Re: Format String Vulnerability in Tripwire
In-Reply-To: <20040604175112.23294.qmail@xxxxxxxxxxxxxxxxxxxxx>
Okay folks, one more time.
We've identified a couple more important bits of information regarding this
vulnerability, mainly that it is present only in the code for processing email
reports when the MAILMETHOD is sendmail. This provides some important points of
clarification:
1) It is not present in our Windows binaries, since sendmail is not an option
on this platform.
2) Another, and probably best yet workaround on *nix, is to change from using
sendmail to SMTP as your email method. This requires setting a couple of
additional configuration variables (SMTPHOST and possibly SMTPPORT).
#2 is true of both our commercial *nix binaries as well as the open source
version.
I'll let everyone know if we uncover additional information regarding this
issue.
Cheers,
Ron Forrester
Security Architect
Tripwire, Inc.