Re: Sendmail patch questions...

2003-03-04 Thread Matthew Seaman
On Tue, Mar 04, 2003 at 04:22:49AM +0200, Giorgos Keramidas wrote:

> PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
> maintainer of Sendmail on FreeBSD, has already merged the latest
> Sendmail version (8.12.8) to the RELENG_4 branch.

Actually, according to what I can see in a quick trawl through cvsweb,
he's MFC'd sendmail patches on all RELENG_x and RELENG_x_y branches
back to and including RELENG_3:


http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/sendmail/src/?sortby=date&only_with_tag=RELENG_3

However, it seems that his modifications don't constitute a complete
upgrade to sendmail-8.12.8 except on RELENG_4 and HEAD.  Hence the
confusion over the binary updates given in the original security
alert.  Your sendmail binary will be immune to this attack if you've
built it out of a recently cvsup'd source tree or installed one of the
binary patches so that:

-- you're running sendmail-8.12.8 or better

or

-- the string 'Dropped invalid comments from header address'
   appears in the sendmail binary.

Thanks to Claus Assmann for pointing out the second test.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH, UK

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


RE: Sendmail patch questions...

2003-03-04 Thread Mike Loiterman
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, March 04, 2003 2:20 AM Matthew Seaman mailto:[EMAIL PROTECTED] wrote:

> On Tue, Mar 04, 2003 at 04:22:49AM +0200, Giorgos Keramidas wrote:
>
>> PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
>> maintainer of Sendmail on FreeBSD, has already merged the latest
>> Sendmail version (8.12.8) to the RELENG_4 branch.
>
> Actually, according to what I can see in a quick trawl through cvsweb,
> he's MFC'd sendmail patches on all RELENG_x and RELENG_x_y branches
> back to and including RELENG_3:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/sendmail/src/?sortby=date&only_with_tag=RELENG_3
>
> However, it seems that his modifications don't constitute a complete
> upgrade to sendmail-8.12.8 except on RELENG_4 and HEAD.  Hence the
> confusion over the binary updates given in the original security
> alert.  Your sendmail binary will be immune to this attack if you've
> built it out of a recently cvsup'd source tree or installed one of the
> binary patches so that:
>
> -- you're running sendmail-8.12.8 or better
>
> or
>
> -- the string 'Dropped invalid comments from header address'
>    appears in the sendmail binary.
>
> Thanks to Claus Assmann for pointing out the second test.
>
> Cheers,
>
> Matthew

Thanks Matt.  Few questions though:

1.  What is `BP'?
2.  I applied the patch and now I'm building world with my existing 4.4 sources.  Is
this not as `safe' as cvsuping and then building world?  I'm not sure I understand the
implications of not cvsuping, especially since the patch has been applied to 8.11.6 in
the 4.4 branch.

- ---
Randomly Generated Quote:
A free society is one where it's safe
to be unpopular. --Adlai E. Stevenson

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: This message has been digitally signed by Mike Loiterman

iQA/AwUBPmSYuGjZbUnRudGOEQJWPgCgvbrt9oAX6RJy/T4kHvX+aP+8v9AAnRDu
mQLlUgh4bGNv8SB8ormwrzq9
=3Qur
-----END PGP SIGNATURE-----




Re: Sendmail patch questions...

2003-03-04 Thread Peter Elsner
Step by step instructions

ftp sendmail.org
login anonymously
cd pub/sendmail
get sendmail-8.12.8.tar.gz
quit
tar xvzf sendmail-8.12.8.tar.gz
cd sendmail-8.12.8
./Build
./Build install
kill -1 (SIGHUP) sendmail

You're now upgraded

At 08:53 PM 3/3/2003 -0600, you wrote:
> On Mon, Mar 03, 2003 at 05:49:50PM -0600, Mike Loiterman wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Just applied the patch to /usr/src/contrib/sendmail/src
>>
>> I'm running sendmail 8.11.6
>>
>>
>> 1.  Is this the correct location for the patch?
>> 2.  Do I need to do a `make world' or can I just do a make install from
>> with the /usr/src/contrib/sendmail directory and restart sendmail?
>>
>> Thanks...
>
> I'm also running 8.11.6.  I installed the correct patch from sendmail.org
> but haven't figured out how to get it to compile.  The README says:
> *
> !! DO NOT USE MAKE !!  in this directory to compile sendmail --
> *  instead, use the Build script located in
> the sendmail directory.
> However, there is no Build script.
>
> Now what?
--
Peter Elsner [EMAIL PROTECTED]
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say Daddy, where
were you when they took freedom of the press away from the Internet?
-- Mike Godwin
Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know,
pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.





Re: Sendmail patch questions...

2003-03-04 Thread Matthew Seaman
On Tue, Mar 04, 2003 at 06:14:49AM -0600, Mike Loiterman wrote:

> On Tuesday, March 04, 2003 2:20 AM Matthew Seaman mailto:[EMAIL PROTECTED] wrote:
>
>> On Tue, Mar 04, 2003 at 04:22:49AM +0200, Giorgos Keramidas wrote:
>>
>>> PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
>>> maintainer of Sendmail on FreeBSD, has already merged the latest
>>> Sendmail version (8.12.8) to the RELENG_4 branch.
>>
>> Actually, according to what I can see in a quick trawl through cvsweb,
>> he's MFC'd sendmail patches on all RELENG_x and RELENG_x_y branches
>> back to and including RELENG_3:
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/sendmail/src/?sortby=date&only_with_tag=RELENG_3
>>
>> However, it seems that his modifications don't constitute a complete
>> upgrade to sendmail-8.12.8 except on RELENG_4 and HEAD.  Hence the
>> confusion over the binary updates given in the original security
>> alert.  Your sendmail binary will be immune to this attack if you've
>> built it out of a recently cvsup'd source tree or installed one of the
>> binary patches so that:
>>
>> -- you're running sendmail-8.12.8 or better
>>
>> or
>>
>> -- the string 'Dropped invalid comments from header address'
>>    appears in the sendmail binary.
>>
>> Thanks to Claus Assmann for pointing out the second test.
>>
>> Cheers,
>>
>> Matthew
>
> Thanks Matt.  Few questions though:
>
> 1.  What is `BP'?

If you're talking about CVS tags that stands for Branch Point --
i.e. RELENG_4_7_BP marks the state of the sources at the point that the
RELENG_4_7 branch was created out of the RELENG_4 sources.  It's not a
particularly rewarding place to look for a fixed version of sendmail
though.

> 2.  I applied the patch and now I'm building world with my existing 4.4 sources.
> Is this not as `safe' as cvsuping and then building world?  I'm not sure I understand
> the implications of not cvsuping, especially since the patch has been applied to
> 8.11.6 in the 4.4 branch.

There are different interpretations of `safe'.  If you're running
production services on your machine and you can't afford the time to
run through regression tests and the like which you should do when
upgrading to a new OS version, then a conservative upgrade, like
applying the patches from the advisory or cvsup'ing to the latest
RELENG_4_4 sources sounds like a good idea.

On the other hand, if this is a personal machine and you can cope with
the sort of fallout you may encounter by doing a wholesale upgrade[*]
then generally, running the latest available 4.x version will give you
maximum benefit of all the development that's gone into the system
over the last year or so with minimum teething problems due to untried
code.

Cheers,

Matthew

[*] Not that FreeBSD upgrades tend to generate that much in terms of
fallout anyhow.  I can't remember the last time I broke a system or a
software package by attempting to upgrade.


-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH, UK




Re: Sendmail patch questions...

2003-03-04 Thread Giorgos Keramidas
On 2003-03-03 21:15, Terry Todd [EMAIL PROTECTED] wrote:
> On Mon, Mar 03, 2003 at 08:53:26PM -0600, Terry Todd wrote:
>> I'm also running 8.11.6.  I installed the correct patch from
>> sendmail.org but haven't figured out how to get it to compile.
>> The README says:
>>
>> *
>> !! DO NOT USE MAKE !!  in this directory to compile sendmail --
>> *  instead, use the Build script located in
>> the sendmail directory.
>>
>> However, there is no Build script.
>>
>> Now what?
>
> Looks like in FreeBSD you need to cd to /usr/src/usr/sbin/sendmail
> and run make install after applying the patch from sendmail.org
> Then restart sendmail.
>
> Is there a way to test that the vulnerability has been fixed?

There are also a few other things you need to recompile:

# cd /usr/src
# for dirname in lib/libsm lib/libsmdb lib/libsmutil \
      lib/libmilter bin/rmail libexec/mail.local \
      libexec/smrsh usr.bin/vacation usr.sbin/editmap \
      usr.sbin/mailstats usr.sbin/makemap \
      usr.sbin/praliases usr.sbin/sendmail
  do
      cd ${dirname}
      make cleandir && make cleandir
      make obj && make depend && make && make install
      cd /usr/src
  done

- Giorgos



upgrading sendmail from ports was Re: Sendmail patch questions...

2003-03-04 Thread Michelle Weeks
I would like to upgrade sendmail from the ports collection.  However, I have
been using sendmail 8.12.6 from the base install of FreeBSD 4.6.2 release and
I believe that installing sendmail from the ports collection will add files to
/usr/local rather than /usr, where sendmail is currently located.  From the
research I've done, after I install sendmail from the ports collection I will
need to add the following lines to the sendmail.mc file:

define(`confEBINDIR', `/usr/local/libexec')dnl
define(`UUCP_MAILER_PATH', `/usr/local/bin/uux')dnl

as well as change the mailer.conf file.  

Am I missing any other steps?  Any help would be greatly appreciated since this is my first attempt at upgrading sendmail.

Thank you,
Michelle

On Tuesday, March 4, 2003, at 06:43 AM, Peter Elsner wrote:

> Step by step instructions
>
> ftp sendmail.org
> login anonymously
> cd pub/sendmail
> get sendmail-8.12.8.tar.gz
> quit
> tar xvzf sendmail-8.12.8.tar.gz
> cd sendmail-8.12.8
> ./Build
> ./Build install
>
> kill -1 (SIGHUP) sendmail
>
> You're now upgraded
>
>
> At 08:53 PM 3/3/2003 -0600, you wrote:
>> On Mon, Mar 03, 2003 at 05:49:50PM -0600, Mike Loiterman wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Just applied the patch to /usr/src/contrib/sendmail/src
>>>
>>> I'm running sendmail 8.11.6
>>>
>>>
>>> 1.  Is this the correct location for the patch?
>>> 2.  Do I need to do a `make world' or can I just do a make install from with the /usr/src/contrib/sendmail directory and restart sendmail?
>>>
>>> Thanks...
>>
>>
>> I'm also running 8.11.6.  I installed the correct patch from sendmail.org
>> but haven't figured out how to get it to compile.  The README says:
>>
>> *
>> !! DO NOT USE MAKE !!  in this directory to compile sendmail --
>> *  instead, use the Build script located in
>> the sendmail directory.
>>
>> However, there is no Build script.
>>
>> Now what?





Sendmail patch questions...

2003-03-03 Thread Mike Loiterman
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just applied the patch to /usr/src/contrib/sendmail/src  

I'm running sendmail 8.11.6


1.  Is this the correct location for the patch?
2.  Do I need to do a `make world' or can I just do a make install from with the 
/usr/src/contrib/sendmail directory and restart sendmail?

Thanks...

- ---
Randomly Generated Quote:
'I like the word 'indolence'. It makes 
my laziness seem classy.' -- Bern Williams 

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: This message has been digitally signed by Mike Loiterman

iQA/AwUBPmPqHWjZbUnRudGOEQIxuACcDbTnPBWb7aeao/X0nv0rkFJVdSkAoMSn
3vFfqEMYdkU5YCN6HXUUfaCn
=pxNq
-----END PGP SIGNATURE-----




Re: Sendmail patch questions...

2003-03-03 Thread Giorgos Keramidas
On 2003-03-03 17:49, Mike Loiterman [EMAIL PROTECTED] wrote:
> Just applied the patch to /usr/src/contrib/sendmail/src
> I'm running sendmail 8.11.6

What patch did you apply?

> 1.  Is this the correct location for the patch?

Depends on the patch.  If it's the one from www.sendmail.org for the
8.11.x versions of Sendmail, then yes... you applied it in the right
part of the source tree.

> 2.  Do I need to do a `make world' or can I just do a make install
> from with the /usr/src/contrib/sendmail directory and restart
> sendmail?

It's probably better to do a full buildworld, to see if the patch
breaks anything.  Note though that even if a buildworld succeeds,
you're effectively trying to backport the fixes to an older,
unsupported branch of development.  Without more testing it's not easy
to answer questions like ``Will my Sendmail installation & setup work
without any sort of problem afterwards?''

- Giorgos

PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
maintainer of Sendmail on FreeBSD, has already merged the latest
Sendmail version (8.12.8) to the RELENG_4 branch.




Re: Sendmail patch questions...

2003-03-03 Thread Terry Todd
On Mon, Mar 03, 2003 at 05:49:50PM -0600, Mike Loiterman wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Just applied the patch to /usr/src/contrib/sendmail/src
>
> I'm running sendmail 8.11.6
>
>
> 1.  Is this the correct location for the patch?
> 2.  Do I need to do a `make world' or can I just do a make install from with the
> /usr/src/contrib/sendmail directory and restart sendmail?
>
> Thanks...


I'm also running 8.11.6.  I installed the correct patch from sendmail.org
but haven't figured out how to get it to compile.  The README says:

*
!! DO NOT USE MAKE !!  in this directory to compile sendmail --
*  instead, use the Build script located in
the sendmail directory.

However, there is no Build script.

Now what?




Re: Sendmail patch questions...

2003-03-03 Thread Terry Todd
On Mon, Mar 03, 2003 at 08:53:26PM -0600, Terry Todd wrote:
> On Mon, Mar 03, 2003 at 05:49:50PM -0600, Mike Loiterman wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Just applied the patch to /usr/src/contrib/sendmail/src
>>
>> I'm running sendmail 8.11.6
>>
>>
>> 1.  Is this the correct location for the patch?
>> 2.  Do I need to do a `make world' or can I just do a make install from with the
>> /usr/src/contrib/sendmail directory and restart sendmail?
>>
>> Thanks...
>
>
> I'm also running 8.11.6.  I installed the correct patch from sendmail.org
> but haven't figured out how to get it to compile.  The README says:
>
> *
> !! DO NOT USE MAKE !!  in this directory to compile sendmail --
> *  instead, use the Build script located in
> the sendmail directory.
>
> However, there is no Build script.
>
> Now what?
 

Looks like in FreeBSD you need to cd to /usr/src/usr/sbin/sendmail
and run make install after applying the patch from sendmail.org
Then restart sendmail.

Is there a way to test that the vulnerability has been fixed?




Re: Sendmail patch questions...

2003-03-03 Thread Terry Todd
On Mon, Mar 03, 2003 at 09:15:05PM -0600, Terry Todd wrote:
> On Mon, Mar 03, 2003 at 08:53:26PM -0600, Terry Todd wrote:
>> On Mon, Mar 03, 2003 at 05:49:50PM -0600, Mike Loiterman wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Just applied the patch to /usr/src/contrib/sendmail/src
>>>
>>> I'm running sendmail 8.11.6
>>>
>>>
>>> 1.  Is this the correct location for the patch?
>>> 2.  Do I need to do a `make world' or can I just do a make install from with the
>>> /usr/src/contrib/sendmail directory and restart sendmail?
>>>
>>> Thanks...
>>
>>
>> I'm also running 8.11.6.  I installed the correct patch from sendmail.org
>> but haven't figured out how to get it to compile.  The README says:
>>
>> *
>> !! DO NOT USE MAKE !!  in this directory to compile sendmail --
>> *  instead, use the Build script located in
>> the sendmail directory.
>>
>> However, there is no Build script.
>>
>> Now what?
>
> Looks like in FreeBSD you need to cd to /usr/src/usr/sbin/sendmail

Correction: cd /usr/src/usr.sbin/sendmail

> and run make install after applying the patch from sendmail.org
> Then restart sendmail.
>
> Is there a way to test that the vulnerability has been fixed?



RE: Sendmail patch questions...

2003-03-03 Thread Mike Loiterman
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, March 03, 2003 8:23 PM Giorgos Keramidas mailto:[EMAIL PROTECTED] wrote:

> On 2003-03-03 17:49, Mike Loiterman [EMAIL PROTECTED] wrote:
>> Just applied the patch to /usr/src/contrib/sendmail/src
>> I'm running sendmail 8.11.6
>
> What patch did you apply?
>
>> 1.  Is this the correct location for the patch?
>
> Depends on the patch.  If it's the one from www.sendmail.org for the
> 8.11.x versions of Sendmail, then yes... you applied it in the right
> part of the source tree.
>
>> 2.  Do I need to do a `make world' or can I just do a make install
>> from with the /usr/src/contrib/sendmail directory and restart
>> sendmail?
>
> It's probably better to do a full buildworld, to see if the patch
> breaks anything.  Note though that even if a buildworld succeeds,
> you're effectively trying to backport the fixes to an older,
> unsupported branch of development.  Without more testing it's not easy
> to answer questions like ``Will my Sendmail installation & setup work
> without any sort of problem afterwards?''
>
> - Giorgos
>
> PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
> maintainer of Sendmail on FreeBSD, has already merged the latest
> Sendmail version (8.12.8) to the RELENG_4 branch.

Hrmm

That seems like an awful lot of upgrading for one patch (upgrading to RELENG_4).  My
system is extremely stable and I'd hate to rock the boat for this tiny patch.  Seems
like there is a better chance of something `breaking' during a full system upgrade
rather than applying the patch and doing the buildworld.  I've only got about two
years of FreeBSD experience so I may be missing something.  I certainly welcome input
from more experienced admins.


- ---
Randomly Generated Quote:
Too much of a good thing is *wonderful*.

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: This message has been digitally signed by Mike Loiterman

iQA/AwUBPmQ/qmjZbUnRudGOEQLXAACgrKEH6WsraeCi7sEIZA93GgZQYa4AnjxX
vdGn4MpPwplQJXgK/FvZHTkR
=BiXb
-----END PGP SIGNATURE-----




Re: Sendmail patch questions...

2003-03-03 Thread Matthew Seaman
On Mon, Mar 03, 2003 at 09:15:05PM -0600, Terry Todd wrote:
>
> Is there a way to test that the vulnerability has been fixed?

As Claus Assmann posted over in freebsd-security, you can test that
your sendmail binary has been patched by:

% strings /usr/libexec/sendmail/sendmail | grep 'Dropped invalid comments from header address'

If that text is present in the binary, then you have a patched
version.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH, UK
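The two tests Matthew describes in this thread (running 8.12.8 or later, or the 'Dropped invalid comments from header address' string being present in the binary) can be scripted so an admin can run the same check over several hosts or after every rebuild. The script below is an added example written for this archive page; it is not code from the thread or from the FreeBSD or Sendmail projects. It assumes FreeBSD's binary location /usr/libexec/sendmail/sendmail and that `sendmail -d0.1 -bv root` prints a line beginning "Version 8.x.y"; the function names are the example's own. The marker check uses `grep -a` on the file rather than `strings | grep`, which gives the same answer without depending on binutils being installed.

```shell
#!/bin/sh
# Added example (not from the thread): check a sendmail binary against the two
# tests given above.
#   (1) the binary reports version 8.12.8 or later, or
#   (2) the string 'Dropped invalid comments from header address' is in it.
# Assumptions (this example's, not the thread's): FreeBSD keeps the binary at
# /usr/libexec/sendmail/sendmail, and "sendmail -d0.1 -bv root" prints a line
# starting "Version 8.x.y".
#
# Usage: sh check_sendmail.sh [/path/to/sendmail]
#        exit status 0 = patched by one of the two tests, 1 = no evidence.

MARKER='Dropped invalid comments from header address'
DEFAULT_BIN=/usr/libexec/sendmail/sendmail

# vfield VERSION N: the N-th dot-separated component of VERSION, or 0 if absent.
vfield() {
    f=$(printf '%s\n' "$1" | cut -d. -f"$2")
    printf '%s\n' "${f:-0}"
}

# ver_ge A B: exit 0 when dotted version A is >= B, comparing up to three
# numeric components (so 8.11.6 < 8.12.8 < 8.13.0 < 9.0).
ver_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vfield "$1" "$i")
        b=$(vfield "$2" "$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# has_marker PATH: exit 0 when the fix's diagnostic string is inside the file.
# grep -a scans a binary as text (GNU, BSD and busybox grep all accept it);
# -F matches the literal string; -q prints nothing either way.
has_marker() {
    grep -a -F -q "$MARKER" "$1"
}

# sendmail_version PATH: print the version the binary reports, or nothing.
# -d0.1 makes sendmail print its banner; -bv root keeps it from delivering
# anything. A missing or non-executable file simply yields an empty string.
sendmail_version() {
    "$1" -d0.1 -bv root 2>&1 | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_binary PATH [VERSION]: exit 0 when either test passes. VERSION may be
# supplied by the caller (e.g. from a package database); otherwise the binary
# itself is asked. One line is printed saying which test decided.
check_binary() {
    path=$1
    ver=${2:-$(sendmail_version "$path")}
    if [ -n "$ver" ] && ver_ge "$ver" 8.12.8; then
        echo "$path: version $ver is 8.12.8 or later: patched"
        return 0
    fi
    if has_marker "$path"; then
        echo "$path: fix marker string present: patched"
        return 0
    fi
    echo "$path: no evidence of the fix (version '${ver:-unknown}', marker absent)"
    return 1
}

# Only run the check when invoked with a path argument; sourcing the file for
# its functions does nothing. Pass "$DEFAULT_BIN" for the stock FreeBSD location.
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```

Passing the version explicitly (second argument) is useful on a host where you would rather not execute the binary under test, for instance when checking a copy pulled from a backup; the marker test alone still runs over the file in that case. Note that the version test only says something about what the binary reports, while the marker test looks at what was actually compiled in, which is why the second is the more reliable of the two for a locally patched 8.11.x build.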
