Re: Package sendmail-tls with openssl vulnerability?
[repost with subscribed email-address] On Thu, 19 Sep 2002, Hatto von Hatzfeld wrote:
After updating the OpenSSL packages (and restarting the services) [...] But on the smtp port 25 with option -s (i.e. with TLS) I get:
VULNERABLE: does not detect small overflow
What's wrong? Or: How to close this hole?
To the SuSE-Security-Team:

SuSE 7.1:

# rpm -qf /usr/sbin/sendmail
sendmail-tls-8.11.2-36

# ldd /usr/sbin/sendmail
        libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
        libdb.so.2 => /lib/libdb.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
        libc.so.6 => /lib/libc.so.6 (0x40060000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
        libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

(no libssl or libcrypto here -> openssl hardlinked!)

The last update for 7.1 and sendmail-tls is dated Feb 9 2002, and thus before the openssl hole.

# rpm -qf /usr/sbin/sendmail --changelog
* Wed Aug 22 2001 - werner@suse.de
- Security Update: Fix for a signedness buffer overflow in tTflag()
  (bugtraq ID 3163)
[...]

How many packages are still there and hardlinked against openssl, but without updates?

On behalf of
Sven Koch
Server Management
--
com.unit GmbH                 http://www.comunit.net/
Eiffestr. 598                 20537 Hamburg | Germany
Fon +49-40-2111 05 25         Fax +49-40-2111 05 26
What's wrong? Or: How to close this hole?
To the SuSE-Security-Team:
Thanks for Cc: security@suse.de. Good idea.
SuSE 7.1:
# rpm -qf /usr/sbin/sendmail sendmail-tls-8.11.2-36
# ldd /usr/sbin/sendmail
        libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
        libdb.so.2 => /lib/libdb.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
        libc.so.6 => /lib/libc.so.6 (0x40060000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
        libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
(no libssl or libcrypto here -> openssl hardlinked!)
statically linked, yes.

I just had a brief talk with the maintainer of the SuSE sendmail-tls package a few doors down the hallway. He said that he regrets that sendmail-tls is statically linked, but it was a requirement from a time long ago, imposed by a customer. So I guess that customer is to blame.

Olaf will send out an announcement in a few minutes that should clarify the missing snippets in the puzzle for everybody. In fact, more packages other than just the openssl packages need to be updated in some rare cases.

Stand by.

Roman.
--
 - -
| Roman Drahtmüller      <draht@suse.de> //  "You don't need eyes to see, |
  SuSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany      +49-911-740530 //             Maxi Jazz, Faithless |
 - -
On Thu, Sep 19, 2002 at 06:17:20PM +0200, Roman Drahtmueller wrote:
I just had a brief talk with the maintainer of the SuSE sendmail-tls package a few doors down the hallway. He said that he regrets that sendmail-tls is statically linked, but it was a requirement from a time long ago, imposed by a customer. So I guess that customer is to blame.
And when may we expect a new package, which hopefully will not be statically linked?

Thanks and bye,
Hatto von Hatzfeld
On Thu, Sep 19, 2002 at 06:17:20PM +0200, Roman Drahtmueller wrote:
I just had a brief talk with the maintainer of the SuSE sendmail-tls package a few doors down the hallway. He said that he regrets that sendmail-tls is statically linked, but it was a requirement from a time long ago, imposed by a customer. So I guess that customer is to blame.
Olaf will send out an announcement in a few minutes that should clarify the missing snippets in the puzzle for everybody. In fact, more packages other than just the openssl packages need to be updated in some rare cases.
Does that mean that one has to wait quite long until sendmail-tls gets updated (or becomes a dynamically linked package)? Since there are already several exploits of apache ssl, I think it's too risky to run a vulnerable sendmail-tls.

I hope this hint is okay: To deactivate TLS in sendmail it seems to be sufficient to insert a wrong filename in the line "O ServerCertFile=..."

Of course I'd prefer to have a working sendmail-tls. Otherwise I'll get a lot of questions from people who wonder why they cannot send mails any more...
Stand by.
OK. How long?

Thanks and bye,
Hatto
On Tue, 24 Sep 2002, Hatto von Hatzfeld wrote:
Stand by.
OK. How long?
There are new packages on ftp.suse.com/ftp.suse.de for some days now; I suspect they are fixed (but the rpm's do not contain new changelog lines).

For example 7.1/patches/sendmail-tls-6600:

| Longdescription.english:
| Security update: This update fixes a security vulnerability
| in the SSL server code.

c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
On Wed, Sep 25, 2002 at 03:19:00AM +0200, Sven Koch wrote:
There are new packages on ftp.suse.com/ftp.suse.de since some days, I suspect they are fixed (but the rpm's do not contain new changelog-lines)
That is because they haven't been changed. These packages were just recompiled with the fixed openssl libs.

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture.                   -- Peter Gutmann
Hello!

Does anyone know of a how-to for getting SAMBA authentication / authorization on a Linux server to work through Active Directory on Win2k?

Thanks,
John
Hello, At 08:27 25.09.2002 -0400, you wrote:
Does anyone know of a how-to for getting SAMBA authentication / authorization on a Linux server to work through Active Directory on Win2k?
I'm not sure, but Active Directory is a type of LDAP service. If you want some functionality like AD, try some docs about LDAP on the samba site. Additionally, it should be possible to use "normal" authentication with W2k, even for NT4, which is not able to use AD.

Kind regards
Jörgen
--------------------------------------------------------------------------
Mad Jörgen
Electrical engineering (ET) student at the TU Wien - Laxenburgerstraße 70/2/2E01
AktionsGemeinschaft TU - 1100 Wien
... and don't forget: astronomers do it at night!
--------------------------------------------------------------------------
At 08:27 25.09.2002 -0400, you wrote:
Hello!
Does anyone know of a how-to for getting SAMBA authentication / authorization on a Linux server to work through Active Directory on Win2k?
I tried google: Active Directory samba authentication
which led me to some nice documents.

Kind regards
Jörgen
And after all, DO NOT USE "REPLY-TO" TO START A NEW THREAD, ok? If you're too lazy to type in the list address, make an alias in your address book. There are some nice features in mail clients, e.g. the possibility to display mails in a threaded manner... So guess where your mails now show up?...

Markus

On Wednesday 25 September 2002 14:27, John Olson wrote:
Hello!
Does anyone know of a how-to for getting SAMBA authentication / authorization on a Linux server to work through Active Directory on Win2k?
Thanks, John
-- The meek are getting ready.
On Wed, Sep 25, 2002 at 02:12:23PM +0200, Olaf Kirch wrote:
On Wed, Sep 25, 2002 at 03:19:00AM +0200, Sven Koch wrote:
There are new packages on ftp.suse.com/ftp.suse.de since some days, I suspect they are fixed (but the rpm's do not contain new changelog-lines)
That is because they haven't been changed. These packages were just recompiled with the fixed openssl libs.
Where can I find those recompiled rpm's? At least regarding sendmail-tls I have not found packages which were compiled in Sep 02...

Bye,
Hatto
participants (8)
- Hatto von Hatzfeld
- John Olson
- Jörgen Mad
- Markus Kohli
- Olaf Kirch
- Roman Drahtmueller
- Sven Koch
- Sven Koch