From: SENDMAIL
Date: 03.03.2003
Subject: sendmail 8.12.8 available

-----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.8.  It contains a fix for a critical security
problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
for bringing this problem to our attention.  Sendmail urges all users to
either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
is part of this announcement.  Patches for older versions can be
downloaded from ftp.sendmail.org, see http://www.sendmail.org/ for
details.  Remember to check the PGP signatures of patches or releases
obtained.  For those not running the open source version, check
with your vendor for a patch.  There is a bug fix for ident parsing
in 8.12.8.  While this is not believed to be exploitable, if you
are not upgrading to 8.12.8, you may want to turn off ident checking
by adding this to your .mc file:

define(`confTO_IDENT', `0s')


For a complete list of changes see the release notes down below.

Please send bug reports to sendmail-bugs@sendmail.org as usual.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier
versions two .sig files are provided, one each for the gzip'ed
version and the compressed version. That is, instead of signing the
tar file, we sign the compressed/gzip'ed files, so you do not need
to uncompress the file before checking the signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz
2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig
b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z
b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig

You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
.sig file.  The PGP signature was created using the Sendmail Signing
Key/2003, available on the web site (http://www.sendmail.org/) or
on the public key servers.
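
The pairing rule and checks described above, as an added example that is not part of the original announcement: it accepts a download only when one complete archive/.sig pair matches the MD5 list, then runs gpg on that pair. The function names, the manifest file (the "MD5 signatures" lines saved to disk) and the use of GNU md5sum are assumptions of the example.

```shell
#!/bin/sh
# Added example: check a downloaded release pair against the announcement's
# MD5 list, then hand the pair to gpg.  Assumptions: md5sum (GNU coreutils)
# is installed; MANIFEST holds lines of the form "<md5> <filename>".

# md5_matches MANIFEST DIR FILE -> 0 if DIR/FILE hashes to the listed value
md5_matches() {
    want=$(awk -v f="$3" '$2 == f { print $1 }' "$1")
    [ -n "$want" ] || return 1          # file is not listed at all
    [ -f "$2/$3" ] || return 1          # file was not downloaded
    have=$(md5sum "$2/$3" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# pick_verified_pair MANIFEST DIR BASE
# Prints the archive name of the first complete pair (archive + .sig)
# whose two MD5 values both match; returns 1 if neither pair qualifies.
pick_verified_pair() {
    for ext in tar.gz tar.Z; do
        archive="$3.$ext"
        if md5_matches "$1" "$2" "$archive" &&
           md5_matches "$1" "$2" "$archive.sig"; then
            printf '%s\n' "$archive"
            return 0
        fi
    done
    return 1
}

# verify_release MANIFEST DIR BASE
# The MD5 list only catches a damaged or mismatched download; the PGP
# signature over the compressed file is the authenticity check, so gpg
# (with the signing key already imported) must also succeed.
verify_release() {
    archive=$(pick_verified_pair "$1" "$2" "$3") || {
        echo "no complete archive/.sig pair matches the MD5 list" >&2
        return 1
    }
    gpg --verify "$2/$archive.sig" "$2/$archive"
}

# Usage: sh verify.sh md5.txt ./downloads sendmail.8.12.8
if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```
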

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

  PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
  SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
  TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
  PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
  COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
  SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
  YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
  AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
  ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR
  RESPONSIBILITY.

                       SENDMAIL RELEASE NOTES
     $Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.12.8/8.12.8   2003/02/11
       SECURITY: Fix a remote buffer overflow in header parsing by
               dropping sender and recipient header comments if the
               comments are too long.  Problem noted by Mark Dowd
               of ISS X-Force.
       Fix a potential non-exploitable buffer overflow in parsing the
               .cf queue settings and potential buffer underflow in
               parsing ident responses.  Problem noted by Yichen Xie of
               Stanford University Compilation Group.
       Fix ETRN #queuegroup command: actually start a queue run for
               the selected queue group.  Problem noted by Jos Vos.
       If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
               log the fixup as "Fixed MIME header" instead of "Truncated
               MIME header".  Problem noted by Ian J Hart.
       CONFIG: Fix regression bug in proto.m4 that caused a bogus
               error message: "FEATURE() should be before MAILER()".
       MAIL.LOCAL: Be more explicit in some error cases, i.e., whether
               a mailbox has more than one link or whether it is not
               a regular file.  Patch from John Beck of Sun Microsystems.


Instructions to extract and apply patch for sendmail 8.12:

The data below is a uuencoded, gzip'ed tar file.  Store the data
between "========= begin patch ========" and "========= end patch
==========" into a file called "patch.sm" and apply the following
command:

uudecode -p < patch.sm | gunzip -c | tar -xf -

This will give you two files:

sendmail.8.12.security.cr.patch
sendmail.8.12.security.cr.patch.sig

Check the integrity of the patch file using PGP or GPG, e.g.,

gpg --verify sendmail.8.12.security.cr.patch.sig sendmail.8.12.security.cr.patch

Then apply the patch to the sendmail source code:

cd sendmail-8.12.7
patch -p0 < sendmail.8.12.security.cr.patch

recompile sendmail, and install the new binary.

========= begin patch ========
========= end patch ==========
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iQCVAwUBPklPeCGD4bE5bweJAQFhywP+Kn+5RdwephTcApFNsSOWfTjKxP9wv6rE
z0XPVd1ihfdByrXE1Fr8ML9uZm6fhg4vtOfJIXzsO4j0fiAWwyqwq8Mu5YAJVKOi
k/5ncMtvDZI9aRHEGEIRXapOTg/Ui5W5E3Wpep0IYCRf5wkXPqYS6ppVa5urMqKH
x/1/OqBPUCc=
=G4ha
-----END PGP SIGNATURE-----
