From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 11:31:10 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C68CC37B401 for ; Sat, 29 Mar 2003 11:31:10 -0800 (PST)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05FE343F93 for ; Sat, 29 Mar 2003 11:31:10 -0800 (PST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2TJV7rj084340 for ; Sat, 29 Mar 2003 14:31:07 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030329143542.037b1600@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Sat, 29 Mar 2003 14:36:29 -0500
To: security@freebsd.org
From: Mike Tancsa
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Subject: Security fix (Fwd: sendmail 8.12.9 available
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 29 Mar 2003 19:31:13 -0000

From bugtraq :-(

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Sendmail, Inc., and the Sendmail Consortium announce the availability
>of sendmail 8.12.9. It contains a fix for a critical security
>problem discovered by Michal Zalewski whom we thank for bringing
>this problem to our attention. Sendmail urges all users to either
>upgrade to sendmail 8.12.9 or apply a patch for your sendmail version
>that is part of this announcement.
>Remember to check the PGP
>signatures of patches or releases obtained via FTP or HTTP (to check
>the correctness of the patches in this announcement please verify
>the PGP signature of it). For those not running the open source
>version, check with your vendor for a patch.
>
>We apologize for releasing this information today (2003-03-29) but
>we were forced to do so by an e-mail on a public mailing list (that
>has been sent by an irresponsible individual) which contains
>information about the security flaw.
>
>For a complete list of changes see the release notes down below.
>
>Please send bug reports to sendmail-bugs@sendmail.org as usual.
>
>Note: We have changed the way we digitally sign the source code
>distributions to simplify verification: in contrast to earlier
>versions two .sig files are provided, one each for the gzip'ed
>version and the compressed version. That is, instead of signing the
>tar file, we sign the compressed/gzip'ed files, so you do not need
>to uncompress the file before checking the signature.
>
>This version can be found at
>
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig
>
>and the usual mirror sites.
>
>MD5 signatures:
>
>3dba3b6d769b3681640d0a38b0eba48c  sendmail.8.12.9.tar.gz
>19e39c9e9bc8fae288245c546639e1f4  sendmail.8.12.9.tar.gz.sig
>268fc4045ba3eac6dfd9dc95d889ba5f  sendmail.8.12.9.tar.Z
>19e39c9e9bc8fae288245c546639e1f4  sendmail.8.12.9.tar.Z.sig
>
>You either need the first two files or the third and fourth, i.e.,
>the gzip'ed version or the compressed version and the corresponding
>.sig file. The PGP signature was created using the Sendmail Signing
>Key/2003, available on the web site (http://www.sendmail.org/) or
>on the public key servers.
>
>Since sendmail 8.11 and later includes hooks to cryptography, the
>following information from OpenSSL applies to sendmail as well.
>
>  PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
>  SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
>  TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
>  PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
>  COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
>  SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
>  YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
>  AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
>  ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
>
>
>			SENDMAIL RELEASE NOTES
>	  $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $
>
>
>This listing shows the version of the sendmail binary, the version
>of the sendmail configuration files, the date of release, and a
>summary of the changes in that release.
>
>8.12.9/8.12.9	2003/03/29
>	SECURITY: Fix a buffer overflow in address parsing due to
>		a char to int conversion problem which is potentially
>		remotely exploitable. Problem found by Michal Zalewski.
>		Note: an MTA that is not patched might be vulnerable to
>		data that it receives from untrusted sources, which
>		includes DNS.
>	To provide partial protection to internal, unpatched sendmail MTAs,
>		8.12.9 changes by default (char)0xff to (char)0x7f in
>		headers etc. To turn off this conversion compile with
>		-DALLOW_255 or use the command line option -d82.101.
>	To provide partial protection for internal, unpatched MTAs that may be
>		performing 7->8 or 8->7 bit MIME conversions, the default
>		for MaxMimeHeaderLength has been changed to 2048/1024.
>		Note: this does have a performance impact, and it only
>		protects against frontal attacks from the outside.
>		To disable the checks and return to pre-8.12.9 defaults,
>		set MaxMimeHeaderLength to 0/0.
>	Do not complain about -ba when submitting mail. Problem noted
>		by Derek Wueppelmann.
>	Fix compilation with Berkeley DB 1.85 on systems that do not
>		have flock(2). Problem noted by Andy Harper of Kings
>		College London.
>	Properly initialize data structure for dns maps to avoid various
>		errors, e.g., looping processes. Problem noted by
>		Maurice Makaay.
>	CONFIG: Prevent multiple application of rule to add smart host.
>		Patch from Andrzej Filip.
>	CONFIG: Fix queue group declaration in MAILER(`usenet').
>	CONTRIB: buildvirtuser: New option -t builds the virtusertable
>		text file instead of the database map.
>	Portability:
>		Revert wrong change made in 8.12.7 and actually use the
>			builtin getopt() version in sendmail on Linux.
>			This can be overridden by using -DSM_CONF_GETOPT=0
>			in which case the OS supplied version will be used.
>
>
>Instructions to extract and apply the patches for sendmail:
>
>The data below is a uuencoded, gzip'ed tar file. Store the data
>between "========= begin patch ========" and "========= end patch
>==========" into a file called "patch.sm" and apply the following
>command:
>
>uudecode -p < patch.sm | gunzip -c | tar -xf -
>
>This will give you these files (explanation for each file is on
>the left, only "prescan.VERSION.patch" are the files).
>
>prescan.8.12.8.patch	only for 8.12.8, changes version string to 8.12.8p1
>prescan.8.12.patch	for 8.12.0 - 8.12.7, does not change version string
>prescan.8.11.6.patch	only for 8.11.6, changes version string to 8.11.6p2
>prescan.8.11.patch	for 8.11.0 - 8.11.5, does not change version string
>prescan.8.9.3.patch	only for 8.9.3, changes version string to 8.9.3p2
>prescan.8.9.patch	for 8.9.0 - 8.9.2, does not change version string
>
>Apply the appropriate patch to your version of the sendmail source
>code (change the version number below to the right one!), e.g.,
>
>cd sendmail-8.12.8/sendmail
>patch < prescan.8.12.8.patch
>
>recompile sendmail, and install the new binary.
>
>========= begin patch ========
>
>========= end patch ==========
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (OpenBSD)
>
>iQCVAwUBPoXFgyGD4bE5bweJAQEk9gQAvhx73sgGCLaUiNkDRKiPECbrDcgn9fH0
>JncwWXpYNlLoVFgk1VHbBTeFqtGwTVXIFUOyQvIwO8Vh53iHbffv/4NZCsZuWwpT
>L7v+uCAN0IvYQUZUUvvcJJJsEUkyYzSKCnNewYhFGDmLa1Sx6x59fYw2hfseZ/HK
>hjC59XbAdSk=
>=t4zn
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                                          tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
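The SECURITY entry in the forwarded release notes attributes the overflow to a char to int conversion in address parsing and says 8.12.9 now rewrites (char)0xff to (char)0x7f by default as a stop-gap for unpatched internal MTAs. The C program below is an added illustration of that conversion hazard; it is not sendmail's prescan() code and is not taken from the announcement. It uses a constructed scanner that reads bytes through a plain char pointer and compares them against an int "no character pending" sentinel (the name NOCHAR and the value -1 are assumptions for the demo), so on a platform whose char is signed the data byte 0xff sign-extends to -1 and is mistaken for the sentinel. The unsigned-char form removes the collision, and squash_ff() shows the 0xff to 0x7f rewrite applied before data reaches a consumer that still has the bug. The sample address is constructed; the program shows the mis-scan only, not an overflow and no exploit.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed sentinel: an int value outside 0..255 meaning "no character". */
#define NOCHAR (-1)

/* Buggy form: widen a plain char to int. Where char is signed, the byte
 * 0xff becomes -1 and collides with NOCHAR, so the scan stops early.
 * Returns the number of bytes consumed before the scanner saw "NOCHAR". */
static size_t scan_buggy(const char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int c = p[i];            /* sign-extends on signed-char platforms */
        if (c == NOCHAR)
            break;               /* a real data byte is treated as the sentinel */
    }
    return i;
}

/* Fixed form: widen through unsigned char so every byte lands in 0..255
 * and can never equal an out-of-band sentinel. */
static size_t scan_fixed(const char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int c = (unsigned char)p[i];
        if (c == NOCHAR)
            break;               /* unreachable for any byte value */
    }
    return i;
}

/* Stop-gap in the spirit of the 8.12.9 default: rewrite 0xff to 0x7f in
 * data before handing it to a consumer that still has the buggy scan.
 * Returns the number of bytes rewritten. */
static size_t squash_ff(char *buf, size_t n)
{
    size_t i, changed = 0;
    for (i = 0; i < n; i++) {
        if ((unsigned char)buf[i] == 0xff) {
            buf[i] = (char)0x7f;
            changed++;
        }
    }
    return changed;
}

/* Whether plain char sign-extends in this build; decides what scan_buggy does. */
static int char_is_signed(void)
{
    return CHAR_MIN < 0;
}

/* Constructed sample: a 17-byte address with one 0xff byte after "user". */
static const char DEMO[] = "user\xff@example.org";
#define DEMO_LEN (sizeof(DEMO) - 1)

static size_t demo_buggy(void) { return scan_buggy(DEMO, DEMO_LEN); }
static size_t demo_fixed(void) { return scan_fixed(DEMO, DEMO_LEN); }

/* Copy the sample, apply the 0xff -> 0x7f rewrite, then rescan the buggy way. */
static size_t demo_after_squash(void)
{
    char buf[DEMO_LEN];
    memcpy(buf, DEMO, DEMO_LEN);
    squash_ff(buf, DEMO_LEN);
    return scan_buggy(buf, DEMO_LEN);
}

int main(void)
{
    printf("char is %s on this build\n", char_is_signed() ? "signed" : "unsigned");
    printf("buggy scanner consumed %zu of %zu bytes\n", demo_buggy(), (size_t)DEMO_LEN);
    printf("fixed scanner consumed %zu of %zu bytes\n", demo_fixed(), (size_t)DEMO_LEN);
    printf("buggy scanner after 0xff->0x7f rewrite: %zu of %zu bytes\n",
           demo_after_squash(), (size_t)DEMO_LEN);
    return 0;
}
```

On x86 builds, where char is signed, the buggy scanner stops after the four bytes of "user"; on platforms whose char is unsigned both scanners agree, which is why a bug of this class can pass testing on one architecture and fail on another. The rewrite only helps a consumer downstream of the host doing the rewriting, matching the notes' warning that it is partial protection and that data from untrusted sources, DNS included, still reaches an unpatched MTA directly.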