Update sendmail due to vulnerability in 8.14.3
Bug #604996 reported by Dan Sargeant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sendmail (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: sendmail
I have had a PCI vulnerability scan (credit card compliance) that failed due to the null character vulnerability in the package available from the repository for lucid (8.14.3). See http://
Is it possible for someone to update the package to version 8.14.4 to fix this vulnerability?
Thanks
Hi,
The sendmail package in lucid has already been fixed for that issue. From the changelog:
```
sendmail (8.14.3-9.1) unstable; urgency=high
  * Non-maintainer upload by the Security Team.
  * Fixed CVE-2009-4565: incorrect verification of SSL certificate with NUL in
    name (Closes: #564581)
```
It would appear your PCI vulnerability scan is simply looking at the version in the banner to determine if it's vulnerable or not, which isn't the right approach. Either tell your PCI compliance scanner vendor to fix their scanner or configure sendmail not to display the version number in the banner.
See: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
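A worked example of the banner change suggested in the comment above, added here and not part of the bug report or of Ubuntu's sendmail packaging; it assumes the Debian-style m4 source at /etc/mail/sendmail.mc and that sendmail.cf is regenerated afterwards (for example with sendmailconfig) before the daemon is restarted. The sample greeting shown in the comments is constructed for illustration.

```m4
dnl Added example, not from the bug report or the Ubuntu package.
dnl Assumed file: /etc/mail/sendmail.mc (regenerate sendmail.cf after editing).

dnl Weak (the built-in default, in effect when confSMTP_LOGIN_MSG is unset):
dnl the greeting expands $v (sendmail version) and $Z (config version), so
dnl the 220 line looks roughly like this constructed sample:
dnl   220 mail.example.com ESMTP Sendmail 8.14.3/8.14.3; Wed, 14 Jul 2010 ...
dnl A scanner that matches "8.14.3" here cannot see the backported fix that
dnl the 8.14.3-9.1 changelog entry describes.
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail $v/$Z; $b')dnl

dnl Hardened: keep the canonical hostname ($j) and the date ($b), which the
dnl greeting is expected to carry, and drop $v and $Z so no version string
dnl is disclosed to clients or scanners.
define(`confSMTP_LOGIN_MSG', `$j; $b')dnl

dnl Verify after the restart, from the host itself, that the new greeting
dnl contains no version number:
dnl   printf 'QUIT\r\n' | nc -w 3 localhost 25 | head -n 1
```

Hiding the version only stops the false positive; the actual fix for CVE-2009-4565 is the patched 8.14.3-9.1 package, so keep confirming the installed package version with the package manager rather than with the banner.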