-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : sendmail SUMMARY : Buffer overflow vulnerability DATE : 2003-04-04 15:10:00 ID : CLA-2003:614 RELEVANT RELEASES : 6.0, 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION Sendmail[1] is a widely used Mail Transfer Agent (MTA). Michal Zalewski reported[6] a remote vulnerability[5] in sendmail versions 8.12.8 and below. The vulnerability lies in the address parser which performs insufficient bounds checking in certain conditions due to a char to int conversion. It is believed to be possible for remote attackers to cause a Denial of Service condition and to even execute arbitrary commands with the same permissions under which the sendmail daemon runs, which is root. The sendmail authors have released a new version[2], 8.12.9, which fixes this vulnerability. They have also made available patches[3] for older versions, which the packages provided via this announcement contain. Starting with Conectiva Linux 7.0, sendmail is no longer the default mail server and has been replaced with Postfix. But sendmail is still shipped in all Conectiva Linux versions. SOLUTION All sendmail users should upgrade immediately. If the service is already active, it should be restarted after the upgrade in order to close the vulnerability. To do so, execute the following command as root: /sbin/service sendmail restart REFERENCES 1. http://www.sendmail.org/ 2. http://www.sendmail.org/8.12.9.html 3. http://www.sendmail.org/patchps.html 4. http://www.cert.org/advisories/CA-2003-12.html 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161 6. http://marc.theaimsgroup.com/?l=bugtraq&m=104897487512238&w=2 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_4cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_4cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_4cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright 2003 (c) Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribeat_private unsubscribe: conectiva-updates-unsubscribeat_private -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+jcsL42jd0JmAcZARAhZ1AJ4sJBRCqsidplEwb+1enXnQ7YvDbQCgxZqI R+s9lXU4A6fzu3aPze+Z5cg= =ZmI8 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 10:34:59 PST