Sendmail Update a Risk?

Support for security such as Firewalls and securing linux
Likeless
Posts: 12
Joined: 2008/04/17 21:11:54

Post by Likeless » 2009/06/15 19:39:31

I'm using the security scanning service from www.controlscan.com, and recently it started failing my box for this error:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1490

yum update sendmail gives me one package that is already installed, and I have tried to figure this out, in particular with reference to this thread:
https://www.centos.org/modules/newbb/vi ... e=threaded

But what I don't understand is that this advisory came up recently, and with no Sendmail patches for a while, I don't see how my yum installed version can be patched for this.

Is CentOS 4 safe from this issue? Is Controlscan just getting it wrong?

AlanBartlett
Forum Moderator
Posts: 9311
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Post by AlanBartlett » 2009/06/16 13:39:16

"Is CentOS 4 safe from this issue? Is Controlscan just getting it wrong?"

You can answer the first question by looking at the change log for the CentOS / RHEL package.

To your second question, I will suggest that probably is the correct answer. Most of these systems offer wrong "advice", as they are naively constructed without an understanding of upstream's policy of back-porting security fixes and just look at a package version number.

In general, I would advise that you keep your system fully up to date -- you should be using CentOS 4.7 at present. (C 4.8 is currently in the QA phase, if I am not mistaken.)
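
The changelog check suggested in the reply above, as an added example that is not part of the original thread: a small shell filter that reports which RPM changelog entries mention a given CVE ID, which is how a back-ported fix shows up when the package version number has not changed. The function names, the sample changelog and the CVE IDs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example. Real use on the scanned box (output not shown here):
#   rpm -q --changelog sendmail | cve_entries <CVE-ID>
# RPM changelog entries start with "* <date> <packager> - <version-release>"
# and are followed by "- " detail lines.

cve_entries() {
    # $1 = CVE ID to look for; changelog text on stdin.
    # Prints the header line of every entry that mentions the ID.
    # Exit status 0 if at least one entry matched, 1 otherwise.
    awk -v id="$1" '
        /^\* / { header = $0; shown = 0; next }      # start of a new entry
        header != "" && !shown {
            # Compare whole tokens so CVE-2099-0001 does not match CVE-2099-00012.
            n = split($0, tok, /[^A-Za-z0-9-]+/)
            for (i = 1; i <= n; i++)
                if (toupper(tok[i]) == toupper(id)) {
                    print header; shown = 1; found = 1; break
                }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample changelog (placeholder package, packager and CVE ID).
sample_changelog() {
cat <<'EOF'
* Mon Jun 01 2099 Example Packager <pkg@example.invalid> - 1.2.3-4.el0
- backport fix for CVE-2099-0001 (constructed entry)

* Fri Jan 02 2098 Example Packager <pkg@example.invalid> - 1.2.3-3.el0
- rebuild
EOF
}

# Demo: prints the header of the entry that carries the back-ported fix.
sample_changelog | cve_entries CVE-2099-0001
```

A match gives the version-release in which the distribution applied the fix, which can be compared with the output of `rpm -q` for the installed package.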