[security@slackware.com: [slackware-security] Sendmail buffer overflow fixed]

From: White Vampire (whitevampire@mindless.com)
Date: 03/29/03

  • Next message: Michal Zalewski: "Sendmail: -1 gone wild" 
    Date: Sat, 29 Mar 2003 13:08:43 -0500
From: White Vampire <whitevampire@mindless.com>
To: bugtraq@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ----- Forwarded message from Slackware Security Team <security@slackware.com> -----

    Return-Path: <owner-slackware-security@bob.slackware.com>
    Delivered-To: whitvamp@localhost
    Received: (qmail 7993 invoked from network); 25 Mar 2003 17:44:33 -0000
    Received: from localhost (127.0.0.1)
      by localhost with SMTP; 25 Mar 2003 17:44:33 -0000
    Delivered-To: vampwhit@lilly.csoft.net
    Received: from mail102.csoft.net [63.111.26.110]
            by localhost with POP3 (fetchmail-5.8.3)
            for whitvamp@localhost (single-drop); Tue, 25 Mar 2003 12:44:33 -0500 (EST)
    Received: (qmail 76250 invoked from network); 4 Mar 2003 00:40:08 -0000
    Received: from unknown (HELO ws4-2.us4.outblaze.com) (205.158.62.67)
      by mail102.csoft.net with SMTP; 4 Mar 2003 00:40:08 -0000
    Received: from spf2.us4.outblaze.com (205-158-62-24.outblaze.com [205.158.62.24])
            by ws4-2.us4.outblaze.com (8.12.7/8.12.7) with ESMTP id h240bolV018458
            for <whitevampire@mindless.com>; Tue, 4 Mar 2003 00:37:50 GMT
    Received: from bob.slackware.com (slackware.com [64.57.102.34])
            by spf2.us4.outblaze.com (8.12.7/8.12.7) with ESMTP id h23NOlBK098678
            for <whitevampire@mindless.com>; Mon, 3 Mar 2003 23:27:06 GMT
    Received: (from daemon@localhost)
            by bob.slackware.com (8.11.6/8.11.6) id h23MOhp13226
            for slackware-security-outgoing; Mon, 3 Mar 2003 14:24:43 -0800
    Received: from localhost (security@localhost)
            by bob.slackware.com (8.11.6/8.11.6) with ESMTP id h23MOhm13223
            for <slackware-security@slackware.com>; Mon, 3 Mar 2003 14:24:43 -0800
    Date: Mon, 3 Mar 2003 14:24:43 -0800 (PST)
    From: Slackware Security Team <security@slackware.com>
    To: slackware-security@slackware.com
    Subject: [slackware-security] Sendmail buffer overflow fixed
    Message-ID: <Pine.LNX.4.21.0303031424220.13214-100000@bob.slackware.com>
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=US-ASCII
    Sender: owner-slackware-security@slackware.com
    Precedence: bulk
    Reply-To: Slackware Security Team <security@slackware.com>

    - -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    [slackware-security] Sendmail buffer overflow fixed

    The sendmail packages in Slackware 8.1 and -current have been patched to fix
    a security problem. All sites running sendmail should upgrade.

    More information on the problem can be found here:

    http://www.sendmail.org/8.12.8.html

    Here are the details from the Slackware 8.1 ChangeLog:
    +--------------------------+
    Mon Mar 3 10:29:01 PST 2003
    patches/packages/sendmail-8.12.8-i386-1.tgz: Upgraded to sendmail-8.12.8.
      From sendmail's RELNOTES:
        SECURITY: Fix a remote buffer overflow in header parsing by dropping sender
        and recipient header comments if the comments are too long. Problem noted
        by Mark Dowd of ISS X-Force.
      (* Security fix *)
    patches/packages/sendmail-cf-8.12.8-noarch-1.tgz: Updated config files for
      sendmail-8.12.8.
    +--------------------------+

    WHERE TO FIND THE NEW PACKAGES:
    +-----------------------------+

    Updated packages for Slackware 8.1:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sendmail-8.12.8-i386-1.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sendmail-cf-8.12.8-noarch-1.tgz

    Updated packages for Slackware -current:
    ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/sendmail-8.12.8-i386-1.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/sendmail-cf-8.12.8-noarch-1.tgz

    MD5 SIGNATURES:
    +-------------+

    Here are the md5sums for the packages:

    Slackware 8.1 packages:
    c2c72b982d91d9ca0f59ab2afdf337f2 sendmail-8.12.8-i386-1.tgz
    0b8e338169dca7487dd042ba070120d1 sendmail-cf-8.12.8-noarch-1.tgz

    Slackware -current packages:
    a9db559cd852164577f26efff1e9b36d sendmail-8.12.8-i386-1.tgz
    0141c1f40e1efd148f9ccd1d5a09e7f0 sendmail-cf-8.12.8-noarch-1.tgz

    INSTALLATION INSTRUCTIONS:
    +------------------------+

    As root, upgrade the sendmail package(s) with upgradepkg:

    upgradepkg sendmail-*.tgz

    Then, restart sendmail:

    /etc/rc.d/rc.sendmail restart

    +-----+

    Slackware Linux Security Team
    http://slackware.com/gpg-key
    security@slackware.com

    +------------------------------------------------------------------------+
    | HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
    +------------------------------------------------------------------------+
    | Send an email to majordomo@slackware.com with this text in the body of |
    | the email message: |
    | |
    | unsubscribe slackware-security |
    | |
    | You will get a confirmation message back. Follow the instructions to |
    | complete the unsubscription. Do not reply to this message to |
    | unsubscribe! |
    +------------------------------------------------------------------------+

    - -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+Y7AXakRjwEAQIjMRAq4iAJwIucFzraCEl/TW5xNW3/A8OBCuuACfdnpB
    KnimFQKeMEWk+HEClZ0iCXc=
    =0WNi
    - -----END PGP SIGNATURE-----

    - ----- End forwarded message -----

    - --
    \ | \ / White Vampire\Rem | http://gammaforce.org/
     \|\| \/ whitevampire@mindless.com | http://gammagear.com/
    "Silly hacker, root is for administrators." | http://webfringe.com/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.5 (GNU/Linux)

    iD8DBQE+heEq3+rxmnEDyl8RApZ3AJ9oXisP7Y2DeHQSI3FCgefQFbkCcACeL4Wt
    CHuAb00apkFPlamBSiJV+ug=
    =vvsT
    -----END PGP SIGNATURE-----

  • Next message: Michal Zalewski: "Sendmail: -1 gone wild"

    Relevant Pages

    • [slackware-security] Sendmail vulnerabilities fixed (SSA:2003-260-02)
      ... Here are the details from the Slackware 9.0 ChangeLog: ... We recommend that sites running Sendmail upgrade immediately. ... WHERE TO FIND THE NEW PACKAGES: ...
      (Bugtraq)
    • [slackware-security] OpenSSL security update (SSA:2003-273-01)
      ... We recommend sites that use OpenSSL upgrade to the fixed packages ... Here are the details from the Slackware 9.1 ChangeLog: ... We recommend sites that use OpenSSL upgrade to the fixed packages right away. ...
      (Bugtraq)
    • [slackware-security] kdepim security update (SSA:2004-014-01)
      ... New kdepim packages are available for Slackware 9.0 and 9.1 to ... A carefully crafted .VCF file potentially enables local ... WHERE TO FIND THE NEW PACKAGES: ... upgrade the packageusing upgradepkg: ...
      (Bugtraq)
    • [slackware-security] apache security update (SSA:2003-308-01)
      ... Apache httpd is a hypertext transfer protocol server, ... Sites running Apache should upgrade to the new packages. ... Here are the details from the Slackware 9.1 ChangeLog: ...
      (Bugtraq)
    • Re: machine
      ... Thanks for the excellent response to my questions about linux packaging. ... So there is a package manager of sorts for slackware. ... I wasn't actually going to upgrade because I was ... Mozilla would not install because I have galeon ...
      (alt.os.linux)