----- Original Message -----
From: "Conectiva Updates" <secure@conectiva.com.br>
To: <conectiva-updates@papaleguas.conectiva.com.br>
Sent: Wednesday, April 30, 2003 10:13 AM
Subject: [CLA-2003:614] REVISED: Conectiva Security Announcement - sendmail

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------------
>
> PACKAGE   : sendmail
> SUMMARY   : Buffer overflow vulnerability
> DATE      : 2003-04-04 15:10:00
> REVISED   : 2003-04-30 14:50:00
> ID        : CLA-2003:614
> RELEVANT
> RELEASES  : 6.0, 7.0, 8, 9
>
> - --------------------------------------------------------------------------
>
> DESCRIPTION
>
> NOTE: this is a revision of the CLA-2003:614 advisory. The only change
> is the inclusion of this note and packages for Conectiva Linux 9 which
> was not addressed before.
>
> Sendmail[1] is a widely used Mail Transfer Agent (MTA).
>
> Michal Zalewski reported[6] a remote vulnerability[5] in sendmail
> versions 8.12.8 and below. The vulnerability lies in the address
> parser which performs insufficient bounds checking in certain
> conditions due to a char to int conversion.
>
> It is believed to be possible for remote attackers to cause a Denial
> of Service condition and to even execute arbitrary commands with the
> same permissions under which the sendmail daemon runs, which is
> root.
>
> The sendmail authors have released a new version[2], 8.12.9, which
> fixes this vulnerability. They have also made available patches[3]
> for older versions, which the packages provided via this announcement
> contain.
>
> Starting with Conectiva Linux 7.0, sendmail is no longer the default
> mail server and has been replaced with Postfix. But sendmail is still
> shipped in all Conectiva Linux versions.
>
>
> SOLUTION
> All sendmail users should upgrade immediately. If the service is
> already active, it should be restarted after the upgrade in order to
> close the vulnerability. To do so, execute the following command as
> root:
>
> /sbin/service sendmail restart
>
>
> REFERENCES
> 1. http://www.sendmail.org/
> 2. http://www.sendmail.org/8.12.9.html
> 3. http://www.sendmail.org/patchps.html
> 4. http://www.cert.org/advisories/CA-2003-12.html
> 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
> 6. http://marc.theaimsgroup.com/?l=bugtraq&m=104897487512238&w=2
>
>
> UPDATED PACKAGES
> ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_4cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_4cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_4cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/9/SRPMS/sendmail-8.12.5-26986U90_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-8.12.5-26986U90_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-cf-8.12.5-26986U90_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-doc-8.12.5-26986U90_1cl.i386.rpm
>
>
> ADDITIONAL INSTRUCTIONS
> The apt tool can be used to perform RPM packages upgrades:
>
> - run: apt-get update
> - after that, execute: apt-get upgrade
>
> Detailed instructions regarding the use of apt and upgrade examples
> can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
>
> - --------------------------------------------------------------------------
> All packages are signed with Conectiva's GPG key. The key and instructions
> on how to import it can be found at
> http://distro.conectiva.com.br/seguranca/chave/?idioma=en
> Instructions on how to check the signatures of the RPM packages can be
> found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
>
> - --------------------------------------------------------------------------
> All our advisories and generic update instructions can be viewed at
> http://distro.conectiva.com.br/atualizacoes/?idioma=en
>
> - --------------------------------------------------------------------------
> Copyright 2003 (c) Conectiva Inc.
> http://www.conectiva.com
>
> - --------------------------------------------------------------------------
> subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
> unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE+sA8v42jd0JmAcZARApnPAKCF3empH5UMCNS4HK3JmOW9d9MOEACg5vYM
> Gx9Lj9/JX3PUduOyI+G/A4A=
> =RVKW
> -----END PGP SIGNATURE-----
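The advisory describes the flaw only as "insufficient bounds checking in certain conditions due to a char to int conversion". The following is an added illustration of that bug class, written for this page; it is not sendmail's address parser and not Conectiva's code, and the names (NOCHAR, MAXTOKEN, store, scan_vuln, scan_fixed) and the inputs are constructed for the example. A scanner reads input bytes through a signed char and uses -1 as an out-of-band "no character" sentinel; an input byte of 0xFF sign-extends to -1, is mistaken for the sentinel, and skips the length check that every ordinary character goes through. The fixed variant differs by a single cast.

```c
/* Constructed demo of a signed char -> int conversion defeating a bounds
 * check. Not sendmail's code; names and inputs are assumptions for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOCHAR   (-1)  /* sentinel: "no character pending" (assumed design) */
#define MAXTOKEN 8     /* declared capacity of the token buffer */
#define SLACK    8     /* bytes past the limit kept only so the overrun can be
                          observed here without undefined behaviour */

struct tokbuf {
    char tok[MAXTOKEN + SLACK];
    int  overrun;      /* set once a byte lands at or beyond tok[MAXTOKEN-1] */
};

typedef int (*scan_fn)(const char *, size_t, struct tokbuf *);

/* Shared store step: c is the next input byte already converted to int.
 * The length check is only applied to "real" characters, i.e. c != NOCHAR. */
static int store(struct tokbuf *b, char **q, int c)
{
    if (c != NOCHAR && *q >= &b->tok[MAXTOKEN - 1])
        return -1;                     /* token too long: reject */
    if (*q >= &b->tok[MAXTOKEN - 1])
        b->overrun = 1;                /* a real parser would overflow here */
    if (*q < &b->tok[MAXTOKEN + SLACK - 1])
        *(*q)++ = (char)c;             /* clamp keeps this demo well-defined */
    return 0;
}

/* Vulnerable: reads through signed char, so the byte 0xFF becomes -1 == NOCHAR
 * and bypasses the check. On the usual x86 ABI plain `char` is signed, so a
 * plain `const char *p` behaves the same; `signed char` makes the demo
 * deterministic on every platform. */
static int scan_vuln(const char *in, size_t inlen, struct tokbuf *b)
{
    const signed char *p = (const signed char *)in, *end = p + inlen;
    char *q = b->tok;
    int c;

    memset(b, 0, sizeof *b);
    while (p < end) {
        c = *p++;                      /* BUG: sign-extending conversion */
        if (c == ' ')
            break;
        if (store(b, &q, c) < 0)
            return -1;
    }
    *q = '\0';
    return (int)(q - b->tok);
}

/* Fixed: convert through unsigned char, so every input byte is 0..255 and can
 * never collide with the negative sentinel. */
static int scan_fixed(const char *in, size_t inlen, struct tokbuf *b)
{
    const char *p = in, *end = in + inlen;
    char *q = b->tok;
    int c;

    memset(b, 0, sizeof *b);
    while (p < end) {
        c = (unsigned char)*p++;       /* FIX: 0xFF -> 255, never -1 */
        if (c == ' ')
            break;
        if (store(b, &q, c) < 0)
            return -1;
    }
    *q = '\0';
    return (int)(q - b->tok);
}

/* Runs a scanner and returns its result; *overran receives the overrun flag. */
static int run_scan(scan_fn scan, const char *in, size_t n, int *overran)
{
    struct tokbuf b;
    int r = scan(in, n, &b);
    if (overran)
        *overran = b.overrun;
    return r;
}

/* Same, returning only whether the declared limit was exceeded. */
static int run_overran(scan_fn scan, const char *in, size_t n)
{
    int ov;
    run_scan(scan, in, n, &ov);
    return ov;
}

/* Constructed inputs: ordinary text, an over-long ASCII token, and twenty
 * 0xFF bytes (the case an ASCII-only test never exercises). */
static const char ASCII_IN[] = "hello world";
static const char LONG_IN[]  = "abcdefghijklmnop";
static const char FF_IN[]    = "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
                               "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

int main(void)
{
    printf("vuln  ascii: len=%d\n", run_scan(scan_vuln, ASCII_IN, sizeof ASCII_IN - 1, NULL));
    printf("vuln  long : %d (rejected by the check)\n",
           run_scan(scan_vuln, LONG_IN, sizeof LONG_IN - 1, NULL));
    printf("vuln  0xFF : overran=%d\n", run_overran(scan_vuln, FF_IN, sizeof FF_IN - 1));
    printf("fixed 0xFF : %d (rejected), overran=%d\n",
           run_scan(scan_fixed, FF_IN, sizeof FF_IN - 1, NULL),
           run_overran(scan_fixed, FF_IN, sizeof FF_IN - 1));
    return 0;
}
```

Both scanners behave identically on ASCII input, which is why a regression test for this bug class has to include bytes with the high bit set; and a plain `char` buffer is only "obviously" signed on some ABIs, so auditing for `int c = *p` without an `unsigned char` cast is the portable check.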