Date: Sat, 29 Mar 2003 14:36:29 -0500
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Security fix (Fwd: sendmail 8.12.9 available
Message-ID: <5.2.0.9.0.20030329143542.037b1600@marble.sentex.ca>
From bugtraq :-(

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Sendmail, Inc., and the Sendmail Consortium announce the availability
>of sendmail 8.12.9. It contains a fix for a critical security
>problem discovered by Michal Zalewski whom we thank for bringing
>this problem to our attention. Sendmail urges all users to either
>upgrade to sendmail 8.12.9 or apply a patch for your sendmail version
>that is part of this announcement. Remember to check the PGP
>signatures of patches or releases obtained via FTP or HTTP (to check
>the correctness of the patches in this announcement please verify
>the PGP signature of it). For those not running the open source
>version, check with your vendor for a patch.
>
>We apologize for releasing this information today (2003-03-29) but
>we were forced to do so by an e-mail on a public mailing list (that
>has been sent by an irresponsible individual) which contains
>information about the security flaw.
>
>For a complete list of changes see the release notes down below.
>
>Please send bug reports to sendmail-bugs@sendmail.org as usual.
>
>Note: We have changed the way we digitally sign the source code
>distributions to simplify verification: in contrast to earlier
>versions two .sig files are provided, one each for the gzip'ed
>version and the compressed version. That is, instead of signing the
>tar file, we sign the compressed/gzip'ed files, so you do not need
>to uncompress the file before checking the signature.
>
>This version can be found at
>
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z
>ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig
>
>and the usual mirror sites.
>
>MD5 signatures:
>
>3dba3b6d769b3681640d0a38b0eba48c sendmail.8.12.9.tar.gz
>19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.gz.sig
>268fc4045ba3eac6dfd9dc95d889ba5f sendmail.8.12.9.tar.Z
>19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.Z.sig
>
>You either need the first two files or the third and fourth, i.e.,
>the gzip'ed version or the compressed version and the corresponding
>.sig file. The PGP signature was created using the Sendmail Signing
>Key/2003, available on the web site (http://www.sendmail.org/) or
>on the public key servers.
>
>Since sendmail 8.11 and later includes hooks to cryptography, the
>following information from OpenSSL applies to sendmail as well.
>
>  PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
>  SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
>  TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
>  PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
>  COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
>  SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
>  YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
>  AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
>  ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
>
>
>                       SENDMAIL RELEASE NOTES
>        $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $
>
>
>This listing shows the version of the sendmail binary, the version
>of the sendmail configuration files, the date of release, and a
>summary of the changes in that release.
>
>8.12.9/8.12.9   2003/03/29
>        SECURITY: Fix a buffer overflow in address parsing due to
>                a char to int conversion problem which is potentially
>                remotely exploitable. Problem found by Michal Zalewski.
>                Note: an MTA that is not patched might be vulnerable to
>                data that it receives from untrusted sources, which
>                includes DNS.
>                To provide partial protection to internal, unpatched sendmail MTAs,
>                8.12.9 changes by default (char)0xff to (char)0x7f in
>                headers etc. To turn off this conversion compile with
>                -DALLOW_255 or use the command line option -d82.101.
>                To provide partial protection for internal, unpatched MTAs that
>                may be performing 7->8 or 8->7 bit MIME conversions, the default
>                for MaxMimeHeaderLength has been changed to 2048/1024.
>                Note: this does have a performance impact, and it only
>                protects against frontal attacks from the outside.
>                To disable the checks and return to pre-8.12.9 defaults,
>                set MaxMimeHeaderLength to 0/0.
>        Do not complain about -ba when submitting mail. Problem noted
>                by Derek Wueppelmann.
>        Fix compilation with Berkeley DB 1.85 on systems that do not
>                have flock(2). Problem noted by Andy Harper of Kings
>                College London.
>        Properly initialize data structure for dns maps to avoid various
>                errors, e.g., looping processes. Problem noted by
>                Maurice Makaay.
>        CONFIG: Prevent multiple application of rule to add smart host.
>                Patch from Andrzej Filip.
>        CONFIG: Fix queue group declaration in MAILER(`usenet').
>        CONTRIB: buildvirtuser: New option -t builds the virtusertable
>                text file instead of the database map.
>        Portability:
>                Revert wrong change made in 8.12.7 and actually use the
>                        builtin getopt() version in sendmail on Linux.
>                        This can be overridden by using -DSM_CONF_GETOPT=0
>                        in which case the OS supplied version will be used.
>
>
>Instructions to extract and apply the patches for sendmail:
>
>The data below is a uuencoded, gzip'ed tar file. Store the data
>between "========= begin patch ========" and "========= end patch
>==========" into a file called "patch.sm" and apply the following
>command:
>
>uudecode -p < patch.sm | gunzip -c | tar -xf -
>
>This will give you these files (explanation for each file is on
>the left, only "prescan.VERSION.patch" are the files).
>
>prescan.8.12.8.patch    only for 8.12.8, changes version string to 8.12.8p1
>prescan.8.12.patch      for 8.12.0 - 8.12.7, does not change version string
>prescan.8.11.6.patch    only for 8.11.6, changes version string to 8.11.6p2
>prescan.8.11.patch      for 8.11.0 - 8.11.5, does not change version string
>prescan.8.9.3.patch     only for 8.9.3, changes version string to 8.9.3p2
>prescan.8.9.patch       for 8.9.0 - 8.9.2, does not change version string
>
>Apply the appropriate patch to your version of the sendmail source
>code (change the version number below to the right one!), e.g.,
>
>cd sendmail-8.12.8/sendmail
>patch < prescan.8.12.8.patch
>
>recompile sendmail, and install the new binary.
>
>========= begin patch ========
>
>========= end patch ==========
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (OpenBSD)
>
>iQCVAwUBPoXFgyGD4bE5bweJAQEk9gQAvhx73sgGCLaUiNkDRKiPECbrDcgn9fH0
>JncwWXpYNlLoVFgk1VHbBTeFqtGwTVXIFUOyQvIwO8Vh53iHbffv/4NZCsZuWwpT
>L7v+uCAN0IvYQUZUUvvcJJJsEUkyYzSKCnNewYhFGDmLa1Sx6x59fYw2hfseZ/HK
>hjC59XbAdSk=
>=t4zn
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                                    tel +1 519 651 3400
Sentex Communications,                          mike@sentex.net
Providing Internet since 1994                   www.sentex.net
Cambridge, Ontario Canada                       www.sentex.net/mike
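The release notes above name the bug class ("a buffer overflow in address parsing due to a char to int conversion problem") and two defences (widening bytes correctly, and the 8.12.9 default of rewriting (char)0xff to (char)0x7f so that unpatched internal MTAs never see that byte) without showing the mechanism. The following is an added example written for this archive page; it is not code from the announcement or from sendmail. It models the bug class with a made-up copy loop: the sentinel NOCH, the sizes CAP and BACKING, the loop shape and the sample input are all assumptions for illustration, not sendmail's prescan code.

```c
/* Added example for this archive page; not code from the sendmail
 * announcement or from sendmail itself. It models the "char to int
 * conversion" bug class named in the 8.12.9 release notes with a made-up
 * copy loop (NOCH, CAP, BACKING and the loop shape are assumptions for
 * illustration) and shows two defences the notes mention: widening bytes
 * through unsigned char, and rewriting 0xff to 0x7f before an unpatched
 * parser sees the data. */
#include <stddef.h>
#include <stdio.h>

#define NOCH    (-1)  /* hypothetical "no character" sentinel of the scanner */
#define CAP     16    /* logical size of the scanner's output buffer */
#define BACKING 64    /* real backing store, so the demo never writes out of bounds */

/* The conversion at the root of the bug class: byte 0xff read as a
 * signed char is sign-extended to -1 when widened to int, which is
 * exactly the sentinel value. Widening through unsigned char gives 255. */
int widen_signed(unsigned char b)   { return (int)(signed char)b; }
int widen_unsigned(unsigned char b) { return (int)b; }

/* Flawed loop: the length check runs only for "real" characters
 * (c != NOCH), but the store runs for every byte. A 0xff byte widens to
 * -1, compares equal to NOCH and skips the check. Returns the number of
 * bytes stored; anything above CAP is an overrun of the logical buffer
 * (kept inside BACKING so the demo itself stays memory-safe). */
size_t copy_flawed(const unsigned char *in, size_t inlen, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < inlen && n < BACKING; i++) {
        int c = widen_signed(in[i]);
        if (c != NOCH && n >= CAP)      /* bounds check gated on the sentinel */
            break;
        out[n++] = (char)c;
    }
    return n;
}

/* Fix: widen through unsigned char, so no input byte can equal NOCH and
 * the length check applies to every stored byte. */
size_t copy_fixed(const unsigned char *in, size_t inlen, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < inlen && n < BACKING; i++) {
        int c = widen_unsigned(in[i]);
        if (c != NOCH && n >= CAP)
            break;
        out[n++] = (char)c;
    }
    return n;
}

/* Partial protection from the 8.12.9 notes: a patched relay rewrites 0xff
 * to 0x7f in what it passes on, so an unpatched downstream parser
 * (copy_flawed here) never receives the byte that collides with its
 * sentinel. It is partial because it only covers traffic that crosses
 * the patched relay. */
size_t copy_via_patched_relay(const unsigned char *in, size_t inlen, char *out)
{
    unsigned char relayed[BACKING];
    size_t m = inlen < BACKING ? inlen : BACKING;
    for (size_t i = 0; i < m; i++)
        relayed[i] = (in[i] == 0xff) ? 0x7f : in[i];
    return copy_flawed(relayed, m, out);
}

/* Constructed sample input: 16 ordinary bytes, then 8 bytes of 0xff, the
 * shape that pushes the flawed scanner past CAP. */
static size_t sample(unsigned char *buf, size_t cap)
{
    size_t n = 0;
    while (n < 16 && n < cap) buf[n++] = 'A';
    while (n < 24 && n < cap) buf[n++] = 0xff;
    return n;
}

/* Run one of the copy routines over the sample and report bytes stored. */
size_t run_demo(size_t (*copy)(const unsigned char *, size_t, char *))
{
    unsigned char in[32];
    char out[BACKING];
    size_t len = sample(in, sizeof in);
    return copy(in, len, out);
}

int main(void)
{
    printf("0xff widened: signed=%d unsigned=%d (NOCH=%d)\n",
           widen_signed(0xff), widen_unsigned(0xff), NOCH);
    printf("flawed parser stored %zu bytes, cap is %d\n", run_demo(copy_flawed), CAP);
    printf("fixed parser stored %zu bytes\n", run_demo(copy_fixed));
    printf("flawed parser behind patched relay stored %zu bytes\n",
           run_demo(copy_via_patched_relay));
    return 0;
}
```

The common idiom `int c = *p++;` with `char *p` behaves like widen_signed on every platform where plain char is signed, which is why a single input byte can masquerade as an in-band sentinel; the example uses an explicit `signed char` cast so the result is the same everywhere. The relay variant also shows why the notes call the 0xff-to-0x7f rewrite partial protection: it only alters bytes that pass through the patched MTA, so an unpatched host that receives data from another source (the notes mention DNS) is not covered.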