SuSE Security Announcement: sendmail, sendmail-tls (SuSE-SA:2003:040)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: sendmail, sendmail-tls
Announcement-ID: SuSE-SA:2003:040
Date: Saturday, Sep 20th 2003 18:00 MEST
Affected products: 7.2, 7.3, 8.0, 8.1, 8.2
SuSE Linux Database Server,
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local/remote privilege escalation
Severity (1-10): 7
SuSE default package: yes (until SuSE Linux 8.0 and SLES7)
Cross References: CAN-2003-0694
CERT http://www.kb.cert.org/vuls/id/784980
http://www.securityfocus.com/archive/1/337839
http://www.sendmail.org/8.12.10.html
Content of this advisory:
1) security vulnerability resolved: sendmail, sendmail-tls
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- mysql
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
sendmail is the most widely used mail transport agent (MTA) in the
internet. A remotely exploitable buffer overflow has been found in all
versions of sendmail that come with SuSE products. These versions include
sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem
that is installed by default on all SuSE products up to and including
SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7.
The vulnerability discovered is known as the prescan()-bug and is not
related to the vulnerability found and fixed in April 2003. The error
in the code can cause heap or stack memory to be overwritten, triggered
by (but not limited to) functions that parse header addresses.
There is no known workaround for this vulnerability other than using a
different MTA. The vulnerability is triggered by an email message sent
through the sendmail MTA subsystem. In that respect, it is different
from commonly known bugs that occur in the context of an open TCP
connection. By consequence, the vulnerability also exists if email
messages get forwarded over a relay that itself does not run a vulnerable
MTA. This specific detail and the wide distribution of sendmail in the
internet causes this vulnerability to be considered a flaw of major
severity. We recommend to install the update packages that are provided
for download at the locations listed below.
We thank Michal Zalewski who discovered this vulnerability and the
friendly people from Sendmail Inc (Claus Assmann) who have communicated
problem to SuSE Security.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
SPECIAL INSTALL INSTRUCTIONS:
==============================
After performing the update, it is necessary to restart all running
instances of sendmail using the command "rcsendmail restart" as root.
Intel i386 Platform:
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-77.i586.rpm
98b411a03df3a657dcef79be8f5d1ab2
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-devel-8.12.7-77.i586.rpm
59c84f025e29401fb798d3253a67bd70
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-8.12.7-77.i586.patch.rpm
99c717aee89be0a9d791a48cec41a57d
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/sendmail-devel-8.12.7-77.i586.patch.rpm
9feac7f2b475531d07279a3606dd3b37
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/sendmail-8.12.7-77.src.rpm
ffb2d8b0fd28a9a5244f2696879f3762
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-159.i586.rpm
3b96f198fa7e9726e4e575444baa10d6
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-159.i586.rpm
0b56d4ac6453c5962bf9e9d363b83849
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-159.i586.patch.rpm
92f7e4376ea2ed5f4f7652e3e47a7638
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-devel-8.12.6-159.i586.patch.rpm
843a111a942d24a6380f91f7f21e9316
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-159.src.rpm
d4a2d5463ef5bfcc5c36bd3b9da36271
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-78.i386.rpm
85d6d62eb31223c8bc607b65551ea024
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-78.i386.rpm
24d814266bf8c305dbd275009655f7e4
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-78.i386.patch.rpm
7f384fedbc35b23d92da843e2fc38046
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/sendmail-devel-8.12.3-78.i386.patch.rpm
95de8a86f1dad5f1b3e28bb9cb40c02c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-78.src.rpm
92c4a75367211fb0b23b1706a2b893f1
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-167.i386.rpm
51d281703157e04e39e48f5b21cb1469
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/sendmail-tls-8.11.6-169.i386.rpm
1131ad179e17de3c7d0a8d0a7a7e5348
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-8.11.6-167.src.rpm
5c547ec8f50f6fa756e160063076365c
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-tls-8.11.6-169.src.rpm
eb0a06b8a387297463cbccb639e5fb6f
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/sendmail-8.11.3-112.i386.rpm
3bed3854baec797e2ff6d14f9582fcda
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/sendmail-tls-8.11.3-116.i386.rpm
2713adc9c6feecc146a796034b3f7b98
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-8.11.3-112.src.rpm
1b28f2aca4bb0b9231869267cbd4a06d
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-tls-8.11.3-116.src.rpm
352f504b486334537d952aa90b82ac08
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/sendmail-8.11.6-67.sparc.rpm
24c874c51666ca5b9f5ce2a7431af63e
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/sendmail-tls-8.11.6-67.sparc.rpm
5d41fe793f6744e70f6bde005363884c
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-8.11.6-67.src.rpm
7f27980cf2fb11453a80964355aaddbc
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-tls-8.11.6-67.src.rpm
dda3511ac3f95af3623837e19b6a80f6
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/sendmail-8.11.6-126.ppc.rpm
0442e3a7504bb4bb57e896fcd83e80b9
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/sendmail-tls-8.11.6-125.ppc.rpm
cbf8c7e5e9f61c3017ad5d80b7c4c76b
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-8.11.6-126.src.rpm
47031fa3484a66081f623760fcf53dc1
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-tls-8.11.6-125.src.rpm
9ce8128f4847f6fb0d8b0662f3145388
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- As already announced in SuSE-SA:2003:038 and SuSE-SA:2003:039, we are
working on update packages for the mysql buffer overflow vulnerability.
The packages will be made available as soon as possible.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
Can I assume a nice'n & pleasant update experience if I choose to utilize the Sendmail RPM Package intended for SuSE Linux 7.2, but in effect will patch the Sendmail of a no longer supported SuSE Linux 7.1 system still residing on our corporate server? Thanks! - Philippe Wiede Roman Drahtmueller wrote:
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: sendmail, sendmail-tls Announcement-ID: SuSE-SA:2003:040 Date: Saturday, Sep 20th 2003 18:00 MEST Affected products: 7.2, 7.3, 8.0, 8.1, 8.2 SuSE Linux Database Server, SuSE Linux Enterprise Server 7, 8 SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server Vulnerability Type: local/remote privilege escalation Severity (1-10): 7 SuSE default package: yes (until SuSE Linux 8.0 and SLES7) Cross References: CAN-2003-0694 CERT http://www.kb.cert.org/vuls/id/784980 http://www.securityfocus.com/archive/1/337839 http://www.sendmail.org/8.12.10.html
Content of this advisory: 1) security vulnerability resolved: sendmail, sendmail-tls problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - mysql 3) standard appendix (further information)
Can I assume a nice'n & pleasant update experience if I choose to utilize the Sendmail RPM Package intended for SuSE Linux 7.2, but in effect will patch the Sendmail of a no longer supported SuSE Linux 7.1 system still residing on our corporate server?
That might work, yes. 7.1 has glibc 2.2, 7.2 is at 2.2.2, and I think that might work. If you see sendmail coredumping at any chance, then you know it doesn't work. :-/ But I'd advise you to install an 8.2 on that machine. 7.2 is about to die now, since it's more than 2 years old...
Thanks! - Philippe Wiede
Thanks,
Roman.
--
- -
| Roman Drahtmüller
Can I assume a nice'n & pleasant update experience if I choose to utilize the Sendmail RPM Package intended for SuSE Linux 7.2, but in effect will patch the Sendmail of a no longer supported SuSE Linux 7.1 system still residing on our corporate server?
That might work, yes. 7.1 has glibc 2.2, 7.2 is at 2.2.2, and I think
Hi, Roman Thank you for answering. When trying to install via: # rpm -ivh sendmail-8.11.3-112.i386.rpm or # rpm -iv --force sendmail-8.11.3-112.i386.rpm I receive one error: # libsasl.so.7 is needed by sendmail Any insight to this? Thanks! - Philippe Wiede Roman Drahtmueller wrote: that
might work. If you see sendmail coredumping at any chance, then you know it doesn't work. :-/ But I'd advise you to install an 8.2 on that machine. 7.2 is about to die now, since it's more than 2 years old...
Thanks! - Philippe Wiede
Thanks, Roman.
Hi !
# rpm -ivh sendmail-8.11.3-112.i386.rpm or # rpm -iv --force sendmail-8.11.3-112.i386.rpm
I receive one error:
# libsasl.so.7 is needed by sendmail
Any insight to this?
--> Yes, on my 8.0 system, this library is provided by the cyrus-sasl package: armin@ady-office-pc:~> rpm -q --whatprovides /usr/lib/libsasl.so.7 cyrus-sasl-1.5.27-125 armin@ady-office-pc:~> So you should install the package cyrus-sasl either from your SuSE CD or you can get it from the SuSE FTP servers. HTH, Armin -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
On Mon, Sep 22, 2003 at 08:21:25PM +0200, PW wrote:
Can I assume a nice'n & pleasant update experience if I choose to utilize the Sendmail RPM Package intended for SuSE Linux 7.2, but in effect will patch the Sendmail of a no longer supported SuSE Linux 7.1 system still residing on our corporate server?
Thanks! - Philippe Wiede
well, what you could also do is the following: take the latest src.rpm you can get, you have to have one from the last updates on March/April :-) Install it with rpm -hiv sendmail-INSERT_YOUR_VERSION.src.rpm copy the patch from sendmail.org to /usr/src/packages/SOURCES/parse8.359.2.8.patch add the following to /usr/src/packages/SPECS/sendmail.spec: Patch5: sendmail.8.11.6.security.cr.patch Patch6: prescan.8.11.patch + Patch7: parse8.359.2.8.patch it might be not Patch7 for you, i did this on a 7.0 system with all updates since patches are no longer available :-) ---some lines down in sendmail.spec: %prep %setup -b 2 %patch -P 5 -p 0 %patch -P 1 -p 0 -b .dif cd sendmail %patch -P 6 + %patch -P 7 cd .. again, it is possible that this is a little different on your system. now cd /usr/src/packages/SPECS/ rpm -bc sendmail.spec if it compiles without errors, lucky you! mv /usr/sbin/sendmail /usr/sbin/sendmail.original cp /usr/src/packages/BUILD/sendmail-8.10.2/obj*/sendmail/sendmail /usr/sbin # the path could be different on your sendmail-version touch /usr/sbin/sendmail_is_patched_until_20030916 check the file permissions on /usr/sbin/sendmail etc, and restart the daemon. Everything should work fine I did not install it with "rpm -bb" or "rpm -ba" because on old SuSE-Version, don't know until which one, the rpm build was not chrooted, so you could shoot your whole setup. Since i only needed to replace the sendmail binary, this is ok for me. If you are scared by this description, you probably better upgrade your machine to 8.2 or SLES8, where you are supported and get ready-made packages ;-) Another possibility (this is what i did with the openssh-stuff a week ago) is to take the source.rpm from 7.2 and rebuild it with "rpm -bb name.spec" but beware of overwriting your config on an old system. Backup at least /etc. Good Luck Stefan -- Stefan Seyfried Senior Consultant community4you GmbH, Chemnitz, Germany. http://www.community4you.de http://www.open-eis.com
Following the tread I simply 1: rpm -ivh sasl.rpm package 2: rpm -Uvh sendmail.rpm for 7.2 And it worked fine Dr.Leisen Antal Grid International Magyarország antal.leisen@kreorg.hu +36-1-321-0031 -----Eredeti üzenet----- Feladó: Stefan Seyfried [mailto:seife@community4you.de] Küldve: Tuesday, September 23, 2003 12:00 PM Címzett: suse-security@suse.com Tárgy: Re: [suse-security] Re: SuSE Security Announcement: sendmail, sendmail-tls (SuSE-SA:2003:040) On Mon, Sep 22, 2003 at 08:21:25PM +0200, PW wrote:
Can I assume a nice'n & pleasant update experience if I choose to utilize the Sendmail RPM Package intended for SuSE Linux 7.2, but in
effect will patch the Sendmail of a no longer supported SuSE Linux 7.1 system still residing on our corporate server?
Thanks! - Philippe Wiede
well, what you could also do is the following: take the latest src.rpm you can get, you have to have one from the last updates on March/April :-) Install it with rpm -hiv sendmail-INSERT_YOUR_VERSION.src.rpm copy the patch from sendmail.org to /usr/src/packages/SOURCES/parse8.359.2.8.patch add the following to /usr/src/packages/SPECS/sendmail.spec: Patch5: sendmail.8.11.6.security.cr.patch Patch6: prescan.8.11.patch + Patch7: parse8.359.2.8.patch it might be not Patch7 for you, i did this on a 7.0 system with all updates since patches are no longer available :-) ---some lines down in sendmail.spec: %prep %setup -b 2 %patch -P 5 -p 0 %patch -P 1 -p 0 -b .dif cd sendmail %patch -P 6 + %patch -P 7 cd .. again, it is possible that this is a little different on your system. now cd /usr/src/packages/SPECS/ rpm -bc sendmail.spec if it compiles without errors, lucky you! mv /usr/sbin/sendmail /usr/sbin/sendmail.original cp /usr/src/packages/BUILD/sendmail-8.10.2/obj*/sendmail/sendmail /usr/sbin # the path could be different on your sendmail-version touch /usr/sbin/sendmail_is_patched_until_20030916 check the file permissions on /usr/sbin/sendmail etc, and restart the daemon. Everything should work fine I did not install it with "rpm -bb" or "rpm -ba" because on old SuSE-Version, don't know until which one, the rpm build was not chrooted, so you could shoot your whole setup. Since i only needed to replace the sendmail binary, this is ok for me. If you are scared by this description, you probably better upgrade your machine to 8.2 or SLES8, where you are supported and get ready-made packages ;-) Another possibility (this is what i did with the openssh-stuff a week ago) is to take the source.rpm from 7.2 and rebuild it with "rpm -bb name.spec" but beware of overwriting your config on an old system. Backup at least /etc. Good Luck Stefan -- Stefan Seyfried Senior Consultant community4you GmbH, Chemnitz, Germany. http://www.community4you.de http://www.open-eis.com -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
That worked fined with cyrus-sasl.rpm for 7.2, indeed :) Thank you! - Philippe Wiede webmaster wrote:
Following the tread I simply
1: rpm -ivh sasl.rpm package 2: rpm -Uvh sendmail.rpm for 7.2
And it worked fine
Dr.Leisen Antal Grid International Magyarország
Hi. How do I add this public key to KMail so it doesn't show up in Yellow? Using OpenGPG in KMail. On Saturday 20 September 2003 12:12, Roman Drahtmueller wrote:
participants (6)
-
Armin Schoech
-
PW
-
Rob Collins (dreams0in1digital)
-
Roman Drahtmueller
-
Stefan Seyfried
-
webmaster