
> Is James affected by this?
> CERT® Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

Yes in that more people may consider using James.

-- 
Serge Knystautas
President
Lokitech >> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com




Re: Sendmail Buffer Overflow

Posted by bill parducci <bi...@parducci.net>.
not directly. completely different code base.

b

Gary L. Harris wrote:
> Is James affected by this?
> CERT® Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
> 
> Gary Harris
> wvinternet.com




RE: Sendmail Buffer Overflow

Posted by "Noel J. Bergman" <no...@devtech.com>.
> Is James affected by [CERT® Advisory CA-2003-07 Remote Buffer Overflow in
> Sendmail]

No.  There are no known exploits for James.

Furthermore, because James doesn't need root privileges other than to
access the IANA-specified ports for the public services, a deployment can
use port forwarding to allow James to run as a non-root process.  A tradeoff
is that a malicious non-root process could spoof the service (this is why
there are restrictions on port use in the first place), but that tradeoff is
manageable in many situations.

	--- Noel
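
The port-forwarding deployment described in the message above, sketched as an added example that is not part of the original thread or of the James project. The unprivileged ports (2525, 2110, 2119), the `james` account name and the sample `lsof` lines are assumptions constructed for illustration; the second function checks for the spoofing tradeoff by flagging any forwarded port held by another account.

```shell
#!/bin/sh
# Added example: run James as non-root behind NAT redirects, and audit who
# actually owns the unprivileged listeners.
# Assumed mapping public:unprivileged for SMTP, POP3, NNTP (hypothetical
# high ports; James must be configured to listen on the same values).
JAMES_PORT_MAP="25:2525 110:2110 119:2119"

# Print (do not apply) one iptables REDIRECT rule per mapping.
# PREROUTING only rewrites traffic arriving from the network.
james_redirect_rules() {
    for pair in $JAMES_PORT_MAP; do
        pub=${pair%%:*}
        priv=${pair##*:}
        # A target below 1024 would still need root to bind: reject it.
        if [ "$priv" -lt 1024 ]; then
            echo "error: target port $priv is privileged" >&2
            return 1
        fi
        echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $priv"
    done
}

# Read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print "port user"
# for every forwarded port bound by an account other than the expected one.
unexpected_listeners() {
    expected=$1
    ports=$(for pair in $JAMES_PORT_MAP; do printf '%s ' "${pair##*:}"; done)
    awk -v want="$expected" -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $NF == "(LISTEN)" {
            port = $9; sub(/.*:/, "", port)      # "*:2525" -> "2525"
            if ((port in watch) && $3 != want) print port, $3
        }'
}

# Constructed sample input: two listeners owned by james, one by another user.
SAMPLE_LSOF='COMMAND  PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
java    4121 james 45u IPv4 31337 0t0 TCP *:2525 (LISTEN)
java    4121 james 46u IPv4 31338 0t0 TCP *:2110 (LISTEN)
perl    5150 guest  3u IPv4 31400 0t0 TCP *:2119 (LISTEN)'

james_redirect_rules
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners james
```

Any line printed by `unexpected_listeners` means traffic redirected from a public port is reaching a process that is not James.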




RE: Host connect issue

Posted by "Noel J. Bergman" <no...@devtech.com>.
> James - 2.0a2

v2.1.2 is the current version.  No idea what problems might have existed in
v2.0a2.  There were 100s of fixes and enhancements between 2.0a3 and 2.1.0
alone.  I do know that some of them were related to proper handling of
permanent and temporary errors, because I made some of those changes.

	--- Noel




Host connect issue

Posted by Shal Jain <sh...@intertechsys.com>.
OS - Win2K
James - 2.0a2

Every so often sending emails through james to the host listed below fails.
I haven't had a chance to dig through the logs (they are kinda huge)   (I
have replaced the username w/ [some user] )

However, sending email through Exchange works just fine.
What should I be looking for?


-- bounce from James --

Hi. This is the James mail server at [my host name]
I'm afraid I wasn't able to deliver your message
to the following addresses.
This is a permanent error; I've given up. Sorry it
didn't work out.

[some user]@aol.com
Could not connect to SMTP host: mailin-03.mx.aol.com.,
port: 25





RE: Sendmail Buffer Overflow

Posted by Danny Angus <da...@apache.org>.
No.
Absolutely not.

Following the instructions here: http://james.apache.org/james_and_sendmail.html
will show you how you can use James for outbound traffic and thereby protect yourself from this vulnerability by restricting sendmail to access by local users only, with no open ports.

d.


> -----Original Message-----
> From: Gary L. Harris [mailto:gharris@wvinternet.com]
> Sent: 04 March 2003 16:41
> To: James Users List
> Subject: Sendmail Buffer Overflow
> 
> 
> Is James affected by this?
> CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
> 
> Gary Harris
> wvinternet.com

