|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : sendmail SUMMARY : Remote vulnerability DATE : 2003-09-18 15:56:00 ID : CLA-2003:742 RELEVANT RELEASES : 7.0, 8, 9 - ------------------------------------------------------------------------- DESCRIPTION Sendmail[1] is a widely used Mail Transfer Agent (MTA). Michal Zalewski reported[2] a remote vulnerability[3] in sendmail versions 8.12.9 and earlier. The problem resides in the address parsing code and can be exploited to execute arbitrary code in the context of the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0694 to this issue[4]. The sendmail authors have released a new version[5], 8.12.10, which fixes this vulnerability. They have also made available a patch[6] for older versions, which the packages provided via this announcement contain. This update also includes fixes for a buffer overflow vulnerability in the ruleset parsing code. This vulnerability is not exploitable in the default configuration and requires the use of non-standard rulesets recipients. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0681 to this issue[7]. Starting with Conectiva Linux 7.0, sendmail is no longer the default mail server and has been replaced with Postfix (but sendmail is still shipped with all Conectiva Linux versions). SOLUTION All sendmail users should upgrade immediately. If the service is already active, it should be restarted after the upgrade in order to close the vulnerability. To do so, execute the following command as root: /sbin/service sendmail restart REFERENCES: 1.http://www.sendmail.org/ 2.http://www.securityfocus.com/archive/1/337839 3.http://www.kb.cert.org/vuls/id/784980 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694 5.http://www.sendmail.org/8.12.10.html 6.http://www.sendmail.org/parse8.359.2.8.html 7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_5cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_5cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-8.12.5-26986U90_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-cf-8.12.5-26986U90_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-doc-8.12.5-26986U90_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/sendmail-8.12.5-26986U90_3cl.src.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/agBb42jd0JmAcZARAmkUAJwPP0jdvBaDOFvo1wZO05r4iSJtKgCfcCDa v3XRcIKd7hqFa7VwKGVPGU4= =ilss -----END PGP SIGNATURE-----