----- Original Message -----
From: "Conectiva Updates" <secure@conectiva.com.br>
To: <conectiva-updates@papaleguas.conectiva.com.br>
Sent: Wednesday, April 30, 2003 10:13 AM
Subject: [CLA-2003:614] REVISED: Conectiva Security Announcement - sendmail
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------------
>
> PACKAGE : sendmail
> SUMMARY : Buffer overflow vulnerability
> DATE : 2003-04-04 15:10:00
> REVISED : 2003-04-30 14:50:00
> ID : CLA-2003:614
> RELEVANT
> RELEASES : 6.0, 7.0, 8, 9
>
> - -------------------------------------------------------------------------
>
> DESCRIPTION
>
> NOTE: this is a revision of the CLA-2003:614 advisory. The only change
> is the inclusion of this note and packages for Conectiva Linux 9 which
> was not addressed before.
>
> Sendmail[1] is a widely used Mail Transfer Agent (MTA).
>
> Michal Zalewski reported[6] a remote vulnerability[5] in sendmail
> versions 8.12.8 and below. The vulnerability lies in the address
> parser which performs insufficient bounds checking in certain
> conditions due to a char to int conversion.
>
> It is believed to be possible for remote attackers to cause a Denial
> of Service condition and to even execute arbitrary commands with the
> same permissions under which the sendmail daemon runs, which is
> root.
>
> The sendmail authors have released a new version[2], 8.12.9, which
> fixes this vulnerability. They have also made available patches[3]
> for older versions, which the packages provided via this announcement
> contain.
>
> Starting with Conectiva Linux 7.0, sendmail is no longer the default
> mail server and has been replaced with Postfix. But sendmail is still
> shipped in all Conectiva Linux versions.
>
>
> SOLUTION
> All sendmail users should upgrade immediately. If the service is
> already active, it should be restarted after the upgrade in order to
> close the vulnerability. To do so, execute the following command as
> root:
>
> /sbin/service sendmail restart
>
>
> REFERENCES
> 1. http://www.sendmail.org/
> 2. http://www.sendmail.org/8.12.9.html
> 3. http://www.sendmail.org/patchps.html
> 4. http://www.cert.org/advisories/CA-2003-12.html
> 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
> 6. http://marc.theaimsgroup.com/?l=bugtraq&m=104897487512238&w=2
>
>
> UPDATED PACKAGES
>
> ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_4cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_4cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_4cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_4cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/9/SRPMS/sendmail-8.12.5-26986U90_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-8.12.5-26986U90_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-cf-8.12.5-26986U90_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-doc-8.12.5-26986U90_1cl.i386.rpm
>
> ADDITIONAL INSTRUCTIONS
> The apt tool can be used to perform RPM packages upgrades:
>
> - run: apt-get update
> - after that, execute: apt-get upgrade
>
> Detailed instructions regarding the use of apt and upgrade examples
> can be found at
> http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
>
> - -------------------------------------------------------------------------
> All packages are signed with Conectiva's GPG key. The key and instructions
> on how to import it can be found at
> http://distro.conectiva.com.br/seguranca/chave/?idioma=en
> Instructions on how to check the signatures of the RPM packages can be
> found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
>
> - -------------------------------------------------------------------------
> All our advisories and generic update instructions can be viewed at
> http://distro.conectiva.com.br/atualizacoes/?idioma=en
>
> - -------------------------------------------------------------------------
> Copyright 2003 (c) Conectiva Inc.
> http://www.conectiva.com
>
> - -------------------------------------------------------------------------
> subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
> unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
>
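As an added illustration of the bug class the advisory names (a plain `char` promoted to `int` and used as a table index), here is a small C sketch beside the conversion through `unsigned char` that keeps the index in range. This is not sendmail's parser or the advisory's code; the class table, the token and all function names are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed 256-entry class table: 1 = byte allowed in an address token.
 * Illustrates the char-to-int pitfall only; not sendmail's table. */
static unsigned char allowed_class[256];

static void init_class_table(void)
{
    int c;
    memset(allowed_class, 0, sizeof allowed_class);
    for (c = 'a'; c <= 'z'; c++) allowed_class[c] = 1;
    for (c = 'A'; c <= 'Z'; c++) allowed_class[c] = 1;
    for (c = '0'; c <= '9'; c++) allowed_class[c] = 1;
    allowed_class['.'] = allowed_class['-'] = allowed_class['_'] = 1;
}

/* The pitfall: a plain char promoted to int. Where char is signed (the
 * usual x86 ABI), bytes 0x80..0xFF become negative table indices. */
static int naive_index(char c) { return (int)c; }

/* The fix: convert through unsigned char first, so the index is 0..255. */
static int safe_index(char c) { return (int)(unsigned char)c; }

/* Counts allowed bytes in a token using the given conversion. Returns -1
 * instead of indexing outside the table, so the effect of the bad
 * conversion is observable rather than undefined behaviour. */
static int count_allowed(const char *s, size_t len, int (*to_index)(char))
{
    size_t i;
    int count = 0;
    init_class_table();
    for (i = 0; i < len; i++) {
        int idx = to_index(s[i]);
        if (idx < 0 || idx > 255)      /* the bounds check that must exist */
            return -1;
        if (allowed_class[idx])
            count++;
    }
    return count;
}

/* Constructed sample: an ASCII token carrying one high-bit byte (0xE9). */
static const char sample_token[] = "ab\xE9" "cd";

int main(void)
{
    size_t n = sizeof sample_token - 1;
    printf("naive: %d  safe: %d  (char is %s)\n",
           count_allowed(sample_token, n, naive_index),
           count_allowed(sample_token, n, safe_index),
           CHAR_MIN < 0 ? "signed" : "unsigned");
    return 0;
}
```

On a signed-char platform the naive path is rejected by the guard (-1); with the unsigned conversion the same token is classified normally (4 allowed bytes, the 0xE9 byte simply not counted).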