OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 19-Sep-2003 10:10:34
Branch: HEAD Handle: 2003091909103400
Added files:
openpkg-web/security OpenPKG-SA-2003.041-sendmail.txt
Modified files:
openpkg-web/security page.pl
Log:
add Sendmail SA
Summary:
Revision Changes Path
1.1 +98 -0 openpkg-web/security/OpenPKG-SA-2003.041-sendmail.txt
1.26 +1 -1 openpkg-web/security/page.pl
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.041-sendmail.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.041-sendmail.txt
--- /dev/null 2003-09-19 10:10:34.000000000 +0200
+++ OpenPKG-SA-2003.041-sendmail.txt 2003-09-19 10:10:34.000000000 +0200
@@ -0,0 +1,98 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.041 19-Sep-2003
+________________________________________________________________________
+
+Package: sendmail
+Vulnerability: remote root exploit
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= sendmail-8.12.9-20030801 >= sendmail-8.12.10-20030917
+OpenPKG 1.3 <= sendmail-8.12.9-1.3.0 >= sendmail-8.12.9-1.3.1
+OpenPKG 1.2 <= sendmail-8.12.7-1.2.3 >= sendmail-8.12.7-1.2.4
+
+Dependent Packages: none
+
+Description:
+ According to a confirmed [1] security advisory from Michal Zalewski
+ [2], a remotely exploitable vulnerability exists in all versions
+ prior to 8.12.10 of the Sendmail [0] MTA. An error in its prescan()
+ function could allow an attacker to write past the end of a buffer,
+ corrupting memory structures. Depending on platform and operating
+ system architecture, the attacker may be able to execute arbitrary
+ code with a specially crafted email message.
+
+ The email attack vector is message-oriented as opposed to
+ connection-oriented. This means that the vulnerability is triggered
+ by the contents of a specially crafted email message rather than by
+ lower-level network traffic. The Common Vulnerabilities and Exposures
+ (CVE) project assigned the id CAN-2003-0694 [3] to the problem.
+
+ Additionally, we have included a fix for a potential buffer overflow
+ in Sendmail's ruleset parsing. This problem is not exploitable in the
+ default Sendmail configuration; it is exploitable only if non-standard
+ rulesets recipient (2), final (4), or mailer-specific envelope
+ recipients rulesets are used. The Common Vulnerabilities and Exposures
+ (CVE) project assigned the id CAN-2003-0681 [4] to this problem.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm
+ -q sendmail". If you have the "sendmail" package installed and its
+ version is affected (see above), we recommend that you immediately
+ upgrade it (see Solution) [5][6]
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
+ location, verify its integrity [11], build a corresponding binary
+ RPM from it [5] and update your OpenPKG installation by applying the
+ binary RPM [6]. For the current release OpenPKG 1.3, perform the
+ following operations to permanently fix the security problem (for
+ other releases adjust accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp> bin
+ ftp> cd release/1.3/UPD
+ ftp> get sendmail-8.12.9-1.3.1.src.rpm
+ ftp> bye
+ $ <prefix>/bin/rpm -v --checksig sendmail-8.12.9-1.3.1.src.rpm
+ $ <prefix>/bin/rpm --rebuild sendmail-8.12.9-1.3.1.src.rpm
+ $ su -
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.9-1.3.1.*.rpm
+________________________________________________________________________
+
+References:
+ [0] http://www.sendmail.org/
+ [1] http://www.sendmail.org/8.12.10.html
+ [2] http://www.securityfocus.com/archive/1/337839/2003-09-16/2003-09-22/0
+ [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694
+ [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681
+ [5] http://www.openpkg.org/tutorial.html#regular-source
+ [6] http://www.openpkg.org/tutorial.html#regular-binary
+ [7] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.4.src.rpm
+ [8] ftp://ftp.openpkg.org/release/1.3/UPD/sendmail-8.12.9-1.3.1.src.rpm
+ [9] ftp://ftp.openpkg.org/release/1.2/UPD/
+ [10] ftp://ftp.openpkg.org/release/1.3/UPD/
+ [11] http://www.openpkg.org/security.html#signature
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD4DBQE/arnPgHWT4GPEy58RAsmLAJiH9OqLxetLP4nGrjxpt0+ChXRRAJ9n0IqN
+c/jaIaEn3EpRDeHv5p5gAQ==
+=xfNO
+-----END PGP SIGNATURE-----
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/page.pl
============================================================================
$ cvs diff -u -r1.25 -r1.26 page.pl
--- openpkg-web/security/page.pl 17 Sep 2003 08:29:01 -0000 1.25
+++ openpkg-web/security/page.pl 19 Sep 2003 08:10:34 -0000 1.26
@@ -13,7 +13,7 @@
foreach my $sa (reverse sort @SA) {
my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
next if ($name =~ m|^0000|);
- next if ($name =~ m|^2003\.04[1-9]|);
+ next if ($name =~ m|^2003\.04[2-9]|);
if ($this_year ne $year) {
$sidebar .= "<br>\n";
$this_year = $year;
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
