>Subject: FW: SENDMAIL SECURITY ALERT
>Date: Mon, 3 Mar 2003 14:47:42 -0600
>
>SECURITY ALERT
>
>Today Internet Security Systems and the Sendmail Consortium announced
>the discovery of a security vulnerability in the sendmail mail transfer
>agent.
>
>This vulnerability is serious, and Sendmail, Inc. urges customers to
>apply the supplied security patch as soon as possible.
>
>The vulnerability derives from a potential buffer overflow in sendmail's
>header handling code. In a worst-case scenario, the vulnerability
>provides the ability for an attacker to remotely gain root access to the
>targeted system.
>
>While there have been no known exploits of this vulnerability to this
>point, we believe that unpatched systems could become exploitable very
>soon. For that reason we are immediately providing software patches for
>the following releases of Sendmail's commercial products. These include:
>
>Sendmail Switch 3.0.x on Solaris, Linux, and AIX
>Sendmail Switch 2.2.x on Solaris, Linux, AIX, Windows NT/2000 and S390 Linux
>Sendmail Switch 2.1.x on HP-UX
>Sendmail Switch 2.2.xJ on Windows NT/2000
>Sendmail Advanced Message Server 1.2 on Solaris, Linux, AIX, and S390 Linux
>Sendmail Advanced Message Server 1.3 on Windows 2000
>Sendmail for NT Version 3.x
>
>You may download the patch from the following URL:
>
>
>http://www.sendmail.com/support/download/
>
>We have provided MD5 checksums at the end of this message to assist you
>in validating the integrity of the downloaded patches.
>
>
>More information on this vulnerability and the fix in Sendmail's
>commercial products is available by visiting Sendmail's security
>information page at:
>
>http://www.sendmail.com/security/
>
>More information on this vulnerability and the fix in Open Source
>sendmail is available from the Sendmail Consortium's Web site at:
>
>http://www.sendmail.org/
>
>The original ISS announcement can be found on ISS's Web site at
>
>http://www.iss.net/
>
>--------
>
>Checksums
>
>Verifying the MD5 Checksum
>After you have downloaded the package, you should check if the MD5
>checksum matches the one provided at the end of this email. Each file
>has an individual checksum that you can verify with the following
>command:
>
>shell> md5sum <filename>
>
>Note that not all operating systems support the md5sum command - on
>some it is simply called md5, others do not ship it at all. On Linux, it
>is part of the GNU Text Utilities package, which is available for a wide
>range of platforms. You can download the source code from
>http://www.gnu.org/software/textutils/ as well. If you have OpenSSL
>installed, you can also use the command openssl md5 <package> instead. A
>DOS/Windows implementation of the md5 command is available from
>http://www.fourmilab.ch/md5/.
>
>You should check if the resulting checksum matches the one provided in
>this email to the left of the respective filename:
>
>