-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2003.0135 -- Sendmail Consortium Announcement
                          sendmail 8.12.8 available
                               04 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                sendmail all versions prior to 8.12.8
Vendor:                 Sendmail Consortium
Impact:                 Root Compromise
Access Required:        Remote
Ref:                    AA-2003.01
                        ESB-2003.0134
Comment:                CVE Id: CAN-2002-1337

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability of
sendmail 8.12.8. It contains a fix for a critical security problem
discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force for
bringing this problem to our attention. Sendmail urges all users to
either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that is
part of this announcement. Patches for older versions can be downloaded
from ftp.sendmail.org, see http://www.sendmail.org/ for details.
Remember to check the PGP signatures of patches or releases obtained.
For those not running the open source version, check with your vendor
for a patch.

There is a bug fix for ident parsing in 8.12.8. While this is not
believed to be exploitable, if you are not upgrading to 8.12.8, you may
want to turn off ident checking by adding this to your .mc file:

define(`confTO_IDENT', `0s')

For a complete list of changes see the release notes down below.
Please send bug reports to sendmail-bugs@sendmail.org as usual.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier versions
two .sig files are provided, one each for the gzip'ed version and the
compressed version.
That is, instead of signing the tar file, we sign the compressed/gzip'ed
files, so you do not need to uncompress the file before checking the
signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

71b4ce8276536b82d4acdf6ec8be306a  sendmail.8.12.8.tar.gz
2ecf7890c2ff5035aed8d342473d85a5  sendmail.8.12.8.tar.gz.sig
b06953b5fd11f9cd63b1eb89625ad881  sendmail.8.12.8.tar.Z
b505fc5b36fbba5b3af2afecb4d587b3  sendmail.8.12.8.tar.Z.sig

You either need the first two files or the third and fourth, i.e., the
gzip'ed version or the compressed version and the corresponding .sig
file.

The PGP signature was created using the Sendmail Signing Key/2003,
available on the web site (http://www.sendmail.org/) or on the public
key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY,
RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU
MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $

This listing shows the version of the sendmail binary, the version of
the sendmail configuration files, the date of release, and a summary of
the changes in that release.
8.12.8/8.12.8   2003/02/11
    SECURITY: Fix a remote buffer overflow in header parsing by dropping
        sender and recipient header comments if the comments are too
        long.  Problem noted by Mark Dowd of ISS X-Force.
    Fix a potential non-exploitable buffer overflow in parsing the .cf
        queue settings and potential buffer underflow in parsing ident
        responses.  Problem noted by Yichen Xie of Stanford University
        Compilation Group.
    Fix ETRN #queuegroup command: actually start a queue run for the
        selected queue group.  Problem noted by Jos Vos.
    If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
        log the fixup as "Fixed MIME header" instead of "Truncated MIME
        header".  Problem noted by Ian J Hart.
    CONFIG: Fix regression bug in proto.m4 that caused a bogus error
        message: "FEATURE() should be before MAILER()".
    MAIL.LOCAL: Be more explicit in some error cases, i.e., whether a
        mailbox has more than one link or whether it is not a regular
        file.  Patch from John Beck of Sun Microsystems.

Instructions to extract and apply patch for sendmail 8.12:

The data below is a uuencoded, gzip'ed tar file. Store the data between
"========= begin patch ========" and "========= end patch =========="
into a file called "patch.sm" and apply the following command:

uudecode -p < patch.sm | gunzip -c | tar -xf -

This will give you two files:

sendmail.8.12.security.cr.patch
sendmail.8.12.security.cr.patch.sig

Check the integrity of the patch file using PGP or GPG, e.g.,

gpg --verify sendmail.8.12.security.cr.patch.sig sendmail.8.12.security.cr.patch

Then apply the patch to the sendmail source code:

cd sendmail-8.12.7
patch -p0 < sendmail.8.12.security.cr.patch

recompile sendmail, and install the new binary.
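The steps above (checksum, detached-signature check, uudecode/patch, rebuild) put together as one script. This is an added example and not part of the Sendmail announcement or the AusCERT bulletin. It assumes the Sendmail Signing Key/2003 has already been imported into the local GnuPG keyring and that its fingerprint, obtained out of band from http://www.sendmail.org/ or a key server, is placed in SENDMAIL_KEY_FPR (the placeholder value below is not the real fingerprint); the `sh Build` / `sh Build install` step is the stock sendmail 8.12 build procedure, which the announcement only summarises as "recompile sendmail". Two points the announcement leaves implicit are made explicit here: the MD5 sums only detect a corrupt download, because they travel in the same message an attacker would have to forge, so the PGP signature is the only origin check; and a bare `gpg --verify` exit status says nothing about which key signed, so the VALIDSIG status line is matched against the expected fingerprint.

```shell
#!/bin/sh
# Added example: verify and apply the sendmail 8.12.8 release or the
# 8.12 security patch in the order the announcement gives
# (MD5 -> PGP signature -> patch/build). Not Sendmail's or AusCERT's code.
set -eu

# ASSUMPTION: the Sendmail Signing Key/2003 is already in the keyring and
# this is its fingerprint, verified out of band. Placeholder, not real.
SENDMAIL_KEY_FPR="${SENDMAIL_KEY_FPR:-REPLACE_WITH_SENDMAIL_SIGNING_KEY_2003_FINGERPRINT}"

# Hex MD5 of a file; GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_md5 FILE EXPECTED -> exit 0 if the published sum matches.
# Guards against a corrupt download only; it is not an origin check.
check_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# verify_sig SIGFILE FILE -> exit 0 only if the detached signature is
# valid AND was made by the expected key. gpg's own exit status would
# also accept any other key that happens to be in the keyring.
verify_sig() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $SENDMAIL_KEY_FPR "
}

# Path A: full release. The .sig covers the compressed archive itself,
# so it is checked before anything is uncompressed.
#   verify_release sendmail.8.12.8.tar.gz sendmail.8.12.8.tar.gz.sig \
#                  71b4ce8276536b82d4acdf6ec8be306a
verify_release() {
    tarball=$1; sigfile=$2; expected_md5=$3
    check_md5 "$tarball" "$expected_md5" ||
        { echo "MD5 mismatch: $tarball" >&2; return 1; }
    verify_sig "$sigfile" "$tarball" ||
        { echo "bad or unexpected signature: $tarball" >&2; return 1; }
    echo "verified $tarball"
}

# Path B: patch carried in the announcement. PATCHFILE holds the text
# between the "begin patch" and "end patch" markers (the "patch.sm"
# file of the instructions); SRCDIR is an unpacked sendmail-8.12.7 tree.
# The patch is applied only after its detached signature verifies.
apply_announced_patch() {
    patchfile=$1; srcdir=$2
    workdir=$(mktemp -d)
    uudecode -p < "$patchfile" | gunzip -c | tar -xf - -C "$workdir"
    verify_sig "$workdir/sendmail.8.12.security.cr.patch.sig" \
               "$workdir/sendmail.8.12.security.cr.patch" ||
        { echo "refusing to apply unverified patch" >&2; return 1; }
    ( cd "$srcdir" && patch -p0 < "$workdir/sendmail.8.12.security.cr.patch" )
    # ASSUMPTION: stock 8.12 build; the announcement just says "recompile".
    ( cd "$srcdir" && sh Build && sh Build install )
}
```

Run `verify_release` with the tarball, its `.sig` and the MD5 published for that tarball, or `apply_announced_patch patch.sm sendmail-8.12.7`; either function refuses to continue when the signature is missing, invalid, or made by a key other than the one whose fingerprint you checked.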
========= begin patch ======== begin 644 sendmail.8.12.security.cr.patch.tar.gz M'XL("+5P,3X"`W-E;F1M86EL+C@N,3(N<V5C=7)I='DN8W(N<&%T8V@N=&%R M`.T:2VPD1]71"H4V@@N72!%1V1OMS'AZ9KM[/AZ/U\X.MI==M+8W7B>*M&O- MMGMJ9CH[T]W;W>-/-LL%A!0D)"!!Y(C@`$B`%(E+($)(X<*)7(`3![APA0.1 MD!#AO?KT9S[>#9!%@BY9GJZJ]ZI?O?^KKH`ZG:%I#\J-LFZ4`VJ-?#L\+5M^ MV3-#JS_WGVBZIM6K53)'B*'I-?R%IHE?8E2-2I60Y;I>->K+1D4G1*]6Z]H< MT>8>0QL%H>D3,F>99\,=]RD=S/W/M5*I1`*A`Q?[U.Q0/RA;BEXAGS<=D)=6 M(?I*LZ(UC08I:="41MFHU\O5<F6^6"Q.Q:W'N$:E6=&;^C+'G;]\F93JRW6U M08K\Y_+E>:(HBMTE^<-1]Y9V0!;62.ZVEBNP\?OL/Y^VPX"&^:OM*WN[VRKI ME];[[>[`[`6%PGP)@11ZXIE.)V_YIG77['1\7+&@$OBODL!^A;I=]BR@N?(1 M6EB=+\Y$5V%>%?,"87PYM@*CDI%T9`Y&E*R18-CV/=<=M(/0[XR\]DF>EM8I M'V,TI;#81LB%-?*%J^W-K2NM%Z[O\^D'C&4K*PUUF13Q1]<9SY:6%#LD0"_Q MJ3<P+1H0Z!_;89\L/MM;+!.RWZ?$,_V`$CL@H1N:@\$I,3ND[UH,'7'MP,F% MA!Y1A_1&IF\Z(:4=`"8#:AY1$KA#&O9MIT>"4R<TK="V<!7^]@YU6!_!C_MF MB.]'4PIA!:0#2+CJ'L/:OHI3'1=(9,O.EP`]L30=FHY8F42KEN>+CP!%0#$\ M-PCLPP$%00Q@LT`(O"4(.7Z2;&*YOD^MD"W-IJ^X/J$GYM!#;*#1ZIM.#\A< MW*.P]HXYI.22#X^7!5#9<H?K)+_A#H=`0&&1+0+;3\(_VTM"E)%7C%_[?1"# M.>BYX%[[0](W`W)(@>\64.L`RT8>,A((Z`Q@$\!!,";B(ST,'93-,@.@#<S5 M`6$>PG[NC5QD-@KR$'0V&)A!G]#`,CT8!;4#O@5EIC_@@)?5.BGJFJZ#(G$% M8NO>`*D#C\%PFZROH.;C2T)0'WRF`6H/T$J88=`.EXQ")1`$#!_V2JAS1`>N M1^,M[]%PY#O1PB`I&Q3,Q^40T:''!+0CL%U'4JFOJ.!F@$RCJM8TJ>@*OMSU M;-@5R!OD9$N2?#H*D"*R='&>S!?/=VC7=BBYN=V^VGIQJ[VWN[NM*/G\H4<N MH<D-[&&!7+C`7`T\DTMK.`H.#%Q(<;YXD6D%(2W/@S$0`N@#[%F0#(O`VX\I MR`A,PW?=89F#7^NB1%3BC1QID;AO\FP/`2[BR@G"6C=N;.ULMC>NMO;R5H$Y MEMO@8#JNHD2=^XEGYON2&RI$,\K2H0<>>(W`0JO1*%I!`EWIN4`\)ZD703T` MD[5!T?(:V_EY>,EVZZ6=UO86<$K7YHM;>WN[>]'8$((D\EL:%P,Y#TP"O(M+ M*53"=LQ81Y;F2[$WQ7_PLO0`>D_P<S[MV0'RF:/A#'KEK9T7MZ[OWM@B2Q2\ MX?U)0&]U8LQ:!?\.>D:L83B@1[*'9IP>`=,:4.BK;$[V(FS7.TUT#Y%JT3\$ M#T[N#=T.C7JX0GHDN&M['AA@-."-PM[0M$!:71,D%"^$1@PZ/3X.8F,T39NP MW('KQ!/%Y'Y!P"`1BSL@D!88);$=^`,"A%-@(AKGR@P\=Q1.0XS8Q=$XI0]Y MF60I1]'(VAK""A^CDG6-0:10(K9S'-:EDKHN>.]K-X[J;`D0/K7N<DS&)AAD 
M5`E4),@:N`$NSZF--Q<C<1ER#!0,0B.<;_=L!UP\W])S"8Q8\I-82=8E<<95 M@;-P`$MU3LFQ#_H`OB-)U9B*,'A'1&HV";V3,.&N8MP)-6+(77<$?JIK^V#* MN4NY-'Q:NQ+P)LDU&>R$'1XR0Q3/S+>F^I@:Q@,H+CY2C$'`ER`$)!`0K?FJ MF`]*SU(D^@',`P2ZPW"_DZ]45**#W^:!HU93C1H&CH:A&@;/*M$WFYV7P74! MIP8F4LL=.+CB#D8@<.``Q2*'(B*"#`CP<`'?S_,\EDB2$J=!@4#`P'`/_(G9 MIEP@@8=S@+;,T!!+;ET\(IZP"AP1-@6/28\$76ZB8CSJ:(R!T]!GP@/QPJ)X MOZ0PW160\CER*],FI5W%<"@5$4WRJ-1+$)0*R32>)?$07"'O%O$2PS_PIHLB M"8@+64!W!%EQSP6[`9TV2>!1RP:#6Y1^=%%B,S)"S#?!KBA+!.Y2ZH%/Z*&! M8L)W`FOSA!.S6["($<M:Q0+"+%E:">E1D8_N^Z?3EQHQEQ%`)AV1#!V+2L0\ M%#\`:&,.=W@JLPS4+*Y:\%:Y!U06CZRO$6DB)9Q%A9927`>W"/G)@L3@E8T, M\]:JS`<2\`46Y"<2"RX6YM*98T1G.9XD!MR6^8KHCG.W;^>D134:6*3INF[$ M59KBE4JB:F%9!3HR6::4E$?9RMA>IF]FZFXFWOD`=LA)75GFI!JZJE<%K?&> M%G-(A[`"R/@T5EGRPE(J]4(4O!^VB>)TB%2"QH#N\ZT@;&0^8GO"5R`O61\S MMM1,L2BXG#2\A422460L1Q#+A4K(&5')$OY&\3;&'EW75!U]HUYE#T*6G"'L M3:S/0M#`/>;:S?1%QDO4?0=U1;)G"C_2#$B4[O%>HQTE7JVDV0FJ$4DH6H%7 M_QYZ%.%U9<$?:5..Y%;%V)B"36H3P$8E_PQ%$[Q]P'G*N6BP"ES7:PU10,4$ M\OU$6Q1[P7Y)F<ZQ&2R+=AQS*5HUH1J<H,H*)ZB^$A'$"N!8\PNYA*J#?(5' MH[[O^DTR<H9XP`=NJY"4[;^I^ESFTD]$-JK7ECFUC65!K2"*_:`?W8C<U.;6 MA@-)G@<E,B777B1W[C2;N1S)]]T@;#:AX/.%6T1G#MD#_*10&$89,/A^:2`. M0R`%@!R`%TX<]<.@23HMC%8!P"(AEV&%9CDT3\O#4R0/L*$`C&#OW!F;Y^0G MW@&*/:`@!1XP,&)P=M7K*I12P*\5]I#6-R:$V)\Q,0F+YZH2)XRA/Z()-3Q; MN)/>6"CEA&6E![`,FVE/4R>6O+2E*5[D#1).GK.BH:E5'5AA@!^K5B0KDDG8 M:G2$*#8N'5`JXD`@6)T:7F!"ADM>94"8Q.,8%#3+5##KQ;K>=$ZY=Y2!4U%* M)4]P0V1`=F`&EFWGEV"&G378`4/!+0LN"TC(!'CE<N$"'Q?GBV>OP`6<\OH) M[G%NHA'E[R72S55R#VIS;Y6D/#/+U>XA:BGA9:.#DE@EI#IA&!4A=4PU9D*- M^VE(,&8ZZG&Q8#+R<$<]'D%G0#Z8I2,DL?<UGKTCRV[I!Y+9AW'6P]Z3)C]6 MJQEZE1#Y6'K<E`Q*LC$E@C'V2<M[,#67FFU^LWD2A7Y0[=`W[0'&>Z`62DJ> M!T!Z#N$_)%#,]'QWY#5EK!C7]PE=Q>[D9F*?@8I7?)2%4OG4-$=2C&P@F1?) 
MNDCCFXV+[HD3%\*CJZSG/.%Y#*/"G;`!U:4,L8)G<9!=Y>FE>%WDCS>PB-Z] M>\UIL6.ODA3R=!&G!?S@T5/ZJ.0/>$TT-$_Y^20_'Q4GQ'&:'X2^U??SVU`4 M/X]S&X`?J,1B"KGSPO7K(FDT:E6U:N#>&Q6U6DM&;.*Z'CN&EN_AI^905_ED MB)6U\(V)>E1?G98ZEF2FDX:<GE&.I=0+L@R=D5(GJE0>`HL)?7^LL>-2%CO^ MGV+'XX@;E_[[<>-#>ECF4RH:U.<5\"F52B4NU!GQD0>(LD[!7#GQKQ53)67< MQ43K),JI8L3#<:<R`33E\"M9+I:41`TV1F4T/K-2/J-"6X^<QD2*SEFKUUEY M5:G&Q>"XI<=:/%YL3U6*&;(?/V\0[S>J:@5#907JO*HX?T5]:$;!<CQ`"FT1 M%6HB-*Y'9ZLL@;A5T@^B:K8TM>B7`]NMC;W=K9=NM'8VTQ.Y7BZ.*_(54Y8O MGGE<,#:1>-MT`'AK8=PR>#`21S4\'H'8?>J9ML]CA/QB33KFT(2PRM*MB5.D MU$`RT\*/F>SL,>EF2M*1),\5Y'G;C*DS%RV,+QK;EUPV:4]GKK7.UHJ]O,9D MM<2"M.PE'1Q;H"@*Q6!D04@-5O$CIOS(V8198.I-_ODI=%T"J5A/?)_E7SKX M31/F2E=%']4@K4%\W#B(]`>[E0-),^]7#V(J@V$[.`T&;B]_??=S[=;UK;U] ME;!;'W:'72(A9''3=SW\/&\[1^;`[L@/;@'I^NZ0\#LT\IO8(DLMBG*3S2E? M/\3A.KRYX\%VPVY^,?K`NK9^9Y$KX`DH8)"/[IPDH7.W'0X$WHM]UV&?KMDW M#0+ZB:?VR0M">-A=MI1&ZH*/MM*LK427@QJ-Y;)1UI?3MX,$(KC]"%,SFI5& ML]9(7`VJ5B'G!D<F?J4C$_G-X@L!6$237.376@27Y`:8IT?JDR?2F,G$7YQE ML3`V&E_AR1^Y=J>`=W=LM]T5/`J&MNN.0A5/NO:O;6_)"SJJ(([3ML%O1T1W M)M:()(MS_Q[T4JQDFT!H8(M1)S>IAVPQ&$,KS4K,T$IM!1@Z=MLJB?T0IAHU MC1T5BE_&U,2%JKTK[8W6SN[.M8W6=97P&U7DU5<)3#LXO]W>V=W8W=[>V@%M M'I;6A]&M*]A<UW2L4]SK;4/3>XNX89GKR*F8T8XY%+>MIL\).3"?*+[?[:,V MLLLB>+F&?1RR3,=UV.4?R%6'Y313Y4.YK^@&V:26X*G1K-:;E5K$TQ4=>:K7 MTDQ-8I_-T\I*%5G*?WAQA)])1PZX;M?A.3X]@;K,(:A2BF6&+%]OMV]`-L<^ M>BZI9.Q!Q0VR?P54%H&/<\I2Q*GD$@A6?#B82N*+%(@B*<,/O@H=>N%IC-': MW-S;NGDS#2@&E:4>#:UP\!!HH%^Q'6LP@LB4HN*077V+<!*/<NMI.N?GLO:1 MM^#L^[_EP.Y]Q/=_811RQ_3]WYI>7\[N_SZ.]MK<-\]];&Y=>^^K"U_\PULK M[I.O/?'$<V^>^^#YN7=N/7UIY\WOM]8W[S0.WOO@2FE^]<]_?^-77UIXI_[# MI_/?^.3[9N]GHZ^]]=-O_^*OI;4GM7/??>H?OPO7/O7ZI]6O')Q^YWN_N?+\ MC]_[??'-I\J?_?C;VLB[_\3)C_RO?_DS=W_PP2=>>>KMMW_YUC,_#]]9^5.K M_Y=GWO\C>4,_]^ZOO_7Z^9\X[_[V]@__]G)FF5G+6M:REK6L92UK6<M:UK*6 GM:QE+6M9RUK6LI:UK&4M:UG+6M:REK6L92UKC];^"?7L4,L`4``` ` end ========= end patch ========== - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (OpenBSD) 
iQCVAwUBPklPeCGD4bE5bweJAQFhywP+Kn+5RdwephTcApFNsSOWfTjKxP9wv6rE
z0XPVd1ihfdByrXE1Fr8ML9uZm6fhg4vtOfJIXzsO4j0fiAWwyqwq8Mu5YAJVKOi
k/5ncMtvDZI9aRHEGEIRXapOTg/Ui5W5E3Wpep0IYCRf5wkXPqYS6ppVa5urMqKH
x/1/OqBPUCc=
=G4ha
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPmRtmyh9+71yA2DNAQHx3wP9GeymNkRad7f/VAfd4ufYQrH0g+7/VSPE
2Is6qL6Lt1IYGL1I9mkweHHoc6YIXRQ6TK4MOegfs2jMP0Z4AbMt3/FCwA/n+fkz
FbCBlMhvhGGkih2Knti/xdYauqCt/fWU2XQ9ZocKxpDp8jqy1c5pBCx5jdfPv/zy
Wx6dJQk9k0w=
=PODB
-----END PGP SIGNATURE-----