Mandriva Advisories

Package name sendmail
Date September 17th, 2003
Advisory ID MDKSA-2003:092
Affected versions 8.2, 9.0, 9.1, CS2.1
Synopsis Updated sendmail packages fix buffer overflow vulnerability

Problem Description

Michal Zalewski discovered a buffer overflow vulnerability in the address
parsing code of all versions of sendmail prior to 8.12.10; Todd C. Miller
provided a patch to fix the problem. This vulnerability appears to be
remotely exploitable on Linux systems running on the x86 platform; the
sendmail team is unsure about other platforms (CAN-2003-0694).

Another potential buffer overflow was fixed in ruleset parsing. It is not
exploitable in the default sendmail configuration; a problem may occur only
if non-standard recipient (2), final (4), or mailer-specific envelope
recipient rulesets are used. This problem was discovered by Timo Sirainen
(CAN-2003-0681).

MandrakeSoft encourages all sendmail users to upgrade to the provided
packages, which are patched to fix both problems.

Updated Packages

Mandrakelinux 8.2

87a2d830b724bc67640ea4e267a60517  8.2/RPMS/sendmail-8.12.1-4.5mdk.i586.rpm
b21c82a3f1b554aecd5227ab7269aea4  8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.i586.rpm
aed850225f1902657b02010a703d744c  8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.i586.rpm
aca8d9015390056de17b16db3fecc3e4  8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.i586.rpm
b0a8f5bbc575c2fc8b0dcaf2af00cbba  8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm

Mandrakelinux 8.2/PPC

993a8769ba667651e4319c27c9e82b7e  ppc/8.2/RPMS/sendmail-8.12.1-4.5mdk.ppc.rpm
6c9e501287a7eccec51b10dce7c6e6fb  ppc/8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.ppc.rpm
e8d204f807ee1ea4a364fb4afdc24439  ppc/8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.ppc.rpm
cb695b306b372a540e363006adfc5f54  ppc/8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.ppc.rpm
b0a8f5bbc575c2fc8b0dcaf2af00cbba  ppc/8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm

Mandrakelinux 9.0

7870e3e3f35647266197194e933f5ed7  9.0/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
3df2666ba0c7eef233a0060d799d86c4  9.0/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
e09d65fa52f14038643602d9c41ea72b  9.0/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
6c580bbbc7212e13b2a27de1e727254d  9.0/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
e9aa39db8dad6941af1e3a6e8c857cb5  9.0/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm

Mandrakelinux 9.1

abf1ad68f3835ce7f2593f935af97c95  9.1/RPMS/sendmail-8.12.9-1.2mdk.i586.rpm
26427faee7bc48e521e370a7957865a7  9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.i586.rpm
a531c3ec3b6807428968254854d863b2  9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.i586.rpm
3e70938f6cb88c69f3a004c96b3ec347  9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.i586.rpm
1d575885387c5130d993d15cdfec56e5  9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm

Mandrakelinux 9.1/PPC

ff80af8ecc2af755689271c495cffed2  ppc/9.1/RPMS/sendmail-8.12.9-1.2mdk.ppc.rpm
d29850a5cd7322d7d908a2c7299133ea  ppc/9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.ppc.rpm
503d3aae07c0b8f707fd0f6187990dbd  ppc/9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.ppc.rpm
10c1cb226d1e991eed8f974d1b62dc33  ppc/9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.ppc.rpm
1d575885387c5130d993d15cdfec56e5  ppc/9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm

Corporate Server 2.1

7870e3e3f35647266197194e933f5ed7  corporate/2.1/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
3df2666ba0c7eef233a0060d799d86c4  corporate/2.1/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
e09d65fa52f14038643602d9c41ea72b  corporate/2.1/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
6c580bbbc7212e13b2a27de1e727254d  corporate/2.1/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
e9aa39db8dad6941af1e3a6e8c857cb5  corporate/2.1/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm

Corporate Server 2.1/X86_64

be2b785589385b663e68eee7333a3e0b  x86_64/corporate/2.1/RPMS/sendmail-8.12.6-3.5mdk.x86_64.rpm
cee3ca36ad6b93e4f904fd100ab88232  x86_64/corporate/2.1/RPMS/sendmail-cf-8.12.6-3.5mdk.x86_64.rpm
e85ead3a1faa38e0f75877d376c29e4d  x86_64/corporate/2.1/RPMS/sendmail-devel-8.12.6-3.5mdk.x86_64.rpm
502927ac1e70df157079e8779f919527  x86_64/corporate/2.1/RPMS/sendmail-doc-8.12.6-3.5mdk.x86_64.rpm
e9aa39db8dad6941af1e3a6e8c857cb5  x86_64/corporate/2.1/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
http://www.sendmail.org/8.12.10.html

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

                rpm --checksig package.rpm


You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
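The following script is an added example and is not part of the original advisory or of Mandriva's tooling. It shows the manual verification path described above: compare a downloaded RPM against the MD5 listed in the "Updated Packages" section, and only then hand the file to rpm --checksig. The list file format assumed here is the advisory's own "md5  path" layout; the sample file, its contents, and the list file name MDKSA-2003-092.md5 are constructed for the demo and are not a real package.

```shell
#!/bin/sh
# Added example (not from the MDKSA-2003:092 advisory): check downloaded RPMs
# against an advisory-style "md5  path" list, then run rpm --checksig.
set -eu

# md5_of FILE -> prints the hex MD5 digest, using md5sum (GNU) or md5 (BSD).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no MD5 tool available" >&2
        return 2
    fi
}

# verify_md5 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "OK      $1"
        return 0
    fi
    echo "FAIL    $1 (expected $2, got $actual)" >&2
    return 1
}

# verify_list LISTFILE DIR -> checks every "md5  path" line of LISTFILE against
# the file of the same basename under DIR. Returns 0 only if every listed
# file is present and matches; a missing file counts as a failure.
verify_list() {
    fails=0
    while read -r sum path; do
        [ -n "$sum" ] || continue                 # skip blank lines
        f="$2/$(basename "$path")"
        if [ ! -f "$f" ]; then
            echo "MISSING $f" >&2
            fails=$((fails + 1))
            continue
        fi
        verify_md5 "$f" "$sum" || fails=$((fails + 1))
    done < "$1"
    echo "$fails file(s) failed verification"
    [ "$fails" -eq 0 ]
}

# check_signature FILE -> the authoritative check: rpm --checksig verifies the
# GPG signature (the vendor key must have been imported with rpm --import).
# Skipped where rpm is not installed so the script stays runnable elsewhere.
check_signature() {
    if command -v rpm >/dev/null 2>&1; then
        rpm --checksig "$1"
    else
        echo "rpm not installed; skipping signature check for $1" >&2
    fi
}

# Demo on constructed input: a file holding "hello\n" (a known MD5) named
# like one of the advisory's packages, plus a one-line list in the advisory's
# "md5  path" layout. Neither is a real RPM; this is a hypothetical fixture.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sendmail-8.12.1-4.5mdk.i586.rpm"
printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 \
    8.2/RPMS/sendmail-8.12.1-4.5mdk.i586.rpm > "$demo_dir/MDKSA-2003-092.md5"
if verify_list "$demo_dir/MDKSA-2003-092.md5" "$demo_dir"; then
    echo "MD5 matched; on a real download, run: check_signature <file.rpm>"
fi
rm -rf "$demo_dir"
```

In practice, paste the lines for your release from "Updated Packages" into the list file, point DIR at the download directory, and treat a FAIL or MISSING line as a reason not to install. The MD5 comparison only catches corrupted or truncated downloads; MD5 is no longer collision-resistant, so the GPG signature checked by rpm --checksig (after importing the Mandriva Security Team key) is the check that actually establishes the package came from the vendor.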