Re: Sendmail security problem

2006-03-28 Thread Brian A. Seklecki

On Fri, 24 Mar 2006, Joachim Schipper wrote:


On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:

On 2006/03/24 14:12, Alexander Bochmann wrote:

...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:


P gnu/usr.sbin/sendmail/libsm/refill.c
P gnu/usr.sbin/sendmail/sendmail/collect.c
P gnu/usr.sbin/sendmail/sendmail/conf.c
P gnu/usr.sbin/sendmail/sendmail/deliver.c
P gnu/usr.sbin/sendmail/sendmail/headers.c
P gnu/usr.sbin/sendmail/sendmail/mime.c
P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
P gnu/usr.sbin/sendmail/sendmail/savemail.c
P gnu/usr.sbin/sendmail/sendmail/sendmail.h
P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
P gnu/usr.sbin/sendmail/sendmail/util.c



I am pretty certain a fix was imported for 3.7-stable, too.



Yep.

Why was there no Security Advisory or entry in the Daily Changelog for 
this?


There's an errata entry, but no announcement =/

~BAS


Joachim




Re: Sendmail security problem

2006-03-25 Thread Zoong PHAM
On Friday, 24 March 2006 at 14:12:44 +0100, Alexander Bochmann wrote:
 
 Replacing OpenBSD's sendmail with sendmail.org's version
 is a non-issue (as in just works) on any OpenBSD version
 which ships >= 8.12.

Do you mind sharing the instructions for how to replace OpenBSD's
sendmail with sendmail.org's 8.13.6?

TIA,



Re: Sendmail security problem

2006-03-25 Thread Moritz Grimm

Zoong PHAM wrote:

Do you mind sharing the instructions for how to replace OpenBSD's
sendmail with sendmail.org's 8.13.6?


Just forget about that administration nightmare and go either -stable or
-current. Not sure whether this warrants an errata entry (too much hype
for my taste), but if it does, there'll be a patch there eventually, too.



Moritz



Possible systrace evidence [Was: Re: Sendmail security problem]

2006-03-25 Thread James Strandboge
On Fri, 2006-03-24 at 14:14 +, Stuart Henderson wrote:

 The patch is in 3.8-stable now, and -current has 8.13.6, so
 people following either of these just need to update.
 

I run sendmail under systrace (OpenBSD 3.8) and a couple of weeks ago
(sometime after the exploit was initially reported) I started getting
this in my logs:

Mar 13 13:29:15 example systrace: deny user: root,
prog: /usr/libexec/sendmail/sendmail, pid: 24218(1)[21120],
policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall:
native-connect(98)

Admittedly, not much to go on.  Normal mail was getting through fine, so
I didn't adjust my systrace policy, but instead decided to wait.  I am
very particular about who and what sendmail can connect to, so I wasn't
going to just 'permit' all native-connect calls.  After upgrading sendmail
to 3.8 STABLE last night, systrace hasn't reported these errors again.

FYI...

Jamie Strandboge
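As an added example (not part of Jamie's post, and not systrace's own tooling), a small Python parser that re-joins systrace deny lines wrapped the way the one above was, and counts denied syscalls per program so that a new (program, syscall) pair stands out against the denies an administrator already knows about. The log entries are constructed from the format shown above.

```python
import re
from collections import Counter

# Constructed sample (not from the post): two systrace deny entries in the
# mail-wrapped form shown above, both for the same connect() denial.
SAMPLE_LOG = """\
Mar 13 13:29:15 example systrace: deny user: root,
prog: /usr/libexec/sendmail/sendmail, pid: 24218(1)[21120],
policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall:
native-connect(98)
Mar 13 13:31:02 example systrace: deny user: root,
prog: /usr/libexec/sendmail/sendmail, pid: 24301(1)[21120],
policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall:
native-connect(98)
"""

ENTRY_START = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) systrace: (\w+) ")
FIELD = re.compile(r"(user|prog|pid|policy|filters|syscall): ([^,]+?)(?:,|$)")

def join_entries(text):
    """Re-join entries that the mailer wrapped; a new entry starts at a timestamp."""
    entries, cur = [], []
    for line in text.splitlines():
        if ENTRY_START.match(line) and cur:
            entries.append(" ".join(cur))
            cur = []
        cur.append(line.strip())
    if cur:
        entries.append(" ".join(cur))
    return entries

def parse_entry(entry):
    """Split one joined entry into its named fields."""
    m = ENTRY_START.match(entry)
    rec = {"timestamp": m.group(1), "host": m.group(2), "action": m.group(3)}
    rec.update((k, v.strip()) for k, v in FIELD.findall(entry[m.end():]))
    return rec

def deny_summary(text):
    """Count denied syscalls per (program, syscall name), number suffix stripped."""
    counts = Counter()
    for rec in map(parse_entry, join_entries(text)):
        if rec["action"] == "deny":
            counts[(rec["prog"], rec["syscall"].split("(")[0])] += 1
    return counts

def unexpected_denies(text, known_noise):
    """Denied (program, syscall) pairs not in the set an admin already accepts."""
    return {k: v for k, v in deny_summary(text).items() if k not in known_noise}
```

Feeding a day's /var/log/messages through `unexpected_denies` with the known set kept in version control gives a cheap daily diff of what a confined daemon newly tried to do.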



Re: Sendmail security problem

2006-03-24 Thread Alexey E. Suslikov

Claus Assmann wrote:


On Thu, Mar 23, 2006, Alexey E. Suslikov wrote:



All I know, sendmail.org says I can not patch versions below
8.13.5:



That's wrong. See the 8.13.6 note:

   and 8.12 are available at our FTP site. However, note that those
   patches do not (cleanly) apply to versions other than 8.13.5 and
   8.12.11, respectively, at least the patch for sendmail/version.c will
   fail, but that can be ignored. Moreover, these patches may not even
   work with older versions as there have been other changes before.

That is, you can apply the patch and if only version.c fails,
then you can give it a try. However, sendmail.org won't provide
support for such a patched version.


What's wrong?

Can you trust this patched version, if even sendmail.org says these
patches may not even work with older versions?



Re: Sendmail security problem

2006-03-24 Thread Alexander Bochmann
...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:

  I installed 8.13.6 last night from the source tar ball on two machines 
  (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging 
  along happily. Can't speak to the specific security issue though.

Replacing OpenBSD's sendmail with sendmail.org's version
is a non-issue (as in just works) on any OpenBSD version
which ships >= 8.12.

If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc 
contains the ENVDEFs to add to site.config.m4.

Alex.



Re: Sendmail security problem

2006-03-24 Thread Stuart Henderson
On 2006/03/24 14:12, Alexander Bochmann wrote:
 ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
 
   I installed 8.13.6 last night from the source tar ball on two machines 
   (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging 
   along happily. Can't speak to the specific security issue though.
 
 Replacing OpenBSD's sendmail with sendmail.org's version
 is a non-issue (as in just works) on any OpenBSD version
 which ships >= 8.12.
 
 If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc 
 contains the ENVDEFs to add to site.config.m4.

The patch is in 3.8-stable now, and -current has 8.13.6, so
people following either of these just need to update.



Re: Sendmail security problem

2006-03-24 Thread Joachim Schipper
On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
 On 2006/03/24 14:12, Alexander Bochmann wrote:
  ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
  
I installed 8.13.6 last night from the source tar ball on two machines 
(one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging 
along happily. Can't speak to the specific security issue though.
  
  Replacing OpenBSD's sendmail with sendmail.org's version
  is a non-issue (as in just works) on any OpenBSD version
  which ships >= 8.12.
  
  If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc 
  contains the ENVDEFs to add to site.config.m4.
 
 The patch is in 3.8-stable now, and -current has 8.13.6, so
 people following either of these just need to update.

I am pretty certain a fix was imported for 3.7-stable, too.

Joachim



Re: Sendmail security problem

2006-03-24 Thread Martin Schröder
On 2006-03-24 17:10:27 +0100, Joachim Schipper wrote:
 On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
  The patch is in 3.8-stable now, and -current has 8.13.6, so
  people following either of these just need to update.
 
 I am pretty certain a fix was imported for 3.7-stable, too.

Can we have an entry on http://www.openbsd.org/errata37.html,
pretty please?

And AFAIK there is a mailing list for openbsd and security...


Best
Martin
-- 
http://www.tm.oneiros.de



Sendmail security problem

2006-03-23 Thread Alexey E. Suslikov

Raul Aldaz wrote:


Any comment about this? (see sendmail.org).


All I know is that sendmail.org says I cannot patch versions below
8.13.5:

If you cannot upgrade to 8.13.6, then you can apply a patch
to 8.13.5, or a patch for 8.12.11. Note: these patches do not
apply cleanly to older versions; moreover, they may not even
work properly due to other changes that have been made in the
latest versions. Hence we strongly suggest all users of
sendmail 8 to upgrade to sendmail 8.13.6.

So a fix is currently unknown for 3.8-stable with 8.13.4. Looks
like we need to wait for millert@'s work for the stable branches...

One way to fix 3.8-stable is to pull in 8.13.6 entirely, but
either way it needs testing, as in the case of sendmail.org's patch:
it is complex and ~70 KB long.



Re: Sendmail security problem

2006-03-23 Thread Anthony Howe

Alexey E. Suslikov wrote:

Raul Aldaz wrote:


Any comment about this? (see sendmail.org).



So a fix is currently unknown for 3.8-stable with 8.13.4. Looks
like we need to wait for millert@'s work for the stable branches...

One way to fix 3.8-stable is to pull in 8.13.6 entirely, but
either way it needs testing, as in the case of sendmail.org's patch:
it is complex and ~70 KB long.


I installed 8.13.6 last night from the source tar ball on two machines 
(one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging 
along happily. Can't speak to the specific security issue though.


--
Anthony C Howe          Skype: SirWumpus    SnertSoft
+33 6 11 89 73 78       AIM: SirWumpus      Sendmail Milter Solutions
http://www.snert.com/   ICQ: 7116561        http://www.snertsoft.com/



Re: Sendmail security problem

2006-03-23 Thread Claus Assmann
On Thu, Mar 23, 2006, Alexey E. Suslikov wrote:

 All I know is that sendmail.org says I cannot patch versions below
 8.13.5:

That's wrong. See the 8.13.6 note:

   and 8.12 are available at our FTP site. However, note that those
   patches do not (cleanly) apply to versions other than 8.13.5 and
   8.12.11, respectively, at least the patch for sendmail/version.c will
   fail, but that can be ignored. Moreover, these patches may not even
   work with older versions as there have been other changes before.

That is, you can apply the patch and if only version.c fails,
then you can give it a try. However, sendmail.org won't provide
support for such a patched version.



Sendmail security problem

2006-03-22 Thread Raul Aldaz
Hi,

Any comment about this? (see sendmail.org).



