Mailinglist Archive: opensuse-security (375 mails)
Re: [suse-security] Re: Package sendmail-tls with openssl vulnerability?
- From: Hatto von Hatzfeld <hatto@xxxxxxxxxxxxx>
- Date: Tue, 24 Sep 2002 22:04:17 +0200
- Message-id: <20020924220417.B2796@pinguin>
On Thu, Sep 19, 2002 at 06:17:20PM +0200, Roman Drahtmueller wrote:
> I just had a brief talk with the maintainer of the SuSE sendmail-tls
> package a few doors down the hallway. He said that he regrets that
> sendmail-tls is statically linked, but it was a requirement from a time
> long ago, imposed by a customer. So I guess that customer is to blame.
>
> Olaf will send out an announcement in a few minutes that should clarify
> the missing snippets in the puzzle for everybody. In fact, more packages
> other than just the openssl packages need to be updated in some rare
> cases.

Does that mean that one has to wait quite long until sendmail-tls gets
updated (or becomes a dynamically linked package)? Since there are
already several exploits of apache ssl, I think it's too risky to run a
vulnerable sendmail-tls.

I hope this hint is okay: To deactivate TLS in sendmail it seems to be
sufficient to insert a wrong filename in the line "O ServerCertFile=..."

Of course I'd prefer to have a working sendmail-tls. Otherwise I'll get
a lot of questions from people who wonder why they cannot send mails any
more...

> Stand by.

OK. How long?

Thanks and bye,
Hatto
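
A check for the workaround mentioned in the message above, as an added example that is not part of the original post: it parses an SMTP EHLO reply and reports whether STARTTLS is still advertised after the change. The sample replies, the host names and the `fetch_ehlo` helper are constructed for illustration.

```python
import socket

# Constructed sample EHLO replies (not captured from a real server).
REPLY_TLS_ON = """250-mail.example.org Hello client.example.org, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 HELP"""
REPLY_TLS_OFF = """250-mail.example.org Hello client.example.org, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 HELP"""

def ehlo_extensions(reply):
    """Return the upper-cased extension keywords of a raw multi-line EHLO reply."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines or any(l[:3] != "250" or l[3:4] not in "- " for l in lines):
        raise ValueError("not a successful EHLO reply")
    # Line 1 is the greeting; every later line starts with one extension keyword.
    return {l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()}

def starttls_advertised(reply):
    """True if the server still offers STARTTLS in this EHLO reply."""
    return "STARTTLS" in ehlo_extensions(reply)

def _read_reply(f):
    """Read one SMTP reply; continuation lines carry '-' after the code."""
    out = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        out.append(line)
        if line[3:4] != "-":  # final line of the reply, or EOF
            return "\n".join(out)

def fetch_ehlo(host, port=25, timeout=10.0):
    """Hypothetical helper: fetch the live EHLO reply from your own server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)  # discard the 220 banner
        s.sendall(b"EHLO check.example.org\r\n")
        reply = _read_reply(f)
        s.sendall(b"QUIT\r\n")
        return reply

if __name__ == "__main__":
    print("TLS configured:", starttls_advertised(REPLY_TLS_ON))
    print("after workaround:", starttls_advertised(REPLY_TLS_OFF))
```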