Fwd: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
From: Mike Tancsa (mike@sentex.net)
Date: 02/23/01
Date: Thu, 22 Feb 2001 20:24:18 -0500
To: security@freebsd.org
From: Mike Tancsa <mike@sentex.net>

Is this a LINUX specific thing, or Sendmail in general ??
>Approved-By: beng@SECURITYFOCUS.COM
>Delivered-To: bugtraq@lists.securityfocus.com
>Delivered-To: bugtraq@securityfocus.com
>User-Agent: Mutt/1.2.5i
>X-Mailman-Version: 1.1
>List-Id: Announcements-only security list
> <tl-security-announce.www.turbolinux.com>
>X-BeenThere: tl-security-announce@www.turbolinux.com
>Date: Thu, 22 Feb 2001 14:09:35 -0800
>Reply-To: security@TURBOLINUX.COM
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>From: security@TURBOLINUX.COM
>Subject: [TL-Security-Announce] Sendmail-8.11.2-5 TLSA2001003-1
>X-To: tl-security-announce@www1.turbolinux.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (amavis.org)
>
>
>
>___________________________________________________________________________
>
> TurboLinux Security Announcement
>
>
> Vulnerable Packages: All versions previous to 8.11.2-5
> Date: 02/21/2001 5:00 PDT
>
> Affected TurboLinux versions: TL 6.1 WorkStation,
> All TurboLinux versions
> 6.0.5 and earlier
>
> TurboLinux Advisory ID#: TLSA2001003-1
>
> Credits: Vulnerability discovered by Michal Zalewski
> of the Internet for Schools project (IdS).
>___________________________________________________________________________
>
>A security hole was discovered in the package mentioned above.
>Please update the package in your installation as soon as possible.
>___________________________________________________________________________
>
>1. Problem Summary
>
> Sendmail, launched with the -bt command-line switch, enters its special
> "address test" mode. Under these conditions, it is vulnerable to a
> segmentation fault which can occur when trying to set a class in
> address test mode due to a negative array index.
>
>2. Impact
>
> A user can gain root privileges.
>
>3. Solution
>
> Update the package from our ftp server by running the following command:
>
> rpm -Uvh ftp_path_to_filename
>
> Where ftp_path_to_filename is the following:
>
>
>ftp://ftp.turbolinux.com/pub/updates/6.0/security/sendmail-8.11.2-5.i386.rpm
>
> The source RPM can be downloaded here:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/sendmail-8.11.2-5.src.rpm
>
> **Note: You must rebuild and install the RPM if you choose to download
> and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
> THE SECURITY HOLE.
>
> Please verify the MD5 checksums of the updates before you install:
>
> MD5 sum Package Name
>---------------------------------------------------------------------------
>38eee0653839595aedad386cc8d2346f sendmail-8.11.2-5.i386.rpm
>cfe857414b7e3cdbf658a898bd592b71 sendmail-8.11.2-5.src.rpm
>___________________________________________________________________________
>
>These packages are GPG signed by TurboLinux for security. Our key
>is available here:
>
> http://www.turbolinux.com/security/tlgpgkey.asc
>
>To verify a package, use the following command:
>
> rpm --checksig name_of_rpm
>
>To examine only the md5sum, use the following command:
>
> rpm --checksig --nogpg name_of_rpm
>
>**Note: Checking GPG keys requires RPM 3.0 or higher.
>
>___________________________________________________________________________
>You can find more updates on our ftp server:
>
> ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation
> and Server security updates
> ftp://ftp.turbolinux.com/pub/updates/4.0/security/ for TL4.0 Workstation
> and Server security updates
>
>Our webpage for security announcements:
>
> http://www.turbolinux.com/security
>
>If you want to report vulnerabilities, please contact:
>
> security@turbolinux.com
>___________________________________________________________________________
>
>Subscribe to the TurboLinux Security Mailing lists:
>
> TL-security - A moderated list for discussing security issues
> TurboLinux products.
> Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security
>
> TL-security-announce - An announce-only mailing list for security updates
> and alerts.
> Subscribe at:
>
> http://www.turbolinux.com/mailman/listinfo/tl-security-announce
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
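
The "negative array index" class of bug named in the advisory's problem summary, as an added illustration that is not part of the original message and is not Sendmail's code. It assumes the index is derived from a signed name byte, which the advisory does not state; `class_table`, `class_index_unsafe`, `class_index_safe` and `set_class` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define NCLASSES 256   /* hypothetical: one slot per possible class-name byte */

struct class_table {
    unsigned char members[NCLASSES];
};

/* Flawed pattern: the name byte is treated as signed, so bytes 0x80..0xFF
 * become -128..-1 and would address memory in front of members[]. */
int class_index_unsafe(signed char name)
{
    return (int)name;
}

/* Hardened pattern: convert through unsigned char so the index is 0..255. */
int class_index_safe(char name)
{
    return (int)(unsigned char)name;
}

/* Setter that rejects any index outside the table instead of writing.
 * Returns 0 on success, -1 if the index was refused. */
int set_class(struct class_table *t, int idx, unsigned char value)
{
    if (idx < 0 || idx >= NCLASSES)
        return -1;
    t->members[idx] = value;
    return 0;
}

int main(void)
{
    struct class_table t;
    char name = (char)0xE9;   /* constructed input: a class name with the high bit set */
    int bad, good;

    memset(&t, 0, sizeof t);
    bad = class_index_unsafe((signed char)name);
    good = class_index_safe(name);
    printf("unsafe index %d -> set_class returns %d\n", bad, set_class(&t, bad, 1));
    printf("safe index %d -> set_class returns %d\n", good, set_class(&t, good, 1));
    return 0;
}
```

Either fix alone closes the hole in this model: the unsigned conversion keeps the index in range, and the bounds check in the setter refuses the write if a negative index still arrives.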