FOR    OFFICIAL    DOE    USE    ONLY
________________________________________________________________________
    THE COMPUTER INCIDENT ADVISORY CAPABILITY

         CIAC

      INFORMATION BULLETIN
________________________________________________________________________

    Vulnerability in SUN sendmail program


January 29, 1990, 0900 PST                              Number A-16

CIAC has been advised of a new vulnerability in the SUN sendmail
program.  This vulnerability (SUN bug #1028173) exists in all versions
of SUN OS (version 4.1, 4.0.3 on SUN 3, SUN 4, as well as SUN 386i
systems, for which version 4.0.2 is the most current version).  This
vulnerability has been exploited in several recent Internet breakins.

You may obtain a patch directly from SUN by calling (800) USA-4SUN, or
may obtain SUN 3 and 4 sendmail binaries using anonymous FTP from
uunet.uu.net in the /sun-fixes directory.  CIAC can also provide you
with a patch for this vulnerability.

Recent versions of UNIX systems other than SUN OS systems contain a 
sendmail fix.  CIAC encourages you to consult with your vendor about 
upgrading to a recent release if the version you are running does not 
have this fix.

If you have questions, please contact CIAC.
 
        Tom Longstaff  
  (415) 423-4416 or (FTS) 543-4416
  FAX: (FTS) 543-0913 or (415) 294-5054  

CIAC's business hours phone number is (415) 422-8193 or (FTS)
532-8193.  CIAC's 24-hour emergency hot-line number is (415) 971-9384. 
If you call the emergency number and there is no answer, please leave 
a voice mail message.  Someone will return your call promptly.  You may 
also send e-mail to:

  ciac@tiger.llnl.gov           

This bulletin is based on information supplied by the Computer
Emergency Response Team Coordination Center.  Neither the United
States Government nor the University of California nor any of their
employees, makes any warranty,  expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.