sendmail 8.12.9 available (fwd)

Sun Mar 30 01:18:14 UTC 2003


	For your edification and weekend enjoyment...


> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Sendmail, Inc., and the Sendmail Consortium announce the availability
> of sendmail 8.12.9.  It contains a fix for a critical security
> problem discovered by Michal Zalewski whom we thank for bringing
> this problem to our attention.  Sendmail urges all users to either
> upgrade to sendmail 8.12.9 or apply a patch for your sendmail version
> that is part of this announcement.  Remember to check the PGP
> signatures of patches or releases obtained via FTP or HTTP (to check
> the correctness of the patches in this announcement please verify
> the PGP signature of it).  For those not running the open source
> version, check with your vendor for a patch.
> 
> We apologize for releasing this information today (2003-03-29) but
> we were forced to do so by an e-mail on a public mailing list (that
> has been sent by an irresponsible individual) which contains
> information about the security flaw.
> 
> For a complete list of changes see the release notes down below.
> 
> Please send bug reports to sendmail-bugs at sendmail.org as usual.
> 
> Note: We have changed the way we digitally sign the source code
> distributions to simplify verification: in contrast to earlier
> versions two .sig files are provided, one each for the gzip'ed
> version and the compressed version. That is, instead of signing the
> tar file, we sign the compressed/gzip'ed files, so you do not need
> to uncompress the file before checking the signature.
> 
> This version can be found at
> 
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig
> 
> and the usual mirror sites.
> 
> MD5 signatures:
> 
> 3dba3b6d769b3681640d0a38b0eba48c sendmail.8.12.9.tar.gz
> 19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.gz.sig
> 268fc4045ba3eac6dfd9dc95d889ba5f sendmail.8.12.9.tar.Z
> 19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.Z.sig
> 
> You either need the first two files or the third and fourth, i.e.,
> the gzip'ed version or the compressed version and the corresponding
> .sig file.  The PGP signature was created using the Sendmail Signing
> Key/2003, available on the web site (http://www.sendmail.org/) or
> on the public key servers.
> 
> Since sendmail 8.11 and later includes hooks to cryptography, the
> following information from OpenSSL applies to sendmail as well.
> 
>    PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
>    SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
>    TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
>    PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
>    COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
>    SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
>    YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
>    AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
>    ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
> 
> 
> 			SENDMAIL RELEASE NOTES
>       $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $
> 
> 
> This listing shows the version of the sendmail binary, the version
> of the sendmail configuration files, the date of release, and a
> summary of the changes in that release.
> 
> 8.12.9/8.12.9	2003/03/29
> 	SECURITY: Fix a buffer overflow in address parsing due to
> 		a char to int conversion problem which is potentially
> 		remotely exploitable.  Problem found by Michal Zalewski.
>   		Note: an MTA that is not patched might be vulnerable to
> 		data that it receives from untrusted sources, which
> 		includes DNS.
> 	To provide partial protection to internal, unpatched sendmail MTAs,
> 		8.12.9 changes by default (char)0xff to (char)0x7f in
> 		headers etc.  To turn off this conversion compile with
> 		-DALLOW_255 or use the command line option -d82.101.
> 	To provide partial protection for internal, unpatched MTAs that may be
> 		performing 7->8 or 8->7 bit MIME conversions, the default
> 		for MaxMimeHeaderLength has been changed to 2048/1024.
> 		Note: this does have a performance impact, and it only
> 		protects against frontal attacks from the outside.
> 		To disable the checks and return to pre-8.12.9 defaults,
> 		set MaxMimeHeaderLength to 0/0.
> 	Do not complain about -ba when submitting mail.  Problem noted
> 		by Derek Wueppelmann.
> 	Fix compilation with Berkeley DB 1.85 on systems that do not
> 		have flock(2).  Problem noted by Andy Harper of Kings
> 		College London.
> 	Properly initialize data structure for dns maps to avoid various
> 		errors, e.g., looping processes.  Problem noted by
> 		Maurice Makaay.
> 	CONFIG: Prevent multiple application of rule to add smart host.
> 		Patch from Andrzej Filip.
> 	CONFIG: Fix queue group declaration in MAILER(`usenet').
> 	CONTRIB: buildvirtuser: New option -t builds the virtusertable
> 		text file instead of the database map.
> 	Portability:
> 		Revert wrong change made in 8.12.7 and actually use the
> 			builtin getopt() version in sendmail on Linux.
> 			This can be overridden by using -DSM_CONF_GETOPT=0
> 			in which case the OS supplied version will be used.
> 
> 
> Instructions to extract and apply the patches for sendmail:
> 
> The data below is a uuencoded, gzip'ed tar file.  Store the data
> between "========= begin patch ========" and "========= end patch
> ==========" into a file called "patch.sm" and apply the following
> command:
> 
> uudecode -p < patch.sm | gunzip -c | tar -xf -
> 
> This will give you these files (explanation for each file is on
> the left, only "prescan.VERSION.patch" are the files).
> 
> prescan.8.12.8.patch	only for 8.12.8, changes version string to 8.12.8p1
> prescan.8.12.patch	for 8.12.0 - 8.12.7, does not change version string
> prescan.8.11.6.patch	only for 8.11.6, changes version string to 8.11.6p2
> prescan.8.11.patch	for 8.11.0 - 8.11.5, does not change version string
> prescan.8.9.3.patch	only for 8.9.3, changes version string to 8.9.3p2
> prescan.8.9.patch	for 8.9.0 - 8.9.2, does not change version string
> 
> Apply the appropriate patch to your version of the sendmail source
> code (change the version number below to the right one!), e.g.,
> 
> cd sendmail-8.12.8/sendmail
> patch < prescan.8.12.8.patch
> 
> recompile sendmail, and install the new binary.
> 
> ========= begin patch ========
> begin 644 prescan.tar.gz
> M'XL("%)UA#X"`W!R97-C86XN=&%R`.U<?5/;1A/G7_,I%J<%&V3[3CJ],FD?
> MIX&!#B84T_:9)\DPPCYC38SD2#(A3]OOWCV]&XSI3(&0<!MF9-W=WN[=[=WN
> M3RME&O)HX/IMJTUIVVA/W7 at P7KEGHH08C,$*@$JH+JY()+L"&*K&`$R#46*J
> MFFD`4)6:^@J0E4>@612[(<#*P%W>[M.8\\G*-T?[_I!?.3`(_%%[L/KRW]/J
> M\4]]&'D3[D!G<!EU(NX/+UQOTDE%*)>K(8]#CU]Z_CF$>(F\P`>K;3"CK2;_
> M+//.)K:Z.O1&(V at -H!7.\UXKP):;FYO9^&HJ at 9]G$S1#0D'5'-UP=!5:!*EV
> M38-6JU4P6=!#$T$F#8CA$-5AQ@*F5%*5$LF:117-,B`I$+VF!1;@[]8J0.UU
> MX,<'P>##,7>'NSAO$;R$D^-?=[;3RMG9A+\*9OZ`=X?#$.OJTR"*+]PHYF$]
> M:=-SK_:0EX?1`??/XS&VZ77_N_?ZN'^P<[B]NI6TZ'D7/&U5;72P?[A3;;'K
> M\<FP;+"`K0-J+G0W"#^YX7#'%VLEM":BYH4W at GZW?R`:=6?QN,<'8]?WH at O1
> MPN>?HCAL='\]V3OM[?RTUSW<[_?ZS>W5S`RG;ABAM&'XP+98D7.K0>*IU&9M
> MJBVOMN8,,>>IWEB)&50DUBB#[NR\L$)B.8(C,ZA"K+"5*I=JEF9(;8<1AZK7
> MN:R%)LB8H3`T]*0`X"^Q3.)O#5X,^<CS.1R^P;4XKM5:M-;9A,@[]]T)^$$\
> M%H/V?)@$P0=WC)I`''S@/FQVTBYP:4-(.IVF?J0AE%5 at R"?>A0+3R^G9;)1>
> M(^__/*N8QM@$.XK=LV8RS%S!;$LL4;#1HLU'5W'1G.J:JNB:66[KM*#<UDA"
> M3\X!-T0\YB'^B"`, at HM4-=$`:QH?X8>7L)ZJ\3;7`K"_]\VLU1]B at PJEXR"8
> M!/ZYDY779E'(P[!1UW4-]#9M4Q!'!(\BU#P`T;3>W,X;"UFX]R8\G8`F_`"-
> M_O[_=DY/FN(D..SV=G*!M43:VZST/>[;C7=D8WOQ/#!-$?(SVQ+,?Z43G\_`
> MQYD7AGP"7 at SN)_=S.?K-CUM;V/<@4[%D0ZY0+*0KS at M<V^DL3I;1'>"9)_C7
> M1*L!\FY.M[8R=C$^+$IUS4;R1ZG&T'//_2#BX/I#2*(<F$WA#*5$G_W8O1+=
> M)LO(&(YG;AGO'L]6<NJM=0\.WOQ^JNJZ6+!,I890O`F)9MGO%H7U=5B+3X8-
> M2U6`$MIL9APXJ'4\1Z_,D3B57^!QA7V at T++K>YV^AIB_)JRC1$)&H_N;R466
> M8A!5,4AEQ^"-8F`\>&VJQ95/HF3?H!YKJ,?:!OSY)V"@%G.AUR_]D[F]<<=>
> MVRHWP++-EC6KG0=Q`)7M5NR@;,(WWKW;*,HP1(@]?\:WBP$L'+IE*(9-*T.W
> MF6(2M1PZJB\6JW)TI0IC at 9B!C^EXL]'>-=9_-M);QEF,DFQ4[$$8JXK&JAG-
> MPB(RGWV)@0>ZQ`?VV(646_TUT]`#:O:</\[**CJ*Y2CN1#Q8>&+*'*8["$5R
> MGYIW*!:L9*%VZ895ZJBVHV5N>.'24UVA5GXZ"@OV!JE+\H9OQ<E:_T_C1?.[
> M_6%E'I7+<C2):AUB=5#30L'S:.Q.O3"`G:LI?)<$@96C`B:>'V?N;RV15?LM
> M[3H5F"(]Y!+C2M7+S/`)J3=5D6]%TH/3M(K_'P3]WXG_=6)J!?['%@+_$\HD
> M_I?X7^)_B?\E_I?X7^)_B?\E_I?X7^+_)X3_)7CZMO`?QKU?)O]+6(G_-%5/
> M\[]$XK]GA?]L,X%1YM)J39\+MW.>R at VVJ.`]M+:?7;^(F:GIT/+Y7B'Q-JRG
> M(]!SB'V-(95P,\@V,(8U*V=\6J#-X;RC,#CC^S[ZX9$[2##3ZZ/]TZ/C-Z]V
> MT,-_I8BOMHNJ]:<3#(A>`IW#@$\0UFFZC8O(EM8:<U:6<51^&S<AG54:&B$.
> MHPZS"KO)12Y#=$1U--O1M6M,QBVAE(61$WNZ@"Y7\"L"="(D,VS[>HQ&OB9`
> M]R]PG$ETQ<3C\EO!<28Q%%,E$L?=.X[#0$TQC<I&P1O%-,UG at .,L9BN6SLJA
> M6[JI6(8N\[CWF,>EA*'CHVS.!^>%MV9RYR(]T]$Q=BM]:='ETE0NLFGTGZ9R
> M\:_?.\51[K]NW)8D+906$CJ$=E#)0K>!F^5'FTLRH0C)%B5J'TWXE,HT[#/"
> M_U\J_TL*_$\R_$^H)O&_Q/\2_TO\+_&_Q/\2_TO\+_&_Q/\2_\L\KJ2'P7]V
> M6WL@`'@7_C,Q;,[SOTQ+WO^EU)#X[UGA/Z8;M]<(G#;_88=NY->DKH+Y3-CE
> M9XCV,)8CIJ,:CJ:7GW2 at D"5O]FJ.JE;;YEW?<`2J92AJ]86>M$#[RE_JC?QI
> MZ/GQJ)%$T,+3!"-(?M>_C[Z/ALC3GO!8**DDWN/TJ'NR=_I;]_BD=W2SY&W6
> M0[4,79?Z/@E*.AOP(]3KX$"]4W^:KP!3W;Z]1CP*F']&K=OY-:F[CA%O&"8C
> MY1-JW;[SA5_54;4J0R[DYJ,(HBF,V(O@(3R1%WXS#1?@0WBJ`)'A%F?5/9\6
> MJ%\*(#[^N[[,-A4]?X/S&\"(S+84G:H2(]X[1M1U0]&-RE[!&RRPG\.[OIJI
> M&$RM/$=BNF+HFLP1WW#-<QG<=A!ZY[63\2SQDL"`8N1FB4^MA,>\EKG]G0\3
> MWTCMI)DF8CSA)Q?G;9E"S46?X$:#053]SK7L/T5#%!JO>/B!3_CG)J@=UA&:
> M7/N>%?W1W5^T8F=Y&C?19<'WMH^I2_7CVBK^>Z#TW]WY/V86^(^(_PN*4E.7
> M[_]*_"?QG\1_$O])_"?QG\1_$O])_"?QG\P12I(D29(D29(D29(D29(D29(D
> ?29(D29(D29(D29(D29(D29(D29JCOP%S5E@?`'@``)(D
> `
> end
> ========= end patch ==========
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (OpenBSD)
> 
> iQCVAwUBPoXFgyGD4bE5bweJAQEk9gQAvhx73sgGCLaUiNkDRKiPECbrDcgn9fH0
> JncwWXpYNlLoVFgk1VHbBTeFqtGwTVXIFUOyQvIwO8Vh53iHbffv/4NZCsZuWwpT
> L7v+uCAN0IvYQUZUUvvcJJJsEUkyYzSKCnNewYhFGDmLa1Sx6x59fYw2hfseZ/HK
> hjC59XbAdSk=
> =t4zn
> -----END PGP SIGNATURE-----
>