Date: Tue, 4 Mar 2003 08:20:26 +0000
From: Matthew Seaman
To: Giorgos Keramidas
Cc: Mike Loiterman, freebsd-questions@FreeBSD.ORG
Subject: Re: Sendmail patch questions...

On Tue, Mar 04, 2003 at 04:22:49AM +0200, Giorgos Keramidas wrote:

> PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
> maintainer of Sendmail on FreeBSD, has already merged the latest
> Sendmail version (8.12.8) to the RELENG_4 branch.

Actually, according to what I can see in a quick trawl through cvsweb,
he's MFC'd sendmail patches on all RELENG_x and RELENG_x_y branches
back to and including RELENG_3:

    http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/sendmail/src/?sortby=date&only_with_tag=RELENG_3

However, it seems that his modifications don't constitute a complete
upgrade to sendmail-8.12.8 except on RELENG_4 and HEAD.  Hence the
confusion over the binary updates given in the original security
alert.

Your sendmail binary will be immune to this attack if you've built it
out of a recently cvsup'd source tree or installed one of the binary
patches so that:

    -- you're running sendmail-8.12.8 or better

or

    -- the string 'Dropped invalid comments from header address'
       appears in the sendmail binary.

Thanks to Claus Assmann for pointing out the second test.

    Cheers,

    Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
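The two tests from the message above, combined into one shell check. This is an added example, not part of the original message or of FreeBSD; `check_sendmail`, `version_ge` and the paths in the comments are names chosen here, and the version is supplied by the caller rather than read from the binary.

```shell
#!/bin/sh
# Added example: applies the two tests from the message to one binary.
MARKER='Dropped invalid comments from header address'  # string quoted in the message
FIXED_VERSION='8.12.8'                                 # version named in the message

# version_ge A B: succeed if dotted version A >= B, compared numerically
# per component so that 8.12.10 ranks above 8.12.8.
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}       # drop suffixes such as "p1"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# check_sendmail BINARY [VERSION]
# Returns 0 if either test passes, 1 if neither does, 2 if BINARY is unreadable.
check_sendmail() {
    bin=$1 ver=${2:-}
    if [ ! -r "$bin" ]; then
        echo "cannot read $bin" >&2
        return 2
    fi
    if [ -n "$ver" ] && version_ge "$ver" "$FIXED_VERSION"; then
        echo "$bin: version $ver >= $FIXED_VERSION"
        return 0
    fi
    # A patched build that is not a full upgrade may still report an
    # older version, so fall back to the marker string in the binary.
    if LC_ALL=C grep -qF -- "$MARKER" "$bin"; then
        echo "$bin: older version string, but patch marker present"
        return 0
    fi
    echo "$bin: neither test passed (version '${ver:-unknown}', no marker)"
    return 1
}

# Run as: sh check.sh /usr/sbin/sendmail 8.11.6   (path and version are examples)
if [ "$#" -ge 1 ]; then
    check_sendmail "$@"
fi
```

The marker test is the one that matters on a branch that received the fix without a full upgrade, since such a binary can fail the version test while still being patched.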