OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   30-Mar-2003 13:48:16
  Branch: HEAD                             Handle: 2003033012481500

  Modified files:
    openpkg-web/security    OpenPKG-SA-2003.027-sendmail.txt

  Log:
    more polishing and inclusion of discloser's name

  Summary:
    Revision    Changes     Path
    1.4         +20 -17     openpkg-web/security/OpenPKG-SA-2003.027-sendmail.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.027-sendmail.txt
  ============================================================================
  $ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2003.027-sendmail.txt
  --- openpkg-web/security/OpenPKG-SA-2003.027-sendmail.txt     30 Mar 2003 11:34:12 
-0000      1.3
  +++ openpkg-web/security/OpenPKG-SA-2003.027-sendmail.txt     30 Mar 2003 11:48:15 
-0000      1.4
  @@ -18,24 +18,26 @@
   Dependent Packages:  none
   
   Description:
  -  According to a message on BugTraq [1], a buffer overflow vulnerability
  -  exists in all version of the Sendmail MTA [0] earlier than 8.12.9.
  -  Attackers may remotely exploit this vulnerability to gain "root"
  -  or superuser control of any vulnerable Sendmail server. The Common
  -  Vulnerabilities and Exposures (CVE) project assigned the id
  -  CAN-2003-0161 [2] to the problem.
  +  Michal Zalewski discovered [1] a confirmed [2] buffer overflow
  +  vulnerability in all version of the Sendmail [0] MTA earlier than
  +  8.12.9. The mail address parser performs insufficient bounds checking
  +  in certain conditions due to a data type conversion, making it
  +  possible for an attacker to take control of the application. Attackers
  +  may remotely exploit this vulnerability to gain "root" access of any
  +  vulnerable Sendmail server. The Common Vulnerabilities and Exposures
  +  (CVE) project assigned the id CAN-2003-0161 [3] to the problem.
   
     Please check whether you are affected by running "<prefix>/bin/rpm
     -q sendmail". If you have the "sendmail" package installed and its
     version is affected (see above), we recommend that you immediately
     upgrade it (see Solution) and it's dependent packages (see above), if
  -  any, too. [3][4]
  +  any, too. [4][5]
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
  -  [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
  -  verify its integrity [7], build a corresponding binary RPM from it [3]
  -  and update your OpenPKG installation by applying the binary RPM [4].
  +  [6], fetch it from the OpenPKG FTP service [7] or a mirror location,
  +  verify its integrity [8], build a corresponding binary RPM from it [4]
  +  and update your OpenPKG installation by applying the binary RPM [5].
     For the current release OpenPKG 1.2, perform the following operations
     to permanently fix the security problem (for other releases adjust
     accordingly).
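Review bot: the affected-version statement and the self-check contradict the fix that the Solution points to. The new description says "all version of the Sendmail [0] MTA earlier than 8.12.9" (should read "all versions"), and the unchanged context tells the reader to run "<prefix>/bin/rpm -q sendmail" and compare the version "(see above)", yet the updated source RPM listed in the References is sendmail-8.12.7-1.2.2.src.rpm. A reader who has already applied the update will see 8.12.7 reported by rpm and conclude they are still vulnerable. Suggest stating explicitly in the Description or Solution that the OpenPKG package keeps the 8.12.7 base version and that the fix is carried in release 1.2.2, so the check is "version older than 8.12.7-1.2.2", not "older than 8.12.9". Minor, in the same hunk: the unchanged line "and it's dependent packages (see above)" should be "its dependent packages".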
  @@ -53,13 +55,14 @@
   
   References:
     [0] http://www.sendmail.org/
  -  [1] http://www.securityfocus.com/archive/1/316760/2003-03-26/2003-04-01/0
  -  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
  -  [3] http://www.openpkg.org/tutorial.html#regular-source
  -  [4] http://www.openpkg.org/tutorial.html#regular-binary
  -  [5] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.2.src.rpm
  -  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
  -  [7] http://www.openpkg.org/security.html#signature
  +  [1] http://lists.netsys.com/pipermail/full-disclosure/2003-March/008973.html
  +  [2] http://www.securityfocus.com/archive/1/316760/2003-03-26/2003-04-01/0
  +  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
  +  [4] http://www.openpkg.org/tutorial.html#regular-source
  +  [5] http://www.openpkg.org/tutorial.html#regular-binary
  +  [6] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.2.src.rpm
  +  [7] ftp://ftp.openpkg.org/release/1.2/UPD/
  +  [8] http://www.openpkg.org/security.html#signature
   ________________________________________________________________________
   
   For security reasons, this advisory was digitally signed with the
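Review bot: inserting the new [1] shifts every later reference index by one, and only the citations inside the two hunks shown here ([3] for the CVE id, [4][5] for the tutorial, [6]/[7]/[8] in Solution) were updated. The advisory lines between the hunks (old lines 42-52, the "perform the following operations" block in Solution) are not part of this diff, so please confirm that no inline [n] citation there still uses the old numbering before the advisory is re-signed, since a stale [5] would now point at the binary-build tutorial instead of the source RPM.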
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]