[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security fix (Fwd: sendmail 8.12.9 available
- Subject: Security fix (Fwd: sendmail 8.12.9 available
- From: mike at sentex.net (Mike Tancsa)
- Date: Sat Mar 29 11:31:16 2003
From bugtraq :-(
>-----BEGIN PGP SIGNED MESSAGE-----
>Sendmail, Inc., and the Sendmail Consortium announce the availability
>of sendmail 8.12.9. It contains a fix for a critical security
>problem discovered by Michal Zalewski whom we thank for bringing
>this problem to our attention. Sendmail urges all users to either
>upgrade to sendmail 8.12.9 or apply a patch for your sendmail version
>that is part of this announcement. Remember to check the PGP
>signatures of patches or releases obtained via FTP or HTTP (to check
>the correctness of the patches in this announcement please verify
>the PGP signature of it). For those not running the open source
>version, check with your vendor for a patch.
>We apologize for releasing this information today (2003-03-29) but
>we were forced to do so by an e-mail on a public mailing list (that
>has been sent by an irresponsible individual) which contains
>information about the security flaw.
>For a complete list of changes see the release notes down below.
>Please send bug reports to sendmail-bugs_(_at_)_sendmail_(_dot_)_org as usual.
>Note: We have changed the way we digitally sign the source code
>distributions to simplify verification: in contrast to earlier
>versions two .sig files are provided, one each for the gzip'ed
>version and the compressed version. That is, instead of signing the
>tar file, we sign the compressed/gzip'ed files, so you do not need
>to uncompress the file before checking the signature.
>This version can be found at
>and the usual mirror sites.
>You either need the first two files or the third and fourth, i.e.,
>the gzip'ed version or the compressed version and the corresponding
>.sig file. The PGP signature was created using the Sendmail Signing
>Key/2003, available on the web site (http://www.sendmail.org/) or
>on the public key servers.
>Since sendmail 8.11 and later includes hooks to cryptography, the
>following information from OpenSSL applies to sendmail as well.
> PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
> PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
> COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
> SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
> YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
> AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
> ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
> SENDMAIL RELEASE NOTES
> $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $
>This listing shows the version of the sendmail binary, the version
>of the sendmail configuration files, the date of release, and a
>summary of the changes in that release.
> SECURITY: Fix a buffer overflow in address parsing due to
> a char to int conversion problem which is potentially
> remotely exploitable. Problem found by Michal Zalewski.
> Note: an MTA that is not patched might be vulnerable to
> data that it receives from untrusted sources, which
> includes DNS.
> To provide partial protection to internal, unpatched sendmail MTAs,
> 8.12.9 changes by default (char)0xff to (char)0x7f in
> headers etc. To turn off this conversion compile with
> -DALLOW_255 or use the command line option -d82.101.
> To provide partial protection for internal, unpatched MTAs that
> may be
> performing 7->8 or 8->7 bit MIME conversions, the default
> for MaxMimeHeaderLength has been changed to 2048/1024.
> Note: this does have a performance impact, and it only
> protects against frontal attacks from the outside.
> To disable the checks and return to pre-8.12.9 defaults,
> set MaxMimeHeaderLength to 0/0.
> Do not complain about -ba when submitting mail. Problem noted
> by Derek Wueppelmann.
> Fix compilation with Berkeley DB 1.85 on systems that do not
> have flock(2). Problem noted by Andy Harper of Kings
> College London.
> Properly initialize data structure for dns maps to avoid various
> errors, e.g., looping processes. Problem noted by
> Maurice Makaay.
> CONFIG: Prevent multiple application of rule to add smart host.
> Patch from Andrzej Filip.
> CONFIG: Fix queue group declaration in MAILER(`usenet').
> CONTRIB: buildvirtuser: New option -t builds the virtusertable
> text file instead of the database map.
> Revert wrong change made in 8.12.7 and actually use the
> builtin getopt() version in sendmail on Linux.
> This can be overridden by using -DSM_CONF_GETOPT=0
> in which case the OS supplied version will be used.
>Instructions to extract and apply the patches for sendmail:
>The data below is a uuencoded, gzip'ed tar file. Store the data
>between "========= begin patch ========" and "========= end patch
>==========" into a file called "patch.sm" and apply the following
>uudecode -p < patch.sm | gunzip -c | tar -xf -
>This will give you these files (explanation for each file is on
>the left, only "prescan.VERSION.patch" are the files).
>prescan.8.12.8.patch only for 8.12.8, changes version string to 8.12.8p1
>prescan.8.12.patch for 8.12.0 - 8.12.7, does not change version string
>prescan.8.11.6.patch only for 8.11.6, changes version string to 8.11.6p2
>prescan.8.11.patch for 8.11.0 - 8.11.5, does not change version string
>prescan.8.9.3.patch only for 8.9.3, changes version string to 8.9.3p2
>prescan.8.9.patch for 8.9.0 - 8.9.2, does not change version string
>Apply the appropriate patch to your version of the sendmail source
>code (change the version number below to the right one!), e.g.,
>patch < prescan.8.12.8.patch
>recompile sendmail, and install the new binary.
>========= begin patch ========
>========= end patch ==========
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (OpenBSD)
>-----END PGP SIGNATURE-----
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike_(_at_)_sentex_(_dot_)_net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike