[CLA-2003:742] Conectiva Security Announcement - sendmail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : sendmail
SUMMARY : Remote vulnerability
DATE : 2003-09-18 15:56:00
ID : CLA-2003:742
RELEVANT
RELEASES : 7.0, 8, 9
- -------------------------------------------------------------------------
DESCRIPTION
Sendmail[1] is a widely used Mail Transfer Agent (MTA).
Michal Zalewski reported[2] a remote vulnerability[3] in sendmail
versions 8.12.9 and earlier. The problem resides in the address
parsing code and can be exploited to execute arbitrary code in the
context of the server. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0694 to this
issue[4].
The sendmail authors have released a new version[5], 8.12.10, which
fixes this vulnerability. They have also made available a patch[6]
for older versions, which the packages provided via this announcement
contain.
This update also includes fixes for a buffer overflow vulnerability
in the ruleset parsing code. This vulnerability is not exploitable in
the default configuration and requires the use of non-standard
rulesets recipients. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0681 to this
issue[7].
Starting with Conectiva Linux 7.0, sendmail is no longer the default
mail server and has been replaced with Postfix (but sendmail is still
shipped with all Conectiva Linux versions).
SOLUTION
All sendmail users should upgrade immediately. If the service is
already active, it should be restarted after the upgrade in order to
close the vulnerability. To do so, execute the following command as
root:
/sbin/service sendmail restart
REFERENCES:
1.http://www.sendmail.org/
2.http://www.securityfocus.com/archive/1/337839
3.http://www.kb.cert.org/vuls/id/784980
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694
5.http://www.sendmail.org/8.12.10.html
6.http://www.sendmail.org/parse8.359.2.8.html
7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-8.12.5-26986U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-cf-8.12.5-26986U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-doc-8.12.5-26986U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/sendmail-8.12.5-26986U90_3cl.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
unsubscribe: conectiva-updates-unsubscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE/agBb42jd0JmAcZARAmkUAJwPP0jdvBaDOFvo1wZO05r4iSJtKgCfcCDa
v3XRcIKd7hqFa7VwKGVPGU4=
=ilss
-----END PGP SIGNATURE-----