OpenPKG-SA-2003.037-sendmail.txt

Ralf S. Engelschall Thu, 28 Aug 2003 08:35:32 +0000

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________


  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   28-Aug-2003 10:34:45
  Branch: HEAD                             Handle: 2003082809344400

  Modified files:
    openpkg-web/security    OpenPKG-SA-2003.037-sendmail.txt

  Log:
    final polishing, bugfixing and signing

  Summary:
    Revision    Changes     Path
    1.2         +19 -20     openpkg-web/security/OpenPKG-SA-2003.037-sendmail.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.037-sendmail.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.037-sendmail.txt
  --- openpkg-web/security/OpenPKG-SA-2003.037-sendmail.txt     26 Aug 2003 10:24:18 
-0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.037-sendmail.txt     28 Aug 2003 08:34:44 
-0000      1.2
  @@ -6,28 +6,27 @@
   OpenPKG Security Advisory                            The OpenPKG Project
   http://www.openpkg.org/security.html              http://www.openpkg.org
   [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  -OpenPKG-SA-SA-2003.037                                       26-Aug-2003
  +OpenPKG-SA-SA-2003.037                                       28-Aug-2003
   ________________________________________________________________________
   
   Package:             sendmail
  -Vulnerability:       denial of service
  +Vulnerability:       Denial of Service
   OpenPKG Specific:    no
   
  -Affected Releases:   Affected Packages:          Corrected Packages:
  -OpenPKG CURRENT      none                        N.A.
  -OpenPKG 1.3          none                        N.A.
  -OpenPKG 1.2          <= sendmail-8.12.7-1.2.2    >= sendmail-8.12.7-1.2.3
  +Affected Releases:   Affected Packages:        Corrected Packages:
  +OpenPKG CURRENT      none                      N.A.
  +OpenPKG 1.3          none                      N.A.
  +OpenPKG 1.2          <= sendmail-8.12.7-1.2.2  >= sendmail-8.12.7-1.2.3
   
   Dependent Packages:  none
   
   Description:
  -  Oleg Bulyzhin discovered [1] a confirmed [2] denial of service
  -  vulnerability in all version of the Sendmail [0] MTA earlier than
  -  8.12.9. In dns_free_data() sendmail tries to free an allocated chain
  -  of structures: it's going through chain using rr_next pointer and
  -  stops when rr_next == NULL. Garbage in the rr_next field then causes
  -  sendmail to call free() on random addresses. This usually causes
  -  sendmail to crash.
  +  Oleg Bulyzhin reported to FreeBSD [1] a confirmed [2] Denial of
  +  Service (DoS) vulnerability in all version of the Sendmail MTA [0]
  +  earlier than 8.12.9. Due to a wrong initialization of an internal
  +  structure, if Sendmail gets a bad DNS reply (with actual reply size
  +  not equal the announced reply size), it later calls free() on a random
  +  address. This usually cause Sendmail to crash.
   
     Please check whether you are affected by running "<prefix>/bin/rpm
     -q sendmail". If you have the "sendmail" package installed and its
  @@ -39,13 +38,13 @@
     [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
     verify its integrity [7], build a corresponding binary RPM from it [3]
     and update your OpenPKG installation by applying the binary RPM [4].
  -  For the current release OpenPKG 1.3, perform the following operations
  +  For the affected release OpenPKG 1.2, perform the following operations
     to permanently fix the security problem (for other releases adjust
     accordingly).
   
     $ ftp ftp.openpkg.org
     ftp> bin
  -  ftp> cd release/1.3/UPD
  +  ftp> cd release/1.2/UPD
     ftp> get sendmail-8.12.7-1.2.3.src.rpm
     ftp> bye
     $ <prefix>/bin/rpm -v --checksig sendmail-8.12.7-1.2.3.src.rpm
  @@ -60,8 +59,8 @@
     [2] http://www.sendmail.org/dnsmap1.html
     [3] http://www.openpkg.org/tutorial.html#regular-source
     [4] http://www.openpkg.org/tutorial.html#regular-binary
  -  [5] ftp://ftp.openpkg.org/release/1.3/UPD/sendmail-8.12.7-1.2.3.src.rpm
  -  [6] ftp://ftp.openpkg.org/release/1.3/UPD/
  +  [5] ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.3.src.rpm
  +  [6] ftp://ftp.openpkg.org/release/1.2/UPD/
     [7] http://www.openpkg.org/security.html#signature
   ________________________________________________________________________
   
  @@ -75,7 +74,7 @@
   -----BEGIN PGP SIGNATURE-----
   Comment: OpenPKG <[EMAIL PROTECTED]>
   
  -iD8DBQE+huYSgHWT4GPEy58RAhdpAKDGqKOKSGwfuxVT5imK+1H0LBDcPACgu1nq
  -cia1t2PI8lNReMIeza3KLKI=
  -=38Sm
  +iD8DBQE/Tb6CgHWT4GPEy58RAvwxAJ9UTBU0+AOk1uAa+0iBYyR+EoLFxwCfcv+o
  +vrSYiCHVbvn9VPIEBlHoTvo=
  +=avEZ
   -----END PGP SIGNATURE-----
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]

[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2003.037-sendmail.txt

Reply via email to