From: Darren_Smith@NeXT.COM (Darren Smith) Newsgroups: comp.sys.next.announce Subject: NeXT Security Bulletin 94:001-sendmail Date: 18 Feb 1994 18:22:00 -0500 Approved: sanguish@digifix.com -------------------------------------------------------------- NeXT SECURITY BULLETIN: NeXT-94:001-sendmail, 16 February 94 -------------------------------------------------------------- PROBLEM: A security vulnerability has been identified in all versions of NEXTSTEP up to and including Release 3.2. This vulnerability, described in CERT advisories CA-93:16 and CA-93:16a, may allow unauthorized remote or authorized local users to gain unauthorized privileges. All sendmail recipient machines within a domain could potentially be vulnerable. SOLUTION: NeXT has corrected this vulnerability and provided a patch containing new binaries for both NeXT and Intel-based computers running NEXTSTEP Release 3.1 or Release 3.2. DETAILS: This patch is available via anonymous FTP from FTP.NEXT.COM in the directory "/pub/NeXTanswers/Files/Patches/SendmailPatch.23950.1". Filename Checksum --------------------------------- --------- 1513_SendmailPatch.ReadMe.rtf 63963 4 1514_SendmailPatch.pkg.compressed 02962 290 This patch is also available via electronic mail by sending a message to NeXTanswers@NeXT.com with a subject line of "1513 1514". The two files noted above will be returned as NeXTmail attachments. This patch is for NEXTSTEP 3.1 and NEXTSTEP 3.2. Instructions for installing this patch are included in the ReadMe file. Note: At the present time, NeXT has no plans to make a patch available for releases of NEXTSTEP prior to Release 3.1. COMMENTS: NeXT recommends that all customers concerned with the security of their NEXTSTEP systems either apply the patch or edit the sendmail configuration files as soon as possible. Questions about this patch should be directed to NeXT's Technical Support Hotline at 1-800-848-NeXT (+1-415-424-8500 if outside the U.S.) or via email to ask_next@NeXT.com.