SuSE Security Announcement: sendmail (SuSE-SA:2003:023)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: sendmail, sendmail-tls
Announcement-ID: SuSE-SA:2003:023
Date: Tuesday, April 1st 2003 18:45 MEST
Affected products: 7.1, 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server,
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local/remote privilege escalation
Severity (1-10): 7
SuSE default package: yes (until SuSE Linux 8.0 and SLES7)
Cross References: http://www.cert.org/advisories/CA-2003-12.html
Content of this advisory:
1) security vulnerability resolved: sendmail, sendmail-tls
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- glibc
- vnc
- openssl
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
sendmail is the most widely used mail transport agent (MTA) in the
internet. A remotely exploitable buffer overflow has been found in all
versions of sendmail that come with SuSE products. These versions include
sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem
that is installed by default on all SuSE products up to and including
SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7.
The vulnerability was discovered by Michal Zalewski. It is not related
to the vulnerability found by ISS in the first week of March as announced
by SuSE Security in SuSE Security Announcement SuSE-SA:2003:013 (CERT
Announcement ID CA-2003-07). The impact is believed to be a local root
compromise with the possibility of a remote compromise. Even though
the remote nature of the vulnerability is not confirmed, we believe that
it is safe to assume that the vulnerability may be remotely exploitable.
The nature of the flaw is a stack overflow in a function that is called
frequently throughout the sendmail source code. The function is used for
processing email addresses.
There is no known workaround for this vulnerability other than using a
different MTA. The vulnerability is triggered by an email message sent
through the sendmail MTA subsystem. In that respect, it is different
from commonly known bugs that occur in the context of an open TCP
connection. By consequence, the vulnerability also exists if email
messages get forwarded over a relay that itself does not run a vulnerable
MTA. This specific detail and the wide distribution of sendmail in the
internet causes this vulnerability to be considered a flaw of major
severity. We recommend to install the update packages that are provided
for download at the locations listed below.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
SPECIAL INSTALL INSTRUCTIONS:
==============================
After performing the update, it is necessary to restart all running
instances of sendmail using the command "rcsendmail restart" as root.
Intel i386 Platform:
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-109.i586.rpm
bb987c277374db2cf5ec81b7abe9a476
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-109.i586.patch.rpm
f90dc4e6f63b5c4e368e5db2fe7d09be
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-109.src.rpm
dd838b1089f6686a1107e6d8159b1f98
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-75.i386.rpm
9e6949e973085ae3b628c52cadcc2c9e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-75.i386.patch.rpm
dac55a8afcb2487b8b80549b9a4d7b38
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-75.src.rpm
f6e8297e885d367a73ff9010a6cbb297
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-164.i386.rpm
7591a1d397e161225b4d594bcfc5bb02
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/sendmail-tls-8.11.6-166.i386.rpm
52c213438e8782af09a4395d402d1fea
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-8.11.6-164.src.rpm
a7b6f85673913089758f0ef0208aac6a
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-tls-8.11.6-166.src.rpm
96cbfc4f2d85bdae71196ee80a4ebbd3
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/sendmail-8.11.3-108.i386.rpm
b107d5a44b234222de7e5fcb7998c192
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/sendmail-tls-8.11.3-112.i386.rpm
78a987bd0a38d067a8cffd6c6003abd8
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-8.11.3-108.src.rpm
0a86a2d3158110479c44c6b8a09f2bb6
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-tls-8.11.3-112.src.rpm
acf234a4fa14d9d078df10cd774da0ce
SuSE-7.1:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/sendmail-8.11.2-45.i386.rpm
abec9a5d08d89cabc662708b38cadfad
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec2/sendmail-tls-8.11.2-47.i386.rpm
36ab02484b69d9f6ac9d58b78cc0569d
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sendmail-8.11.2-45.src.rpm
e7e267fbb800277472f797f351796c6d
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sendmail-tls-8.11.2-47.src.rpm
83b8fae134f192c53fa32c2d73f8dc8c
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/sendmail-8.11.6-65.sparc.rpm
f3a9cff90e3ac9493bcab36b11dc692c
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/sendmail-tls-8.11.6-65.sparc.rpm
63c14d646d8046df26c2899c0886bb24
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-8.11.6-65.src.rpm
7f01e6aa454231f35f6ee50958bb6f29
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-tls-8.11.6-65.src.rpm
e9086795f386471e6b2476febb419aa0
AXP Alpha Platform:
SuSE-7.1:
Limited package building resources are delaying the availiability of
update packages for the SuSE Linux 7.1 for Alpha distribution.
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/sendmail-8.11.6-123.ppc.rpm
1dd1154f1b9ede1dc003be26919b4d23
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/sendmail-tls-8.11.6-122.ppc.rpm
a83a7f0885deb049a5a63d8114e47af4
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-8.11.6-123.src.rpm
2a199a60d825c8d3d2a1514fb58aea59
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-tls-8.11.6-122.src.rpm
621c390fbb8c44ffb1764d369c096d3f
SuSE-7.1:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/sendmail-8.11.2-34.ppc.rpm
c1657f4dbc2f4967fb3ca04c17e2f1f3
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec2/sendmail-tls-8.11.2-38.ppc.rpm
7f564cc83d85970cd7c0f61896c916e6
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sendmail-8.11.2-34.src.rpm
bd749453da2ff7513f09798d8b0b2e56
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sendmail-tls-8.11.2-38.src.rpm
1c347e9052b1b7dd02ae6630c56445db
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- glibc
SuSE Security is working on glibc updates for the RPC XDR integer overflow
security problem in glibc. The central function of the glibc package in a
Linux system requires extensive testing of the update packages. The update
packages will be provided for download at the usual location and
publically announced as soon as the testing is completed successfully.
- vnc
VNC (Virtual Network Computing) uses a weak cookie generation process
which can be exploited by an attacker to bypass authentication.
New packages are currently being tested and will be available on our
FTP servers soon.
- openssl
A paper regarding remote timing attacks against OpenSSL has been
published by researchers of the Stanford University. It is possible
to extract the private RSA key used by services using OpenSSL by
observing their timing behavior. Fixed packages will be available
on our FTP servers soon.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
Congratulations to all SuSE security team. But I'm just satisfied with
postfix by now...
Cheers
--
<
Hi Roman, in the announcment you state that 8.2 is affected too, but there is no link to the patch. BTW: When will 8.2 be delivered? Stefan Nauber Cs2 Informatik GmbH & Co. KG - Niederlassung West - Kurfürstenanlage 3 69115 Heidelberg Germany Tel.: +49 (6221) 6041-0 Fax : +49 (6221) 6041-50 Email: mailto:stefan.nauber@cs2-informatik.de Internet: http://www.cs2-informatik.de
Hi Stefan, i got my 8.2 on 31.03.03 ;-) Carsten Am Mit, 2003-04-02 um 08.13 schrieb Stefan Nauber:
Hi Roman,
in the announcment you state that 8.2 is affected too, but there is no link to the patch.
BTW: When will 8.2 be delivered?
Stefan Nauber
Cs2 Informatik GmbH & Co. KG - Niederlassung West - Kurfürstenanlage 3 69115 Heidelberg Germany Tel.: +49 (6221) 6041-0 Fax : +49 (6221) 6041-50 Email: mailto:stefan.nauber@cs2-informatik.de Internet: http://www.cs2-informatik.de
Am Mittwoch, 2. April 2003 08:13 schrieb Stefan Nauber:
BTW: When will 8.2 be delivered?
yesterday ;) bye, [MH] -- Die unaufgeforderte Zusendung einer Werbemail an Privatleute verstößt gegen §1 UWG und 823 I BGB (Beschluß des LG Berlin vom 2.8.1998 Az: 16 O 201/98). Jede kommerzielle Nutzung der übermittelten persönlichen Daten sowie deren Weitergabe an Dritte ist ausdrücklich untersagt! gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
Hallo, out there, I received the latest security-announcement about a security-related sendmail-bug. After downloading and verifying sendmail-8.11.6-164.src.rpm, I tried to build the rpm-packages as I do everytime. Building of sendmail-8.11.6-162.src.rpm a month ago worked fine. But now the build-process fails with the following state: + cd ../uucp-1.06.1 + '[' -d /usr/share/automake ']' + test -f ./config.sub + test -f ./config.guess + test -f ./ltconfig + test -f ./ltmain.sh + autoconf configure.in:21: warning: AC_COMPILE_IFELSE was called before AC_AIX configure.in:21: warning: AC_RUN_IFELSE was called before AC_AIX configure.in:409: error: do not use LIBOBJS directly, use AC_LIBOBJ (see section `AC_LIBOBJ vs. LIBOBJS' Bad exit status from /var/tmp/rpm-tmp.45708 (%build) Seems that the sendmail-build works fine, but there's a problem with the uucp-subpackage. Here is my enviroment: andreas@home:~ > cat /etc/SuSE-release VERSION = 7.2 andreas@home:~ > uname -a Linux home 2.4.18-4GB #1 Mon Mar 24 14:37:51 GMT 2003 i686 unknown andreas@home:~ > rpm -q rpm autoconf automake cyrus-sasl cyrus-sasl-devel db-devel openldap2 openldap2-client openldap2-devel openssl-devel tcpd rpm-3.0.6-78 autoconf-2.53-148 automake-1.6.3-1 cyrus-sasl-1.5.24-184 cyrus-sasl-devel-1.5.24-184 db-devel-3.1.17-56 openldap2-2.0.11-67 openldap2-client-2.0.11-67 openldap2-devel-2.0.11-67 openssl-devel-0.9.6i-1 tcpd-7.6-154 andreas@home:~ > Any hints? Ciao Andreas -- ==> Informativ - Interaktiv - Internet <== ==> Pharmazeutische Kompetenz online <== ==> http://www.apo-im-plauen-park.de <== ==> Apotheker Dipl.-Pharm. Andreas Muck <==
Hi!
SuSE Security Announcement
Package: sendmail, sendmail-tls Announcement-ID: SuSE-SA:2003:023
When I patched and recompiled sendmail-8.11.3-106 (for SuSE 7.2) yesterday, I noticed that my sendmail binary was 50% smaller than the version supplied by SuSE (this applies to the current update, too); I *think* libssl and libcrypt are linked statically in the SuSE version - is this true? And if it is - why? Martin
SuSE Security Announcement
Package: sendmail, sendmail-tls Announcement-ID: SuSE-SA:2003:023
When I patched and recompiled sendmail-8.11.3-106 (for SuSE 7.2) yesterday, I noticed that my sendmail binary was 50% smaller than the version supplied by SuSE (this applies to the current update, too); I *think* libssl and libcrypt are linked statically in the SuSE version - is this true? And if it is - why?
It's not these two, it's /usr/lib/libldap.a and /usr/lib/liblber.a that are linked statically. The newer distributions are linked dynamically agaist these libraries, the older ones have tradeoffs. The reason for the static linking is based on dependencies between packages. Building the packages can have circular dependencies, which makes it a bit difficult at times...
Martin
Roman.
--
- -
| Roman Drahtmüller
On Wed, 2 Apr 2003, Roman Drahtmueller wrote:
SuSE Security Announcement
Package: sendmail, sendmail-tls Announcement-ID: SuSE-SA:2003:023
When I patched and recompiled sendmail-8.11.3-106 (for SuSE 7.2) yesterday, I noticed that my sendmail binary was 50% smaller than the version supplied by SuSE (this applies to the current update, too); I *think* libssl and libcrypt are linked statically in the SuSE version - is this true? And if it is - why?
It's not these two, it's /usr/lib/libldap.a and /usr/lib/liblber.a that are linked statically.
Thanks. But one thing is strange: with my self-compiled version, "ldd /usr/sbin/sendmail" lists these references: libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40058000) libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40086000) These are missing from the SuSE version, so naturally I thought that SuSE linked them statically... And: /usr/lib/libldap.a and /usr/lib/liblber.a amount to about 300 KB, but the size difference of the binary I'm observing is over 500 KB - are you sure those two libs don't "pull" [parts of] libssl and libcrypto into the binary, too? (They *do* reference them...) Depending on what parts of libssl/libcrypt are actually used, this *could* have security implications, no?
The newer distributions are linked dynamically agaist these libraries, the older ones have tradeoffs. The reason for the static linking is based on dependencies between packages. Building the packages can have circular dependencies, which makes it a bit difficult at times...
Eeeeeeek - nasty stuff! I bet you'll be glad when you finally get rid of having to support those old distros... :-) Martin
Hi, Am Dienstag, 1. April 2003 18:55 schrieb Roman Drahtmueller:
SuSE-8.1: (...)
For the lucky ones like me: Is that patch included with 8.2 just shipped, and if not, can I apply the 8.1 patch ? Tia Dan
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
SuSE-8.1: (...)
For the lucky ones like me: Is that patch included with 8.2 just shipped, and if not, can I apply the 8.1 patch ?
Don't worry, the 8.1 patch is out as well. It just isn't stated in the announcement. SuSE-8.2: ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-57.i586.rpm ea29d53ee170cb91e4fbdf1b6b0f3612 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-57.i586.patch.rpm f2dab2cba0cea34ae643fdc8de429dbe source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/sendmail-8.12.7-57.src.rpm ff1ff847142fc04ac3a71df691cbcf1d
Tia Dan
Thanks,
Roman.
- --
- -
| Roman Drahtmüller
participants (8)
-
Andreas Muck
-
Carsten Schoene
-
Dan Am
-
Martin Köhling
-
Mathias Homann
-
Miguel Albuquerque
-
Roman Drahtmueller
-
Stefan Nauber