North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical sendmail 8.12.9 available (fwd)
For your edification and weekend enjoyment... > -----BEGIN PGP SIGNED MESSAGE----- > > Sendmail, Inc., and the Sendmail Consortium announce the availability > of sendmail 8.12.9. It contains a fix for a critical security > problem discovered by Michal Zalewski whom we thank for bringing > this problem to our attention. Sendmail urges all users to either > upgrade to sendmail 8.12.9 or apply a patch for your sendmail version > that is part of this announcement. Remember to check the PGP > signatures of patches or releases obtained via FTP or HTTP (to check > the correctness of the patches in this announcement please verify > the PGP signature of it). For those not running the open source > version, check with your vendor for a patch. > > We apologize for releasing this information today (2003-03-29) but > we were forced to do so by an e-mail on a public mailing list (that > has been sent by an irresponsible individual) which contains > information about the security flaw. > > For a complete list of changes see the release notes down below. > > Please send bug reports to [email protected] as usual. > > Note: We have changed the way we digitally sign the source code > distributions to simplify verification: in contrast to earlier > versions two .sig files are provided, one each for the gzip'ed > version and the compressed version. That is, instead of signing the > tar file, we sign the compressed/gzip'ed files, so you do not need > to uncompress the file before checking the signature. > > This version can be found at > > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig > > and the usual mirror sites. > > MD5 signatures: > > 3dba3b6d769b3681640d0a38b0eba48c sendmail.8.12.9.tar.gz > 19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.gz.sig > 268fc4045ba3eac6dfd9dc95d889ba5f sendmail.8.12.9.tar.Z > 19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.Z.sig > > You either need the first two files or the third and fourth, i.e., > the gzip'ed version or the compressed version and the corresponding > .sig file. The PGP signature was created using the Sendmail Signing > Key/2003, available on the web site (http://www.sendmail.org/) or > on the public key servers. > > Since sendmail 8.11 and later includes hooks to cryptography, the > following information from OpenSSL applies to sendmail as well. > > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME > PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR > COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL > SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE > YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT > AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR > ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY. > > > SENDMAIL RELEASE NOTES > $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $ > > > This listing shows the version of the sendmail binary, the version > of the sendmail configuration files, the date of release, and a > summary of the changes in that release. > > 8.12.9/8.12.9 2003/03/29 > SECURITY: Fix a buffer overflow in address parsing due to > a char to int conversion problem which is potentially > remotely exploitable. Problem found by Michal Zalewski. > Note: an MTA that is not patched might be vulnerable to > data that it receives from untrusted sources, which > includes DNS. > To provide partial protection to internal, unpatched sendmail MTAs, > 8.12.9 changes by default (char)0xff to (char)0x7f in > headers etc. To turn off this conversion compile with > -DALLOW_255 or use the command line option -d82.101. > To provide partial protection for internal, unpatched MTAs that may be > performing 7->8 or 8->7 bit MIME conversions, the default > for MaxMimeHeaderLength has been changed to 2048/1024. > Note: this does have a performance impact, and it only > protects against frontal attacks from the outside. > To disable the checks and return to pre-8.12.9 defaults, > set MaxMimeHeaderLength to 0/0. > Do not complain about -ba when submitting mail. Problem noted > by Derek Wueppelmann. > Fix compilation with Berkeley DB 1.85 on systems that do not > have flock(2). Problem noted by Andy Harper of Kings > College London. > Properly initialize data structure for dns maps to avoid various > errors, e.g., looping processes. Problem noted by > Maurice Makaay. > CONFIG: Prevent multiple application of rule to add smart host. > Patch from Andrzej Filip. > CONFIG: Fix queue group declaration in MAILER(`usenet'). > CONTRIB: buildvirtuser: New option -t builds the virtusertable > text file instead of the database map. > Portability: > Revert wrong change made in 8.12.7 and actually use the > builtin getopt() version in sendmail on Linux. > This can be overridden by using -DSM_CONF_GETOPT=0 > in which case the OS supplied version will be used. > > > Instructions to extract and apply the patches for sendmail: > > The data below is a uuencoded, gzip'ed tar file. Store the data > between "========= begin patch ========" and "========= end patch > ==========" into a file called "patch.sm" and apply the following > command: > > uudecode -p < patch.sm | gunzip -c | tar -xf - > > This will give you these files (explanation for each file is on > the left, only "prescan.VERSION.patch" are the files). > > prescan.8.12.8.patch only for 8.12.8, changes version string to 8.12.8p1 > prescan.8.12.patch for 8.12.0 - 8.12.7, does not change version string > prescan.8.11.6.patch only for 8.11.6, changes version string to 8.11.6p2 > prescan.8.11.patch for 8.11.0 - 8.11.5, does not change version string > prescan.8.9.3.patch only for 8.9.3, changes version string to 8.9.3p2 > prescan.8.9.patch for 8.9.0 - 8.9.2, does not change version string > > Apply the appropriate patch to your version of the sendmail source > code (change the version number below to the right one!), e.g., > > cd sendmail-8.12.8/sendmail > patch < prescan.8.12.8.patch > > recompile sendmail, and install the new binary. > > ========= begin patch ======== > begin 644 prescan.tar.gz > M'XL("%)UA#X"`W!R97-C86XN=&%R`.U<?5/;1A/G7_,I%J<%&V3[3CJ],FD? > MIX&!#B84T_:9)\DPPCYC38SD2#(A3]OOWCV]&XSI3(&0<!MF9-W=WN[=[=WN > M3RME&O)HX/IMJTUIVVA/[email protected],$*@$JH+JY()+L"&*K&`$R#46*J > MFFD`4)6:^@J0E4>@612[(<#*P%W>[M.8\\G*-T?[_I!?.3`(_%%[L/KRW]/J > M\4]]&'D3[D!G<!EU(NX/+UQOTDE%*)>K(8]#CU]Z_CF$>(F\P`>K;3"CK2;_ > M+//.)K:Z.O1&([email protected]!7.\UXKP):;FYO9^&[email protected]]G$S1#0D'5'-UP=!5:!*EV > M38-6JU4P6=!#$T$F#[email protected]*F5%*5$LF:117-,B`I$+VF!1;@[]8J0.UU > MX,<'P>##,7>'NSAO$;R$D^-?=[;3RMG9A+\*9OZ`=X?#$.OJTR"*+]PHYF$] > M:=-SK_:0EX?1`??/XS&VZ77_N_?ZN'^P<[B]NI6TZ'D7/&U5;72P?[A3;;'K > M\<FP;+"`K0-J+G0W"#^YX7#'%VLEM":[email protected]?R`:=6?QN,<'8][email protected] > MPN>?HCAL='\]V3OM[?RTUSW<[_?ZS>W5S`RG;ABAM&'XP+98D7.K0>*IU&9M > MJBVOMN8,,>>IWEB)&50DUBB#[NR\L$)B.8(C,ZA"K+"5*I=JEF9(;8<1AZK7 > MN:R%)LB8H3`T]*0`X"^Q3.)O#5X,^<CS.1R^P;4XKM5:M-;9A,@[]]T)^$$\ > M%H/V?)@$P0=WC)I`''[email protected]/FQVTBYP:4-(.IVF?J0AE%[email protected]"?>A0+3R^G9;)1> > M(^__/*[email protected]$.XK=LV8RS%S!;$LL4;#1HLU'5W'1G.J:JNB:66[KM*#<UDA" > M3\X!-T0\YB'^B"`,@HM4-=$`:QH?X8>7L)ZJ\3;7`K"_]\VLU1][email protected]"8 > M!/ZYDY779E'(P[!1UW4-]#9M4Q!'!(\BU#P`T;3>W,X;"UFX]R8\G8`F_`"- > M_O[_=DY/FN(D..SV=G*!M43:VZST/>[;C7=D8WOQ/#!-$?(SVQ+,?Z43G\_` > MQYD7AGP"[email protected])_=S.?K-CUM;V/<@4[%D0ZY0+*[email protected]<V^DL3I;1'>"9)_C7 > M1*L!\FY.M[8R=C$^+$IUS4;R1ZG&T'//_2#BX/I#2*(<F$WA#*5$G_W8O1+= > M)LO(&(YG;AGO'L]6<NJM=0\.WOQ^JNJZ6+!,I890O`F)9MGO%H7U=5B+3X8- > M2U6`$MIL9APXJ'4\1Z_,D3B57^[email protected]++K>YV^AIB_)JRC1$)&H_N;R466 > M8A!5,4AEQ^"-8F`\>&VJQ95/HF3?H!YKJ,?:!OSY)V"@%G.AUR_]D[F]<<=> > MVRHWP++-EC6KG0=Q`)[email protected];,(WWKW;*,HP1(@]?\:WBP$L'+IE*(9-*T.W > MF6(2M1PZJB\6JW)[email protected]!C^EXL]'>-=9_-M);QEF,DFQ4[$$8JXK&JAG- > MPB(RGWV)@0>ZQ`?VV(646_TUT]`#:O:</\[**CJ*Y2CN1#Q8>&+*'*8["$5R > MGYIW*!:L9*%VZ895ZJBVHV5N>.'24UVA5GXZ"@OV!JE+\H9OQ<E:_T_C1?.[ > M_6%E'I7+<C2):AUB=5#30L'S:.Q.O3"`G:LI?)<[email protected]`B:>'V?N;RV15?LM > M[3H5F"(]Y!+C2M7+S/`)J3=5D6]%TH/3M(K_'P3]WXG_=6)J!?['%@+_$\HD > M_I?X7^)_B?\E_I?X7^)_B?\E_I?X7^+_)X3_)7CZMO`?QKU?)O]+6(G_-%5/ > M\[]$XK]GA?]L,X%1YM)J39\+MW.>[email protected]`]M+:?7;^(F:GIT/+Y7B'Q-JRG > M(]!SB'V-(95P,\@V,(8U*V=\6J#-X;RC,#CC^S[ZX9$[2##3ZZ/]TZ/C-Z]V > MT,-_I8BOMHNJ]:<3#(A>`IW#@$\0UFFZC8O(EM8:<U:6<51^&S<AG54:&B$. > MHPZS"KO)12Y#=$1U--O1M6M,QBVAE([email protected]"Y7\"L"="(D,VS[>HQ&OB9` > M]R]PG$ETQ<3C\EO!<28Q%%,E$L?=.X[#0$TQC<I&P1O%-,[email protected],L9BN6SLJA > M6[JI6(8N\[CWF,>EA*'CHVS.!^>%MV9RYR(]T]$Q=BM]:='ETE0NLFGTGZ9R > M\:_?.\51[K]NW)8D+906$CJ$=E#)0K>!F^5'FTLRH0C)%B5J'TWXE,HT[#/" > M_U\J_TL*_$\R_$^H)O&_Q/\2_TO\+_&_Q/\2_TO\+_&_Q/\2_\L\KJ2'P7]V > [email protected]`'@7_C,Q;,[SOTQ+WO^EU)#X[UGA/Z8;M]<(G#;_88=NY->DKH+Y3-CE > M9XCV,)8CIJ,:CJ:[email protected]"5O]FJ.JE;;YEW?<`2J92AJ]86>M$#[RE_JC?QI > MZ/GQJ)%$T,+3!"-(?M>_C[Z/ALC3GO!8**DDWN/TJ'NR=_I;]_BD=W2SY&W6 > M0[4,79?Z/@E*.AOP(]3KX$"]4W^:KP!3W;Z]1CP*F']&K=OY-:F[CA%O&"8C > MY1-JW;[SA5_54;4J0R[DYJ,(HBF,V([email protected](3R1%WXS#[email protected]`)'A%F?5/9\6 > MJ%\*(#[^N[[,-A4]?X/S&\"(S+84G:H2(]X[1M1U0]&-RE[!&RRPG\.[OIJI > M&$RM/$=BNF+HFLP1WW#-<QG<=A!ZY[63\2SQDL"`8N1FB4^MA,>\EKG]G0\3 > MWTCMI)DF8CSA)Q?G;9E"S46?X$:#053]SK7L/T5#%!JO>/B!3_CG)[email protected]=UA&: > M7/N>%?W1W5^T8F=Y&C?19<'WMH^I2_7CVBK^>Z#TW]WY/V86^(^(_PN*4E.7 > M[_]*_"?QG\1_$O])_"?QG\1_$O])_"?QG\P12I(D29(D29(D29(D29(D29(D > ?29(D29(D29(D29(D29(D29(D29JCOP%[email protected]?`'@``)(D > ` > end > ========= end patch ========== > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.1 (OpenBSD) > > iQCVAwUBPoXFgyGD4bE5bweJAQEk9gQAvhx73sgGCLaUiNkDRKiPECbrDcgn9fH0 > JncwWXpYNlLoVFgk1VHbBTeFqtGwTVXIFUOyQvIwO8Vh53iHbffv/4NZCsZuWwpT > L7v+uCAN0IvYQUZUUvvcJJJsEUkyYzSKCnNewYhFGDmLa1Sx6x59fYw2hfseZ/HK > hjC59XbAdSk= > =t4zn > -----END PGP SIGNATURE----- >
|