Upgrade if you use sendmail 8.12
-suresh
_____________________________________________
From: Claus Assmann <[EMAIL PROTECTED]>
Newsgroups: comp.mail.sendmail
Subject: sendmail 8.12.1 available
Date: 2 Oct 2001 10:33:18 +0100
Organization: Daresbury Laboratory, Warrington, U.K.
Message-ID: <9pc1ku$qth$[EMAIL PROTECTED]>
-----BEGIN PGP SIGNED MESSAGE-----
Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.1.
A potential security problem has been uncovered in 8.12.0 which might
be exploited locally by malicious users to gain access to the client
mail queue. However, as long as the MTA accepts local connections,
the possible consequences of this potential local exploit are small.
Notice: some operating systems don't provide a way to completely drop
privileges from a set-group-ID program. In that case sendmail refuses
to run if unsafe options are given. The program test/t_dropgid.c can
be used to test which calls work on an operating system. This program
shows that recent versions of FreeBSD and NetBSD are not vulnerable
in their standard configuration. However, to be sure please run the
test on your system to decide whether you need to upgrade.
sendmail 8.12.1 also fixes a few other small problems found in 8.12.0,
as listed in the RELEASE NOTES attached below.
The version can be found at
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.sig
MD5 signatures:
0c3c0442c138d5b00a48ca48d95a71eb sendmail.8.12.1.tar.gz
69bee71f4c021f3e948b09afb69458f2 sendmail.8.12.1.tar.Z
1e89d89a8c7907580ac28321a914cf5a sendmail.8.12.1.tar.gz.sig
You only need one of the first two files (either the gzip'ed version or the
compressed version). The .sig file contains the PGP signature of the tar
file (after uncompressing it). The PGP signature was created using the
Sendmail Signing Key/2001, available on the web site
(http://www.sendmail.org/) or on the public key servers.
Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1154 2001/09/27 18:01:26 ca Exp $
This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
8.12.1/8.12.1 2001/10/01
        SECURITY: Check whether dropping group privileges actually succeeded
                to avoid possible compromises of the mail system by
                supplying bogus data. Add configuration options for
                different set*gid() calls to reset saved gid. Problem
                found by Michal Zalewski.
        PRIVACY: Prevent information leakage when sendmail has extra
                privileges by disabling debugging (command line -d flag)
                during queue runs and disabling ETRN when sendmail -bs is
                used. Suggested by Michal Zalewski.
        Avoid memory corruption problems resulting from bogus .cf files.
                Problem found by Michal Zalewski.
        Set the ${server_addr} macro to name of mailer when doing LMTP
                delivery. LMTP systems may offer SMTP Authentication or
                STARTTLS causing sendmail to use this macro in rulesets.
        If debugging is turned on (-d0.10) print not just the default
                values for configuration file and pid file but also the
                selected values. Problem noted by Brad Chapman.
        Continue dealing with broken nameservers by ignoring SERVFAIL
                errors returned on T_AAAA (IPv6) lookups at delivery time
                if ResolverOptions=WorkAroundBrokenAAAA is set. Previously
                this only applied to hostname canonification. Problem
                noted by Bill Fenner of AT&T Research.
        Ignore comments in NIS host records when trying to find the
                canonical name for a host.
        When sendmail has extra privileges, limit mail submission command
                line flags (i.e., -G, -h, -F, etc.) to mail submission
                operating modes (i.e., -bm, -bs, -bv, etc.). Idea based on
                suggestion from Michal Zalewski.
        Portability:
                AIX: Use `oslevel` if available to determine OS version.
                        `uname` does not give complete information.
                        Problem noted by Keith Neufeld of the Cessna
                        Aircraft Company.
                OpenUNIX: Use lockf() for LDA delivery (affects mail.local).
                        Problem noticed by Boyd Lynn Gerber of ZENEX.
                Avoid compiler warnings by not using pointers to pass
                        integers. Problem noted by Todd C. Miller of
                        Courtesan Consulting.
        CONFIG: Add restrictqrun to PrivacyOptions for the MSP to minimize
                problems with potential misconfigurations.
        CONFIG: Fix comment showing default value of MaxHopCount. Problem
                noted by Greg Robinson of the Defence Science and
                Technology Organisation of Australia.
        CONFIG: dnsbl: If an argument specifies an error message in case
                of temporary lookup failures for DNS based blacklists
                then use it.
        LIBMILTER: Install mfdef.h, required by mfapi.h. Problem noted by
                Richard A. Nelson of Debian.
        LIBMILTER: Add __P definition for OS that lack it. Problem noted
                by Chris Adams from HiWAAY Informations Services.
        LIBSMDB: Fix a lock race condition that affects makemap, praliases,
                and vacation.
        MAKEMAP: Avoid going beyond the end of an input line if it does
                not contain a value for a key. Based on patch from
                Mark Bixby from Hewlett-Packard.
        New Files:
                test/Build
                test/Makefile
                test/Makefile.m4
                test/README
                test/t_dropgid.c
                test/t_setgid.c
        Deleted Files:
                include/sm/stdio.h
                include/sm/sysstat.h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBO7iLxjgi20fMN08tAQEYCAP9GSJJqarjIQs8fo+gjEehKdKdPRp+szY0
N/2iDhgtj8oJS73P3Lf/iUOnocj8X1nT1BHKs5yGFDtS3iWlh6IeeIg6NYu/HCcR
/vno8Hs2sgPazgNCbraS+5f+HRmqMGkguEu+GQFT3uMTrx1RELpL0E4ypdZUAoxX
BEwDRxsqawE=
=QxgK
-----END PGP SIGNATURE-----
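The announcement's notice about set-group-ID programs and the 8.12.1 SECURITY entry ("check whether dropping group privileges actually succeeded", with per-OS choices among the set*gid() calls) describe one defensive pattern: never trust the return value of a privilege-dropping call, read the credentials back and prove the old gid cannot be regained. The program below is an added example written for this page, not sendmail's own test/t_dropgid.c, and the names drop_gid_checked, gid_drop_is_effective, gid_can_be_regained and the enum values are this example's own. It assumes POSIX set*gid() semantics (setresgid() only where Linux or the BSDs provide it) and probes each call in a forked child so that one probe cannot contaminate the next.

```c
/* Added example: verify that a group-privilege drop really happened.
   Not sendmail code; the helper names and result codes are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

enum drop_method { USE_SETGID, USE_SETEGID, USE_SETREGID, USE_SETRESGID };
enum drop_result { DROP_OK = 0, DROP_CALL_FAILED, DROP_NOT_EFFECTIVE, DROP_REGAINABLE };

static const char *method_name(enum drop_method m)
{
    switch (m) {
    case USE_SETGID:    return "setgid";
    case USE_SETEGID:   return "setegid";
    case USE_SETREGID:  return "setregid";
    case USE_SETRESGID: return "setresgid";
    }
    return "?";
}

const char *drop_result_name(enum drop_result r)
{
    switch (r) {
    case DROP_OK:            return "dropped and verified";
    case DROP_CALL_FAILED:   return "set*gid() call failed";
    case DROP_NOT_EFFECTIVE: return "call returned 0 but gids did not change";
    case DROP_REGAINABLE:    return "saved gid can be regained: NOT dropped";
    }
    return "unknown";
}

/* Step 1: issue the chosen set*gid() call. 0 on success, -1 with errno on failure. */
static int set_gid_by(enum drop_method m, gid_t target)
{
    switch (m) {
    case USE_SETGID:   return setgid(target);
    case USE_SETEGID:  return setegid(target);           /* effective gid only */
    case USE_SETREGID: return setregid(target, target);  /* real + effective */
    case USE_SETRESGID:
#if defined(__linux__) || defined(__FreeBSD__) || defined(__OpenBSD__)
        return setresgid(target, target, target);        /* real + effective + saved */
#else
        errno = ENOSYS; return -1;
#endif
    }
    errno = EINVAL; return -1;
}

/* Step 2: read the credentials back; both real and effective gid must be 'target'. */
int gid_drop_is_effective(gid_t target)
{
    return getgid() == target && getegid() == target;
}

/* Step 3 (probe only, as in a test program): if the old gid still lingers as the
   saved set-group-ID, setgid() back to it succeeds and the drop was cosmetic. */
int gid_can_be_regained(gid_t saved)
{
    return setgid(saved) == 0 && getegid() == saved;
}

/* Drop to 'target' via method 'm' and verify. 'saved' is the privileged gid the
   program started with; pass 'target' itself when there is nothing to regain. */
enum drop_result drop_gid_checked(enum drop_method m, gid_t target, gid_t saved)
{
    if (set_gid_by(m, target) != 0)
        return DROP_CALL_FAILED;
    if (!gid_drop_is_effective(target))
        return DROP_NOT_EFFECTIVE;
    if (saved != target && gid_can_be_regained(saved))
        return DROP_REGAINABLE;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    /* Target gid from argv[1]; when run unprivileged, fall back to our own real gid. */
    gid_t target = (argc > 1) ? (gid_t)strtoul(argv[1], NULL, 10) : getgid();
    gid_t saved = getegid();  /* what a set-group-ID binary starts with */
    enum drop_method methods[] = { USE_SETGID, USE_SETEGID, USE_SETREGID, USE_SETRESGID };
    size_t i;

    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        fflush(stdout);
        pid_t pid = fork();   /* each probe mutates credentials: isolate it */
        if (pid == 0) {
            enum drop_result r = drop_gid_checked(methods[i], target, saved);
            printf("%-10s -> %s\n", method_name(methods[i]), drop_result_name(r));
            fflush(stdout);
            _exit((int)r);
        }
        if (pid > 0) waitpid(pid, NULL, 0); else perror("fork");
    }
    return 0;
}
```

Run it unprivileged and every call reports "dropped and verified" because there is no saved gid to regain; installed set-group-ID to a test group and run by an ordinary user, a call that leaves the saved set-group-ID untouched shows up as "NOT dropped", which is the condition the 8.12.1 check refuses to run under.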
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help