Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Re: Package sendmail-tls with openssl vulnerability?
On Thu, Sep 19, 2002 at 06:17:20PM +0200, Roman Drahtmueller wrote:

> I just had a brief talk with the maintainer of the SuSE sendmail-tls
> package a few doors down the hallway. He said that he regrets that
> sendmail-tls is statically linked, but it was a requirement from a time
> long ago, imposed by a customer. So I guess that customer is to blame.
>
> Olaf will send out an announcement in a few minutes that should clarify
> the missing snippets in the puzzle for everybody. In fact, more packages
> other than just the openssl packages need to be updated in some rare
> cases.

Does that mean that one has to wait quite long until sendmail-tls gets
updated (or becomes a dynamically linked package)? Since there are
already several exploits of apache ssl, I think it's too risky to run a
vulnerable sendmail-tls.

I hope this hint is okay: To deactivate TLS in sendmail it seems to be
sufficient to insert a wrong filename in the line "O ServerCertFile=..."

Of course I'd prefer to have a working sendmail-tls. Otherwise I'll get
a lot of questions from people who wonder why they cannot send mails any
more...

> Stand by.

OK. How long?

Thanks and bye,
Hatto
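
Added example, not part of the original mail: one way to check whether the workaround described above took effect is to compare the `ServerCertFile` value in sendmail.cf with whether the running daemon still advertises STARTTLS in its EHLO reply. The host, port and sendmail.cf path in `check_live` are assumptions, and the sample data is constructed.

```python
import os
import re
import smtplib

# Long-form option line named in the mail: "O ServerCertFile=..."
_CERT_OPT = re.compile(r"^O\s+ServerCertFile\s*=\s*(\S+)", re.MULTILINE)

def server_cert_file(cf_text):
    """Return the ServerCertFile value from sendmail.cf text (last active
    occurrence; lines commented out with '#' are ignored), or None."""
    found = _CERT_OPT.findall(cf_text)
    return found[-1] if found else None

def starttls_advertised(ehlo_reply):
    """True if a raw multi-line EHLO reply lists the STARTTLS keyword."""
    lines = ehlo_reply.splitlines()
    for line in lines[1:]:  # first line is the greeting, not an extension
        m = re.match(r"250[- ](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

def check_live(host="localhost", port=25, cf_path="/etc/sendmail.cf"):
    """Compare the config with what the running daemon offers.
    host, port and cf_path are assumptions; adjust for the local system."""
    with open(cf_path) as fh:
        cert = server_cert_file(fh.read())
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        offered = smtp.has_extn("starttls")
    return {"cert_file": cert,
            "cert_exists": bool(cert) and os.path.exists(cert),
            "starttls_offered": offered}

# Constructed sample data (not taken from a real host).
SAMPLE_CF = ("#O ServerCertFile=/etc/mail/old.pem\n"
             "O ServerCertFile=/etc/mail/DISABLED.pem\n")
EHLO_TLS = "250-mx.example.org Hello client\r\n250-SIZE\r\n250-STARTTLS\r\n250 HELP"
EHLO_PLAIN = "250-mx.example.org Hello client\r\n250-SIZE\r\n250 HELP"

if __name__ == "__main__":
    print(server_cert_file(SAMPLE_CF))
    print(starttls_advertised(EHLO_TLS), starttls_advertised(EHLO_PLAIN))
```

If `starttls_offered` is still true after the configuration change and a daemon restart, the workaround has not taken effect on that host.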

