Has CVE-2009-4565 been resolved in RHEL4?


Environment

  • Red Hat Enterprise Linux 4

Issue

  • Can't find sendmail patch for CVE-2009-4565 for RHEL 4

Resolution

  • The RHEL 4 patch for this CVE is aligned against RHEL 4.9.
  • Because the issue affects only uncommon configurations and is non-trivial to exploit, our security team rated it "Low" severity.
  • As an alternative, if TLS/SSL is not required in your environment, you can disable SSL/TLS support in sendmail entirely by commenting out the smtps DAEMON_OPTIONS entry with dnl:

    Sendmail Configuration file:
    
    dnl #
    dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
    dnl #
    
    Output from the server which indicates SSL/TLS is disabled:
    
    [root@localhost mail]# telnet 0 25
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    220 localhost ESMTP Sendmail 8.13.1/8.13.1
    EHLO localhost
    250-localhost Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP
    STARTTLS
    454 4.3.3 TLS not available after start <<<----------------------
    
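The two checks above (the dnl'd DAEMON_OPTIONS line and the EHLO reply without STARTTLS) can be automated. The script below is an added example, not part of the Red Hat article: it flags any DAEMON_OPTIONS line in a sendmail.mc fragment that still enables an SMTP-over-SSL listener (modifier M=s) and parses an EHLO reply to see whether STARTTLS is advertised. The sendmail.mc fragment and EHLO reply are constructed samples modelled on the article's output.

```python
import re

# Constructed sendmail.mc fragment: the smtps listener is commented out with
# dnl (m4 comment), as in the article, and only a plain-SMTP listener remains.
SAMPLE_MC = """dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
"""

# Constructed EHLO reply matching the article's output: no 250-STARTTLS line.
SAMPLE_EHLO = """250-localhost Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
"""


def active_smtps_listeners(mc_text):
    """Return DAEMON_OPTIONS lines that still enable an SMTP-over-SSL listener.
    Lines starting with dnl are m4 comments and are ignored, which is exactly
    what the article's fix relies on. Modifier letters are case-sensitive:
    lower-case 's' means SMTPS."""
    found = []
    for line in mc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("dnl"):
            continue
        m = re.match(r"DAEMON_OPTIONS\(`([^']*)'\)", stripped)
        if not m:
            continue
        mods = re.search(r"\bM=(\w+)", m.group(1))
        if mods and "s" in mods.group(1):
            found.append(stripped)
    return found


def ehlo_extensions(reply_text):
    """Parse a multi-line EHLO reply into the set of advertised keywords,
    skipping the greeting (the first 250- line)."""
    lines = [l for l in reply_text.splitlines() if l.startswith("250")]
    exts = set()
    for line in lines[1:]:
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts


def tls_offered(reply_text):
    """True if the server advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in ehlo_extensions(reply_text)
```

Feed a real EHLO transcript (captured as in the telnet session above) to tls_offered() and the real /etc/mail/sendmail.mc to active_smtps_listeners(); both should come back empty or False once TLS is disabled.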

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
