[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security fix (Fwd: sendmail 8.12.9 available



 From bugtraq :-(



>-----BEGIN PGP SIGNED MESSAGE-----
>
>Sendmail, Inc., and the Sendmail Consortium announce the availability
>of sendmail 8.12.9.  It contains a fix for a critical security
>problem discovered by Michal Zalewski whom we thank for bringing
>this problem to our attention.  Sendmail urges all users to either
>upgrade to sendmail 8.12.9 or apply a patch for your sendmail version
>that is part of this announcement.  Remember to check the PGP
>signatures of patches or releases obtained via FTP or HTTP (to check
>the correctness of the patches in this announcement please verify
>the PGP signature of it).  For those not running the open source
>version, check with your vendor for a patch.
>
>We apologize for releasing this information today (2003-03-29) but
>we were forced to do so by an e-mail on a public mailing list (that
>has been sent by an irresponsible individual) which contains
>information about the security flaw.
>
>For a complete list of changes see the release notes down below.
>
>Please send bug reports to sendmail-bugs_(_at_)_sendmail_(_dot_)_org as usual.
>
>Note: We have changed the way we digitally sign the source code
>distributions to simplify verification: in contrast to earlier
>versions two .sig files are provided, one each for the gzip'ed
>version and the compressed version. That is, instead of signing the
>tar file, we sign the compressed/gzip'ed files, so you do not need
>to uncompress the file before checking the signature.
>
>This version can be found at
>
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig
>
>and the usual mirror sites.
>
>MD5 signatures:
>
>3dba3b6d769b3681640d0a38b0eba48c sendmail.8.12.9.tar.gz
>19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.gz.sig
>268fc4045ba3eac6dfd9dc95d889ba5f sendmail.8.12.9.tar.Z
>19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.Z.sig
>
>You either need the first two files or the third and fourth, i.e.,
>the gzip'ed version or the compressed version and the corresponding
>.sig file.  The PGP signature was created using the Sendmail Signing
>Key/2003, available on the web site (http://www.sendmail.org/) or
>on the public key servers.
>
>Since sendmail 8.11 and later includes hooks to cryptography, the
>following information from OpenSSL applies to sendmail as well.
>
>    PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
>    SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
>    TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
>    PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
>    COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
>    SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
>    YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
>    AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
>    ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
>
>
>                         SENDMAIL RELEASE NOTES
>       $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $
>
>
>This listing shows the version of the sendmail binary, the version
>of the sendmail configuration files, the date of release, and a
>summary of the changes in that release.
>
>8.12.9/8.12.9   2003/03/29
>         SECURITY: Fix a buffer overflow in address parsing due to
>                 a char to int conversion problem which is potentially
>                 remotely exploitable.  Problem found by Michal Zalewski.
>                 Note: an MTA that is not patched might be vulnerable to
>                 data that it receives from untrusted sources, which
>                 includes DNS.
>         To provide partial protection to internal, unpatched sendmail MTAs,
>                 8.12.9 changes by default (char)0xff to (char)0x7f in
>                 headers etc.  To turn off this conversion compile with
>                 -DALLOW_255 or use the command line option -d82.101.
>         To provide partial protection for internal, unpatched MTAs that 
> may be
>                 performing 7->8 or 8->7 bit MIME conversions, the default
>                 for MaxMimeHeaderLength has been changed to 2048/1024.
>                 Note: this does have a performance impact, and it only
>                 protects against frontal attacks from the outside.
>                 To disable the checks and return to pre-8.12.9 defaults,
>                 set MaxMimeHeaderLength to 0/0.
>         Do not complain about -ba when submitting mail.  Problem noted
>                 by Derek Wueppelmann.
>         Fix compilation with Berkeley DB 1.85 on systems that do not
>                 have flock(2).  Problem noted by Andy Harper of Kings
>                 College London.
>         Properly initialize data structure for dns maps to avoid various
>                 errors, e.g., looping processes.  Problem noted by
>                 Maurice Makaay.
>         CONFIG: Prevent multiple application of rule to add smart host.
>                 Patch from Andrzej Filip.
>         CONFIG: Fix queue group declaration in MAILER(`usenet').
>         CONTRIB: buildvirtuser: New option -t builds the virtusertable
>                 text file instead of the database map.
>         Portability:
>                 Revert wrong change made in 8.12.7 and actually use the
>                         builtin getopt() version in sendmail on Linux.
>                         This can be overridden by using -DSM_CONF_GETOPT=0
>                         in which case the OS supplied version will be used.
>
>
>Instructions to extract and apply the patches for sendmail:
>
>The data below is a uuencoded, gzip'ed tar file.  Store the data
>between "========= begin patch ========" and "========= end patch
>==========" into a file called "patch.sm" and apply the following
>command:
>
>uudecode -p < patch.sm | gunzip -c | tar -xf -
>
>This will give you these files (explanation for each file is on
>the left, only "prescan.VERSION.patch" are the files).
>
>prescan.8.12.8.patch    only for 8.12.8, changes version string to 8.12.8p1
>prescan.8.12.patch      for 8.12.0 - 8.12.7, does not change version string
>prescan.8.11.6.patch    only for 8.11.6, changes version string to 8.11.6p2
>prescan.8.11.patch      for 8.11.0 - 8.11.5, does not change version string
>prescan.8.9.3.patch     only for 8.9.3, changes version string to 8.9.3p2
>prescan.8.9.patch       for 8.9.0 - 8.9.2, does not change version string
>
>Apply the appropriate patch to your version of the sendmail source
>code (change the version number below to the right one!), e.g.,
>
>cd sendmail-8.12.8/sendmail
>patch < prescan.8.12.8.patch
>
>recompile sendmail, and install the new binary.
>
>========= begin patch ========
>
>========= end patch ==========
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (OpenBSD)
>
>iQCVAwUBPoXFgyGD4bE5bweJAQEk9gQAvhx73sgGCLaUiNkDRKiPECbrDcgn9fH0
>JncwWXpYNlLoVFgk1VHbBTeFqtGwTVXIFUOyQvIwO8Vh53iHbffv/4NZCsZuWwpT
>L7v+uCAN0IvYQUZUUvvcJJJsEUkyYzSKCnNewYhFGDmLa1Sx6x59fYw2hfseZ/HK
>hjC59XbAdSk=
>=t4zn
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike_(_at_)_sentex_(_dot_)_net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike