[vox] [Fwd: sendmail 8.12.8 available]
ME
vox@lists.lugod.org
Mon, 3 Mar 2003 10:50:24 -0800 (PST)
If you use "sendmail" on your systems, pay attention to new security
updates to your packages for it. If you compiled it on your own, you may
want to get a new copy that was recently released.
-ME
---------------------------- Original Message ----------------------------
Subject: sendmail 8.12.8 available
From: "Claus Assmann" <ca+bugtraq@sendmail.org>
Date: Mon, March 3, 2003 9:08 am
To: bugtraq@securityfocus.com
vulnwatch@vulnwatch.org
--------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Sendmail, Inc., and the Sendmail Consortium announce the availability of
sendmail 8.12.8. It contains a fix for a critical security
problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force for
bringing this problem to our attention. Sendmail urges all users to
either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that is part
of this announcement. Patches for older versions can be
downloaded from ftp.sendmail.org, see http://www.sendmail.org/ for
details. Remember to check the PGP signatures of patches or releases
obtained. For those not running the open source version, check
with your vendor for a patch. There is a bug fix for ident parsing in
8.12.8. While this is not believed to be exploitable, if you
are not upgrading to 8.12.8, you may want to turn off ident checking by
adding this to your .mc file:
define(`confTO_IDENT', `0s')
For a complete list of changes see the release notes down below.
Please send bug reports to sendmail-bugs@sendmail.org as usual.
Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier
versions two .sig files are provided, one each for the gzip'ed
version and the compressed version. That is, instead of signing the tar
file, we sign the compressed/gzip'ed files, so you do not need to
uncompress the file before checking the signature.
This version can be found at
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig
and the usual mirror sites.
MD5 signatures:
71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz
2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig
b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z
b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig
You either need the first two files or the third and fourth, i.e., the
gzip'ed version or the compressed version and the corresponding .sig file.
The PGP signature was created using the Sendmail Signing Key/2003,
available on the web site (http://www.sendmail.org/) or
on the public key servers.
Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU
ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR
USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY
VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $
This listing shows the version of the sendmail binary, the version of the
sendmail configuration files, the date of release, and a
summary of the changes in that release.
8.12.8/8.12.8   2003/02/11
        SECURITY: Fix a remote buffer overflow in header parsing by
                dropping sender and recipient header comments if the
                comments are too long. Problem noted by Mark Dowd
                of ISS X-Force.
        Fix a potential non-exploitable buffer overflow in parsing the
                .cf queue settings and potential buffer underflow in
                parsing ident responses. Problem noted by Yichen Xie of
                Stanford University Compilation Group.
        Fix ETRN #queuegroup command: actually start a queue run for
                the selected queue group. Problem noted by Jos Vos.
        If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
                log the fixup as "Fixed MIME header" instead of "Truncated
                MIME header". Problem noted by Ian J Hart.
        CONFIG: Fix regression bug in proto.m4 that caused a bogus
                error message: "FEATURE() should be before MAILER()".
        MAIL.LOCAL: Be more explicit in some error cases, i.e., whether
                a mailbox has more than one link or whether it is not
                a regular file. Patch from John Beck of Sun Microsystems.
Instructions to extract and apply patch for sendmail 8.12:
The data below is a uuencoded, gzip'ed tar file. Store the data
between "========= begin patch ========" and "========= end patch
==========" into a file called "patch.sm" and apply the following
command:
uudecode -p < patch.sm | gunzip -c | tar -xf -
This will give you two files:
sendmail.8.12.security.cr.patch
sendmail.8.12.security.cr.patch.sig
Check the integrity of the patch file using PGP or GPG, e.g.,
gpg --verify sendmail.8.12.security.cr.patch.sig sendmail.8.12.security.cr.patch
Then apply the patch to the sendmail source code:
cd sendmail-8.12.7
patch -p0 < sendmail.8.12.security.cr.patch
recompile sendmail, and install the new binary.
========= begin patch ========
begin 644 sendmail.8.12.security.cr.patch.tar.gz
M'XL("+5P,3X"`W-E;F1M86EL+C@N,3(N<V5C=7)I='DN8W(N<&%T8V@N=&%R
M`.T:2VPD1]71"H4V@@N72!%1V1OMS'AZ9KM[/AZ/U\X.MI==M+8W7B>*M&O-
MMGMJ9CH[T]W;W>-/-LL%A!0D)"!!Y(C@`$B`%(E+($)(X<*)7(`3![APA0.1
MD!#AO?KT9S[>#9!%@BY9GJZJ]ZI?O?^KKH`ZG:%I#\J-LFZ4`VJ-?#L\+5M^
MV3-#JS_WGVBZIM6K53)'B*'I-?R%IHE?8E2-2I60Y;I>->K+1D4G1*]6Z]H<
MT>8>0QL%H>D3,F>99\,=]RD=S/W/M5*I1`*A`Q?[U.Q0/RA;BEXAGS<=D)=6
M(?I*LZ(UC08I:="41MFHU\O5<F6^6"Q.Q:W'N$:E6=&;^C+'G;]\F93JRW6U
M08K\Y_+E>:(HBMTE^<-1]Y9V0!;62.ZVEBNP\?OL/Y^VPX"&^:OM*WN[VRKI
ME];[[>[`[`6%PGP)@11ZXIE.)V_YIG77['1\7+&@$OBODL!^A;I=]BR@N?(1
M6EB=+\Y$5V%>%?,"87PYM@*CDI%T9`Y&E*R18-CV/=<=M(/0[XR\]DF>EM8I
M'V,TI;#81LB%-?*%J^W-K2NM%Z[O\^D'C&4K*PUUF13Q1]<9SY:6%#LD0"_Q
MJ3<P+1H0Z!_;89\L/MM;+!.RWZ?$,_V`$CL@H1N:@\$I,3ND[UH,'7'MP,F%
MA!Y1A_1&IF\Z(:4=`"8#:AY1$KA#&O9MIT>"4R<TK="V<!7^]@YU6!_!C_MF
MB.]'4PIA!:0#2+CJ'L/:OHI3'1=(9,O.EP`]L30=FHY8F42KEN>+CP!%0#$\
M-PCLPP$%00Q@LT`(O"4(.7Z2;&*YOD^MD"W-IJ^X/J$GYM!#;*#1ZIM.#\A<
MW*.P]HXYI.22#X^7!5#9<H?K)+_A#H=`0&&1+0+;3\(_VTM"E)%7C%_[?1"#
M.>BYX%[[0](W`W)(@>\64.L`RT8>,A((Z`Q@$\!!,";B(ST,'93-,@.@#<S5
M`6$>PG[NC5QD-@KR$'0V&)A!G]#`,CT8!;4#O@5EIC_@@)?5.BGJFJZ#(G$%
M8NO>`*D#C\%PFZROH.;C2T)0'WRF`6H/T$J88=`.EXQ")1`$#!_V2JAS1`>N
M1^,M[]%PY#O1PB`I&Q3,Q^40T:''!+0CL%U'4JFOJ.!F@$RCJM8TJ>@*OMSU
M;-@5R!OD9$N2?#H*D"*R='&>S!?/=VC7=BBYN=V^VGIQJ[VWN[NM*/G\H4<N
MH<D-[&&!7+C`7`T\DTMK.`H.#%Q(<;YXD6D%(2W/@S$0`N@#[%F0#(O`VX\I
MR`A,PW?=89F#7^NB1%3BC1QID;AO\FP/`2[BR@G"6C=N;.ULMC>NMO;R5H$Y
MEMO@8#JNHD2=^XEGYON2&RI$,\K2H0<>>(W`0JO1*%I!`EWIN4`\)ZD703T`
MD[5!T?(:V_EY>,EVZZ6=UO86<$K7YHM;>WN[>]'8$((D\EL:%P,Y#TP"O(M+
M*53"=LQ81Y;F2[$WQ7_PLO0`>D_P<S[MV0'RF:/A#'KEK9T7MZ[OWM@B2Q2\
MX?U)0&]U8LQ:!?\.>D:L83B@1[*'9IP>`=,:4.BK;$[V(FS7.TUT#Y%JT3\$
M#T[N#=T.C7JX0GHDN&M['AA@-."-PM[0M$!:71,D%"^$1@PZ/3X.8F,T39NP
MW('KQ!/%Y'Y!P"`1BSL@D!88);$=^`,"A%-@(AKGR@P\=Q1.0XS8Q=$XI0]Y
MF60I1]'(VAK""A^CDG6-0:10(K9S'-:EDKHN>.]K-X[J;`D0/K7N<DS&)AAD
M5`E4),@:N`$NSZF--Q<C<1ER#!0,0B.<;_=L!UP\W])S"8Q8\I-82=8E<<95
M@;-P`$MU3LFQ#_H`OB-)U9B*,'A'1&HV";V3,.&N8MP)-6+(77<$?JIK^V#*
MN4NY-'Q:NQ+P)LDU&>R$'1XR0Q3/S+>F^I@:Q@,H+CY2C$'`ER`$)!`0K?FJ
MF`]*SU(D^@',`P2ZPW"_DZ]45**#W^:!HU93C1H&CH:A&@;/*M$WFYV7P74!
MIP8F4LL=.+CB#D8@<.``Q2*'(B*"#`CP<`'?S_,\EDB2$J=!@4#`P'`/_(G9
MIEP@@8=S@+;,T!!+;ET\(IZP"AP1-@6/28\$76ZB8CSJ:(R!T]!GP@/QPJ)X
MOZ0PW160\CER*],FI5W%<"@5$4WRJ-1+$)0*R32>)?$07"'O%O$2PS_PIHLB
M"8@+64!W!%EQSP6[`9TV2>!1RP:#6Y1^=%%B,S)"S#?!KBA+!.Y2ZH%/Z*&!
M8L)W`FOSA!.S6["($<M:Q0+"+%E:">E1D8_N^Z?3EQHQEQ%`)AV1#!V+2L0\
M%#\`:&,.=W@JLPS4+*Y:\%:Y!U06CZRO$6DB)9Q%A9927`>W"/G)@L3@E8T,
M\]:JS`<2\`46Y"<2"RX6YM*98T1G.9XD!MR6^8KHCG.W;^>D134:6*3INF[$
M59KBE4JB:F%9!3HR6::4E$?9RMA>IF]FZFXFWOD`=LA)75GFI!JZJE<%K?&>
M%G-(A[`"R/@T5EGRPE(J]4(4O!^VB>)TB%2"QH#N\ZT@;&0^8GO"5R`O61\S
MMM1,L2BXG#2\A422460L1Q#+A4K(&5')$OY&\3;&'EW75!U]HUYE#T*6G"'L
M3:S/0M#`/>;:S?1%QDO4?0=U1;)G"C_2#$B4[O%>HQTE7JVDV0FJ$4DH6H%7
M_QYZ%.%U9<$?:5..Y%;%V)B"36H3P$8E_PQ%$[Q]P'G*N6BP"ES7:PU10,4$
M\OU$6Q1[P7Y)F<ZQ&2R+=AQS*5HUH1J<H,H*)ZB^$A'$"N!8\PNYA*J#?(5'
MH[[O^DTR<H9XP`=NJY"4[;^I^ESFTD]$-JK7ECFUC65!K2"*_:`?W8C<U.;6
MA@-)G@<E,B777B1W[C2;N1S)]]T@;#:AX/.%6T1G#MD#_*10&$89,/A^:2`.
M0R`%@!R`%TX<]<.@23HMC%8!P"(AEV&%9CDT3\O#4R0/L*$`C&#OW!F;Y^0G
MW@&*/:`@!1XP,&)P=M7K*I12P*\5]I#6-R:$V)\Q,0F+YZH2)XRA/Z()-3Q;
MN)/>6"CEA&6E![`,FVE/4R>6O+2E*5[D#1).GK.BH:E5'5AA@!^K5B0KDDG8
M:G2$*#8N'5`JXD`@6)T:7F!"ADM>94"8Q.,8%#3+5##KQ;K>=$ZY=Y2!4U%*
M)4]P0V1`=F`&EFWGEV"&G378`4/!+0LN"TC(!'CE<N$"'Q?GBV>OP`6<\OH)
M[G%NHA'E[R72S55R#VIS;Y6D/#/+U>XA:BGA9:.#DE@EI#IA&!4A=4PU9D*-
M^VE(,&8ZZG&Q8#+R<$<]'D%G0#Z8I2,DL?<UGKTCRV[I!Y+9AW'6P]Z3)C]6
MJQEZE1#Y6'K<E`Q*LC$E@C'V2<M[,#67FFU^LWD2A7Y0[=`W[0'&>Z`62DJ>
M!T!Z#N$_)%#,]'QWY#5EK!C7]PE=Q>[D9F*?@8I7?)2%4OG4-$=2C&P@F1?)
MNDCCFXV+[HD3%\*CJZSG/.%Y#*/"G;`!U:4,L8)G<9!=Y>FE>%WDCS>PB-Z]
M>\UIL6.ODA3R=!&G!?S@T5/ZJ.0/>$TT-$_Y^20_'Q4GQ'&:'X2^U??SVU`4
M/X]S&X`?J,1B"KGSPO7K(FDT:E6U:N#>&Q6U6DM&;.*Z'CN&EN_AI^905_ED
MB)6U\(V)>E1?G98ZEF2FDX:<GE&.I=0+L@R=D5(GJE0>`HL)?7^LL>-2%CO^
MGV+'XX@;E_[[<>-#>ECF4RH:U.<5\"F52B4NU!GQD0>(LD[!7#GQKQ53)67<
MQ43K),JI8L3#<:<R`33E\"M9+I:41`TV1F4T/K-2/J-"6X^<QD2*SEFKUUEY
M5:G&Q>"XI<=:/%YL3U6*&;(?/V\0[S>J:@5#907JO*HX?T5]:$;!<CQ`"FT1
M%6HB-*Y'9ZLL@;A5T@^B:K8TM>B7`]NMC;W=K9=NM'8VTQ.Y7BZ.*_(54Y8O
MGGE<,#:1>-MT`'AK8=PR>#`21S4\'H'8?>J9ML]CA/QB33KFT(2PRM*MB5.D
MU$`RT\*/F>SL,>EF2M*1),\5Y'G;C*DS%RV,+QK;EUPV:4]GKK7.UHJ]O,9D
MM<2"M.PE'1Q;H"@*Q6!D04@-5O$CIOS(V8198.I-_ODI=%T"J5A/?)_E7SKX
M31/F2E=%']4@K4%\W#B(]`>[E0-),^]7#V(J@V$[.`T&;B]_??=S[=;UK;U]
ME;!;'W:'72(A9''3=SW\/&\[1^;`[L@/;@'I^NZ0\#LT\IO8(DLMBG*3S2E?
M/\3A.KRYX\%VPVY^,?K`NK9^9Y$KX`DH8)"/[IPDH7.W'0X$WHM]UV&?KMDW
M#0+ZB:?VR0M">-A=MI1&ZH*/MM*LK427@QJ-Y;)1UI?3MX,$(KC]"%,SFI5&
ML]9(7`VJ5B'G!D<F?J4C$_G-X@L!6$237.376@27Y`:8IT?JDR?2F,G$7YQE
ML3`V&E_AR1^Y=J>`=W=LM]T5/`J&MNN.0A5/NO:O;6_)"SJJ(([3ML%O1T1W
M)M:()(MS_Q[T4JQDFT!H8(M1)S>IAVPQ&$,KS4K,T$IM!1@Z=MLJB?T0IAHU
MC1T5BE_&U,2%JKTK[8W6SN[.M8W6=97P&U7DU5<)3#LXO]W>V=W8W=[>V@%M
M'I;6A]&M*]A<UW2L4]SK;4/3>XNX89GKR*F8T8XY%+>MIL\).3"?*+[?[:,V
MLLLB>+F&?1RR3,=UV.4?R%6'Y313Y4.YK^@&V:26X*G1K-:;E5K$TQ4=>:K7
MTDQ-8I_-T\I*%5G*?WAQA)])1PZX;M?A.3X]@;K,(:A2BF6&+%]OMV]`-L<^
GM:QE+6M9RUK6LI:UK&4M:UG+6M:REK6L92UKC];^"?7L4,L`4```
`
end
========= end patch ==========
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)
iQCVAwUBPklPeCGD4bE5bweJAQFhywP+Kn+5RdwephTcApFNsSOWfTjKxP9wv6rE
z0XPVd1ihfdByrXE1Fr8ML9uZm6fhg4vtOfJIXzsO4j0fiAWwyqwq8Mu5YAJVKOi
k/5ncMtvDZI9aRHEGEIRXapOTg/Ui5W5E3Wpep0IYCRf5wkXPqYS6ppVa5urMqKH
x/1/OqBPUCc=
=G4ha
-----END PGP SIGNATURE-----
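The announcement above spells out two procedures: verify a release tarball (published MD5 plus the detached PGP signature on the compressed file) or extract, verify and apply the 8.12 patch bundle. The script below is an added example and is not code from the announcement or from the sendmail project; it wraps those steps so that nothing touches the source tree unless every check passes. The file names and MD5 values are the ones printed in the announcement; the `SENDMAIL_SRC` location (an 8.12.7 tree) and the `patch.sm` bundle path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the sendmail announcement: a wrapper around the
# two procedures the advisory describes (verify a release tarball, or
# extract/verify/apply the 8.12 patch) that stops whenever a check fails.
# File names and MD5 values come from the announcement; SENDMAIL_SRC (the
# 8.12.7 source tree to patch) and the patch.sm location are assumptions.

SENDMAIL_SRC="${SENDMAIL_SRC:-sendmail-8.12.7}"   # assumed path to the tree to patch
PATCH_NAME="sendmail.8.12.security.cr.patch"

# expected_md5_for NAME: the MD5 published in the announcement for NAME,
# or an empty string for a file the announcement does not list.
expected_md5_for() {
    case "$1" in
        sendmail.8.12.8.tar.gz)     echo 71b4ce8276536b82d4acdf6ec8be306a ;;
        sendmail.8.12.8.tar.gz.sig) echo 2ecf7890c2ff5035aed8d342473d85a5 ;;
        sendmail.8.12.8.tar.Z)      echo b06953b5fd11f9cd63b1eb89625ad881 ;;
        sendmail.8.12.8.tar.Z.sig)  echo b505fc5b36fbba5b3af2afecb4d587b3 ;;
        *)                          echo "" ;;
    esac
}

# md5_of FILE: print the hex MD5 of FILE, using md5sum or, failing that, openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# check_md5 FILE EXPECTED: succeed only if FILE hashes to a non-empty EXPECTED.
# This catches a corrupt or truncated download; it does not prove origin,
# which is what the detached PGP signature is for.
check_md5() {
    actual=$(md5_of "$1") || return 1
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# verify_release FILE: FILE is one of the release files named above and
# FILE.sig sits next to it.  Check the published MD5 of both, then the PGP
# signature, which covers the compressed file itself (no uncompress step).
verify_release() {
    tarball=$1
    for f in "$tarball" "$tarball.sig"; do
        check_md5 "$f" "$(expected_md5_for "$(basename "$f")")" ||
            { echo "MD5 mismatch or unknown file: $f" >&2; return 1; }
    done
    gpg --verify "$tarball.sig" "$tarball" ||
        { echo "PGP signature on $tarball did not verify" >&2; return 1; }
    echo "$tarball: checksums and signature OK"
}

# apply_patch BUNDLE: BUNDLE is the uuencoded, gzip'ed tar from the advisory
# (patch.sm).  Extract it, verify the detached signature, dry-run the patch
# against the tree, and only then modify it.
apply_patch() {
    bundle=$1
    uudecode -p < "$bundle" | gunzip -c | tar -xf - || return 1
    gpg --verify "$PATCH_NAME.sig" "$PATCH_NAME" ||
        { echo "refusing to apply an unverified patch" >&2; return 1; }
    patchfile="$(pwd)/$PATCH_NAME"
    ( cd "$SENDMAIL_SRC" &&
      patch -p0 --dry-run < "$patchfile" >/dev/null &&
      patch -p0 < "$patchfile" ) ||
        { echo "patch did not apply cleanly to $SENDMAIL_SRC" >&2; return 1; }
    echo "patched $SENDMAIL_SRC; now recompile and install the new binary"
}

# Usage:  sh verify-sendmail.sh release sendmail.8.12.8.tar.gz
#         sh verify-sendmail.sh patch patch.sm
case "${1:-}" in
    release) verify_release "$2" ;;
    patch)   apply_patch "$2" ;;
esac
```

The announcement labels the hashes "MD5 signatures", but they are only checksums: a matching MD5 tells you the download is intact, while the `.sig` files, checked against the Sendmail Signing Key/2003 the announcement points to, are what tie the files to the sender. That is why the script runs both checks and never applies a patch whose `gpg --verify` failed.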