Re: Sendmail security problem
On Fri, 24 Mar 2006, Joachim Schipper wrote:
> On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
> > On 2006/03/24 14:12, Alexander Bochmann wrote:
> > > ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> > > > P gnu/usr.sbin/sendmail/libsm/refill.c
> > > > P gnu/usr.sbin/sendmail/sendmail/collect.c
> > > > P gnu/usr.sbin/sendmail/sendmail/conf.c
> > > > P gnu/usr.sbin/sendmail/sendmail/deliver.c
> > > > P gnu/usr.sbin/sendmail/sendmail/headers.c
> > > > P gnu/usr.sbin/sendmail/sendmail/mime.c
> > > > P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
> > > > P gnu/usr.sbin/sendmail/sendmail/savemail.c
> > > > P gnu/usr.sbin/sendmail/sendmail/sendmail.h
> > > > P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
> > > > P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
> > > > P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
> > > > P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
> > > > P gnu/usr.sbin/sendmail/sendmail/util.c
>
> I am pretty certain a fix was imported for 3.7-stable, too.

Yep. Why was there no Security Advisory or entry in the Daily Changelog
for this? There's an errata entry, but no announcement =/

~BAS

> Joachim
Re: Sendmail security problem
On Friday, 24 March 2006 at 14:12:44 +0100, Alexander Bochmann wrote:
> Replacing OpenBSD's sendmail with sendmail.org's version is a non-issue
> (as in just works) on any OpenBSD version which ships >= 8.12.

Do you mind sharing the instructions on how to replace OpenBSD's sendmail
with sendmail.org's 8.13.6?

TIA,
Re: Sendmail security problem
Zoong PHAM wrote:
> Do you mind sharing the instructions on how to replace OpenBSD's
> sendmail with sendmail.org's 8.13.6?

Just forget about that administration nightmare and go either -stable or
-current. Not sure whether this warrants an errata entry (too much hype
for my taste), but if it does, there'll be a patch there eventually, too.

Moritz
Possible systrace evidence [Was: Re: Sendmail security problem]
On Fri, 2006-03-24 at 14:14 +, Stuart Henderson wrote:
> The patch is in 3.8-stable now, and -current has 8.13.6, so people
> following either of these just need to update.

I run sendmail under systrace (OpenBSD 3.8) and a couple of weeks ago
(sometime after the exploit was initially reported) I started getting
this in my logs:

Mar 13 13:29:15 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, pid: 24218(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-connect(98)

Admittedly, not much to go on. Normal mail was getting through fine, so I
didn't adjust my systrace policy, but instead decided to wait. I am very
particular about who and what sendmail can connect to, so I wasn't going
to just 'permit' all native-connect calls. After upgrading sendmail to
3.8 STABLE last night, systrace hasn't reported these errors again.

FYI...

Jamie Strandboge
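One way to keep an eye on systrace denials like the one above without permitting the syscall wholesale is to parse the deny lines and count them per program and syscall. This is an added example, not Jamie's or OpenBSD's code; the field order is taken from the single line quoted above, and all sample lines except that one are constructed.

```python
"""Parse OpenBSD systrace 'deny' syslog lines, in the shape quoted in the
post above, and count denials per (program, syscall) pair.
Added example, not from the post; the first sample line is the one from
the post, the others are constructed."""
import re
from collections import Counter

# Field order follows the single line quoted above; the two numbers that
# systrace prints after the pid are captured but not interpreted here.
SYSTRACE_DENY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) systrace: deny "
    r"user: (?P<user>[^,]+), prog: (?P<prog>[^,]+), "
    r"pid: (?P<pid>\d+)\((?P<n1>\d+)\)\[(?P<n2>\d+)\], "
    r"policy: (?P<policy>[^,]+), filters: (?P<filters>\d+), "
    r"syscall: (?P<syscall>[\w-]+)\((?P<sysnum>\d+)\)$"
)


def parse_deny(line):
    """Return the fields of a systrace deny line, or None for any other line."""
    m = SYSTRACE_DENY.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "n1", "n2", "filters", "sysnum"):
        rec[key] = int(rec[key])
    return rec


def summarise(lines):
    """Count denials per (prog, syscall); non-systrace lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            counts[(rec["prog"], rec["syscall"])] += 1
    return counts


SAMPLE_LOG = [
    # the line quoted in the post
    "Mar 13 13:29:15 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, "
    "pid: 24218(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-connect(98)",
    # constructed lines: an ordinary sendmail entry and two further denials
    "Mar 13 13:29:16 example sendmail[24218]: k2DCTGab024218: from=<user@example.org>, size=1024, nrcpts=1",
    "Mar 13 13:31:02 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, "
    "pid: 24301(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-connect(98)",
    "Mar 13 13:35:40 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, "
    "pid: 24390(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-execve(59)",
]
```

Feed `summarise()` the lines of /var/log/messages (or wherever syslog puts systrace output on your host) and a sudden new (prog, syscall) pair for a daemon whose policy has not changed is worth a look before relaxing the policy.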
Re: Sendmail security problem
Claus Assmann wrote:
> On Thu, Mar 23, 2006, Alexey E. Suslikov wrote:
> > All I know, sendmail.org says I can not patch versions below 8.13.5:
>
> That's wrong. See the 8.13.6 note: and 8.12 are available at our FTP
> site. However, note that those patches do not (cleanly) apply to
> versions other than 8.13.5 and 8.12.11, respectively, at least the
> patch for sendmail/version.c will fail, but that can be ignored.
> Moreover, these patches may not even work with older versions as there
> have been other changes before. That is, you can apply the patch and
> if only version.c fails, then you can give it a try. However,
> sendmail.org won't provide support for such a patched version.

What is wrong? Can you trust this patched version, if even sendmail.org
says these patches may not even work with older versions?
Re: Sendmail security problem
...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> I installed 8.13.6 last night from the source tar ball on two machines
> (one is OpenBSD 3.6, the other an old Linux box). Appears to be
> chugging along happily. Can't speak to the specific security issue
> though.

Replacing OpenBSD's sendmail with sendmail.org's version is a non-issue
(as in just works) on any OpenBSD version which ships >= 8.12.

If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc contains the
ENVDEFs to add to site.config.m4.

Alex.
Re: Sendmail security problem
On 2006/03/24 14:12, Alexander Bochmann wrote:
> ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> > I installed 8.13.6 last night from the source tar ball on two
> > machines (one is OpenBSD 3.6, the other an old Linux box). Appears
> > to be chugging along happily. Can't speak to the specific security
> > issue though.
>
> Replacing OpenBSD's sendmail with sendmail.org's version is a non-issue
> (as in just works) on any OpenBSD version which ships >= 8.12.
>
> If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc contains the
> ENVDEFs to add to site.config.m4.

The patch is in 3.8-stable now, and -current has 8.13.6, so people
following either of these just need to update.
Re: Sendmail security problem
On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
> On 2006/03/24 14:12, Alexander Bochmann wrote:
> > ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> > > I installed 8.13.6 last night from the source tar ball on two
> > > machines (one is OpenBSD 3.6, the other an old Linux box). Appears
> > > to be chugging along happily. Can't speak to the specific security
> > > issue though.
> >
> > Replacing OpenBSD's sendmail with sendmail.org's version is a
> > non-issue (as in just works) on any OpenBSD version which ships
> > >= 8.12.
> >
> > If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc contains
> > the ENVDEFs to add to site.config.m4.
>
> The patch is in 3.8-stable now, and -current has 8.13.6, so people
> following either of these just need to update.

I am pretty certain a fix was imported for 3.7-stable, too.

Joachim
Re: Sendmail security problem
On 2006-03-24 17:10:27 +0100, Joachim Schipper wrote:
> On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
> > The patch is in 3.8-stable now, and -current has 8.13.6, so people
> > following either of these just need to update.
>
> I am pretty certain a fix was imported for 3.7-stable, too.

Can we have an entry on http://www.openbsd.org/errata37.html, pretty
please? And AFAIK there is a mailing list for openbsd and security...

Best
Martin
--
http://www.tm.oneiros.de
Sendmail security problem
Raul Aldaz wrote:
> Any comment about this? (see sendmail.org).

All I know, sendmail.org says I can not patch versions below 8.13.5:

    If you cannot upgrade to 8.13.6, then you can apply a patch to
    8.13.5, or a patch for 8.12.11. Note: these patches do not apply
    cleanly to older versions; moreover, they may not even work properly
    due to other changes that have been made in the latest versions.
    Hence we strongly suggest all users of sendmail 8 to upgrade to
    sendmail 8.13.6.

So the fix is currently unknown for 3.8-stable with 8.13.4. Looks like we
need to wait for millert@'s work on the stable branches...

One way to fix 3.8-stable is to pull in 8.13.6 entirely, but anyway it
needs testing, as in the case of sendmail.org's patch: it is complex and
~70Kb long.
Re: Sendmail security problem
Alexey E. Suslikov wrote:
> Raul Aldaz wrote:
> > Any comment about this? (see sendmail.org).
>
> So the fix is currently unknown for 3.8-stable with 8.13.4. Looks like
> we need to wait for millert@'s work on the stable branches...
>
> One way to fix 3.8-stable is to pull in 8.13.6 entirely, but anyway it
> needs testing, as in the case of sendmail.org's patch: it is complex
> and ~70Kb long.

I installed 8.13.6 last night from the source tar ball on two machines
(one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging
along happily. Can't speak to the specific security issue though.

--
Anthony C Howe                                   Skype: SirWumpus
SnertSoft                  +33 6 11 89 73 78       AIM: SirWumpus
Sendmail Milter Solutions  http://www.snert.com/   ICQ: 7116561
http://www.snertsoft.com/
Re: Sendmail security problem
On Thu, Mar 23, 2006, Alexey E. Suslikov wrote:
> All I know, sendmail.org says I can not patch versions below 8.13.5:

That's wrong. See the 8.13.6 note: and 8.12 are available at our FTP site.
However, note that those patches do not (cleanly) apply to versions other
than 8.13.5 and 8.12.11, respectively, at least the patch for
sendmail/version.c will fail, but that can be ignored. Moreover, these
patches may not even work with older versions as there have been other
changes before. That is, you can apply the patch and if only version.c
fails, then you can give it a try. However, sendmail.org won't provide
support for such a patched version.
Sendmail security problem
Hi,

Any comment about this? (see sendmail.org).