-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : sendmail SUMMARY : Remote vulnerability DATE : 2003-03-03 19:30:00 ID : CLA-2003:571 RELEVANT RELEASES : 6.0, 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION Sendmail[1] is a widely used Mail Transfer Agent (MTA). Researchers at ISS[2] discovered and published[3] a remote vulnerability[4][5] in sendmail that could be used by an attacker to execute arbitrary code as root. This vulnerability can be exploited by creating and sending to a vulnerable sendmail server a carefully crafted email message. This message will trigger the vulnerability and arbitrary commands can be executed with administrative privileges. Please note that non-vulnerable mail servers can be used to pass such messages along so that, for example, even internal sendmail servers could be reached. Starting with Conectiva Linux 7.0, sendmail is no longer the default mail server and has been replaced with Postfix. But sendmail is still shipped in all Conectiva Linux versions. As with many other services, the email service, even if installed, is not started by default in Conectiva Linux. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-1337[7] to this issue. SOLUTION All sendmail users should upgrade their packages immediately. After the upgrade, the sendmail service will be automatically restarted if it was already running. REFERENCES 1.http://www.sendmail.org/ 2.http://www.iss.net/ 3.http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950 4.http://www.cert.org/advisories/CA-2003-07.html 5.http://www.kb.cert.org/vuls/id/398025 6.http://www.sendmail.com/security/ 7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_3cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribeat_private unsubscribe: conectiva-updates-unsubscribeat_private -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+Y+Nh42jd0JmAcZARAj6TAKDkgvTGscDsT95XBbE/yEO7jjOO9gCgrglI s7NfdorrA+FnQm0Xy67kRSA= =ZySZ -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 15:10:20 PST