Date: Thu, 22 Feb 2001 20:24:18 -0500
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Cc: gshapiro@freebsd.org
Subject: Fwd: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
Message-ID: <4.2.2.20010222202121.03d64948@marble.sentex.net>

Is this a LINUX specific thing, or Sendmail in general ??

>Approved-By: beng@SECURITYFOCUS.COM
>Delivered-To: bugtraq@lists.securityfocus.com
>Delivered-To: bugtraq@securityfocus.com
>User-Agent: Mutt/1.2.5i
>X-Mailman-Version: 1.1
>List-Id: Announcements-only security list
>         <tl-security-announce.www.turbolinux.com>
>X-BeenThere: tl-security-announce@www.turbolinux.com
>Date: Thu, 22 Feb 2001 14:09:35 -0800
>Reply-To: security@TURBOLINUX.COM
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>From: security@TURBOLINUX.COM
>Subject: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
>X-To: tl-security-announce@www1.turbolinux.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (amavis.org)
>
>
>
>___________________________________________________________________________
>
>                      TurboLinux Security Announcement
>
>
>      Vulnerable Packages: All versions previous to 8.11.2-5
>      Date: 02/21/2001 5:00 PDT
>
>      Affected TurboLinux versions:TL 6.1 WorkStation,
>                                   All TurboLinux versions
>                                   6.0.5 and earlier
>
>      TurboLinux Advisory ID#: TLSA2001003-1
>
>      Credits: Vulnerability discovered by Michal Zalewski
>               of the Internet for Schools project(IdS).
>___________________________________________________________________________
>
>A security hole was discovered in the package mentioned above.
>Please update the package in your installation as soon as possible.
>___________________________________________________________________________
>
>1. Problem Summary
>
>    Sendmail, launched with the -bt command-line switch, enters its special
>    "address test" mode. Under these conditions, it is vulnerable to a
>    segmentation fault which can occur when trying to set a class in
>    address test mode due to a negative array index.
>
>2. Impact
>
>    A user can gain root privileges.
>
>3. Solution
>
>   Update the package from our ftp server by running the following command:
>
>   rpm -Uvh ftp_path_to_filename
>
>   Where ftp_path_to_filename is the following:
>
>
>ftp://ftp.turbolinux.com/pub/updates/6.0/security/sendmail-8.11.2-5.i386.rpm
>
>   The source RPM can be downloaded here:
>
>   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/sendmail-8.11.2-5.src.rpm
>
>   **Note: You must rebuild and install the RPM if you choose to download
>   and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
>   THE SECURITY HOLE.
>
>   Please verify the MD5 checksums of the updates before you install:
>
>   MD5 sum                             Package Name
>---------------------------------------------------------------------------
>38eee0653839595aedad386cc8d2346f  sendmail-8.11.2-5.i386.rpm
>cfe857414b7e3cdbf658a898bd592b71  sendmail-8.11.2-5.src.rpm
>___________________________________________________________________________
>
>These packages are GPG signed by TurboLinux for security. Our key
>is available here:
>
>   http://www.turbolinux.com/security/tlgpgkey.asc
>
>To verify a package, use the following command:
>
>   rpm --checksig name_of_rpm
>
>To examine only the md5sum, use the following command:
>
>   rpm --checksig --nogpg name_of_rpm
>
>**Note: Checking GPG keys requires RPM 3.0 or higher.
>
>___________________________________________________________________________
>You can find more updates on our ftp server:
>
>   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation
>   and Server security updates
>   ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation
>   and Server security updates
>
>Our webpage for security announcements:
>
>   http://www.turbolinux.com/security
>
>If you want to report vulnerabilities, please contact:
>
>   security@turbolinux.com
>___________________________________________________________________________
>
>Subscribe to the TurboLinux Security Mailing lists:
>
>   TL-security - A moderated list for discussing security issues
>                 TurboLinux products.
>   Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
>
>   TL-security-announce - An announce-only mailing list for security updates
>                          and alerts.
>   Subscribe at:
>
>   http://www.turbolinux.com/mailman/listinfo/tl-security-announce

--------------------------------------------------------------------
Mike Tancsa,                    tel +1 519 651 3400
Network Administration,         mike@sentex.net
Sentex Communications           www.sentex.net
Cambridge, Ontario Canada       www.sentex.net/mike


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
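
The bug class named in the quoted advisory (a negative array index), shown as an added C illustration that is not part of the original message and is not sendmail's code. The table, the function names and the signed-char cause of the negative index are assumptions made for this example.

```c
/* Added illustration of a negative-array-index bug and its fix.
 * NOT sendmail source; every name below is hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define NCLASSES 256                 /* one slot per one-byte class name */

static unsigned char class_table[NCLASSES];

/* Flawed pattern: the name byte is treated as a signed char, so any byte
 * >= 0x80 turns into a negative index (0xE9 becomes -23). */
int class_index_naive(const char *name)
{
    return (signed char)name[0];
}

/* Corrected conversion: widen through unsigned char so the index is
 * always 0..255; empty or missing names are rejected with -1. */
int class_index_checked(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return -1;
    return (unsigned char)name[0];
}

/* Defensive setter: refuses any index outside the table instead of
 * writing before or past class_table. Returns 0 on success, -1 if rejected. */
int set_class(int idx, unsigned char value)
{
    if (idx < 0 || idx >= NCLASSES)
        return -1;
    class_table[idx] = value;
    return 0;
}

int main(void)
{
    const char *name = "\xe9";       /* constructed input: one high-bit byte */

    printf("naive index   = %d, set_class -> %d\n",
           class_index_naive(name), set_class(class_index_naive(name), 1));
    printf("checked index = %d, set_class -> %d\n",
           class_index_checked(name), set_class(class_index_checked(name), 1));
    return 0;
}
```

Without the range check in `set_class`, the naive index would address memory 23 bytes before the start of the table, which is the kind of access that produces the segmentation fault the advisory describes.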