MDKSA-2003:092 - Updated sendmail packages fix buffer overflow vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________
Package name: sendmail
Advisory ID: MDKSA-2003:092
Date: September 17th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1
________________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered in the address parsing
code in all versions of sendmail prior to 8.12.10 by Michal Zalewski,
with a patch to fix the problem provided by Todd C. Miller. This
vulnerability seems to be remotely exploitable on Linux systems running
on the x86 platform; the sendmail team is unsure of other platforms
(CAN-2003-0694).
Another potential buffer overflow was fixed in ruleset parsing which is
not exploitable in the default sendmail configuration. A problem may
occur if non-standard rulesets recipient (2), final (4), or mailer-
specific envelope recipients rulesets are use. This problem was
discovered by Timo Sirainen (CAN-2003-0681).
MandrakeSoft encourages all users who use sendmail to upgrade to the
provided packages which are patched to fix both problems.
________________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694
http://www.sendmail.org/8.12.10.html
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
________________________________________________________________________
Updated Packages:
Corporate Server 2.1:
7870e3e3f35647266197194e933f5ed7
corporate/2.1/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
3df2666ba0c7eef233a0060d799d86c4
corporate/2.1/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
e09d65fa52f14038643602d9c41ea72b
corporate/2.1/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
6c580bbbc7212e13b2a27de1e727254d
corporate/2.1/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
e9aa39db8dad6941af1e3a6e8c857cb5
corporate/2.1/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm
Mandrake Linux 8.2:
87a2d830b724bc67640ea4e267a60517 8.2/RPMS/sendmail-8.12.1-4.5mdk.i586.rpm
b21c82a3f1b554aecd5227ab7269aea4 8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.i586.rpm
aed850225f1902657b02010a703d744c
8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.i586.rpm
aca8d9015390056de17b16db3fecc3e4 8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.i586.rpm
b0a8f5bbc575c2fc8b0dcaf2af00cbba 8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm
Mandrake Linux 8.2/PPC:
993a8769ba667651e4319c27c9e82b7e ppc/8.2/RPMS/sendmail-8.12.1-4.5mdk.ppc.rpm
6c9e501287a7eccec51b10dce7c6e6fb
ppc/8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.ppc.rpm
e8d204f807ee1ea4a364fb4afdc24439
ppc/8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.ppc.rpm
cb695b306b372a540e363006adfc5f54
ppc/8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.ppc.rpm
b0a8f5bbc575c2fc8b0dcaf2af00cbba ppc/8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm
Mandrake Linux 9.0:
7870e3e3f35647266197194e933f5ed7 9.0/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
3df2666ba0c7eef233a0060d799d86c4 9.0/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
e09d65fa52f14038643602d9c41ea72b
9.0/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
6c580bbbc7212e13b2a27de1e727254d 9.0/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
e9aa39db8dad6941af1e3a6e8c857cb5 9.0/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm
Mandrake Linux 9.1:
abf1ad68f3835ce7f2593f935af97c95 9.1/RPMS/sendmail-8.12.9-1.2mdk.i586.rpm
26427faee7bc48e521e370a7957865a7 9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.i586.rpm
a531c3ec3b6807428968254854d863b2
9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.i586.rpm
3e70938f6cb88c69f3a004c96b3ec347 9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.i586.rpm
1d575885387c5130d993d15cdfec56e5 9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm
Mandrake Linux 9.1/PPC:
ff80af8ecc2af755689271c495cffed2 ppc/9.1/RPMS/sendmail-8.12.9-1.2mdk.ppc.rpm
d29850a5cd7322d7d908a2c7299133ea
ppc/9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.ppc.rpm
503d3aae07c0b8f707fd0f6187990dbd
ppc/9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.ppc.rpm
10c1cb226d1e991eed8f974d1b62dc33
ppc/9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.ppc.rpm
1d575885387c5130d993d15cdfec56e5 ppc/9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________
To upgrade automatically, use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/aSWpmqjQ0CJFipgRAprYAJoDoD//KswcpWMNsRGS1pngxcbVHQCgpRhj
LNIH0ocjUdSWrnhyQhjWE30=
=cHFW
-----END PGP SIGNATURE-----