Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. This is a FAQ: http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#RELEASE-CANDIDATE mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
Got it and thank you to all who replied. It is my memory that with some builds I have gotten something other than #0. But maybe that was from building something other than RELENG_4. I the sendmail fix was important enough where I felt the need for some reassurance. Thanks again. On Mon, 10 Mar 2003, Mike Meyer wrote: In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. This is a FAQ: http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#RELEASE-CANDIDATE mike -- Mike Meyer [EMAIL PROTECTED]http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. _ Douglas Denault [EMAIL PROTECTED] Voice: 301-469-8766 Fax: 301-469-0601 To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: Got it and thank you to all who replied. It is my memory that with some builds I have gotten something other than #0. But maybe that was from building something other than RELENG_4. I the sendmail fix was important enough where I felt the need for some reassurance. The #0 is a counter of the number of builds done in that kernel build directory. You somehow started with a clean directory this time, so the number was reset to zero. If you build that kernel again - with or without cvsup - without cleaning out the directory, it will go to 1, then 2, and so on. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
I cleaned /usr/obj/usr/... but not /usr/src which was at some version of 4.7. Also my root partition is a bit small so I played some games with /modules /modules.old and kernel.old. The count is driven off one of those? I did not mess with anything in /usr/src including /sys/../compile/. On Mon, 10 Mar 2003, Mike Meyer wrote: In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: Got it and thank you to all who replied. It is my memory that with some builds I have gotten something other than #0. But maybe that was from building something other than RELENG_4. I the sendmail fix was important enough where I felt the need for some reassurance. The #0 is a counter of the number of builds done in that kernel build directory. You somehow started with a clean directory this time, so the number was reset to zero. If you build that kernel again - with or without cvsup - without cleaning out the directory, it will go to 1, then 2, and so on. mike -- Mike Meyer [EMAIL PROTECTED]http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. _ Douglas Denault [EMAIL PROTECTED] Voice: 301-469-8766 Fax: 301-469-0601 To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
[Context lost to top posting] In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: I cleaned /usr/obj/usr/... but not /usr/src which was at some version of 4.7. Also my root partition is a bit small so I played some games with /modules /modules.old and kernel.old. The count is driven off one of those? Cleaning out /usr/obj/ will reset the counter, as the build directory for the *kernel targets is in /usr/obj/usr/src/sys. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. From the announcement: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_0, RELENG_4_7, or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p4, 4.7-RELEASE-p7, or 4.6.2-RELEASE-p10, respectively). [NOTE: At the time of this writing, the FreeBSD 4-STABLE branch is labeled `4.8-RC1'.] My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. _ Douglas Denault [EMAIL PROTECTED] Voice: 301-469-8766 Fax: 301-469-0601 To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
On Mon, 10 Mar 2003 at 00:47:59 -0500, [EMAIL PROTECTED] wrote: As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. From the announcement: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_0, RELENG_4_7, or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p4, 4.7-RELEASE-p7, or 4.6.2-RELEASE-p10, respectively). [NOTE: At the time of this writing, the FreeBSD 4-STABLE branch is labeled `4.8-RC1'.] My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. No, the label of RC1 doesn't apply if you cvsup and build/install world, it only applies to snapshots and ISOs for QA purposes. If you update build/install world you'll only see RC. This is normal, and you're not seeing anything out of the ordinary. - jim -- - jim mock. email: [EMAIL PROTECTED] web: http://soupnazi.org - - freebsd project: [EMAIL PROTECTED]opendarwin: [EMAIL PROTECTED] - To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
Anybody know how we should approach this for older versions of FreeBSD? Is
upgrading source and rebuilding the only way? I was wondering if there
were binary versions or patches for older versions so we don't have
upgrade, rebuild and reboot.
At 09:11 AM 3/3/2003 -0800, FreeBSD Security Advisories, you wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
=
FreeBSD-SA-03:04.sendmail Security Advisory
The FreeBSD Project
Topic: sendmail header parsing buffer overflow
Category: contrib
Module: contrib_sendmail
Announced: 2003-03-03
Credits:Mark Dowd (ISS)
Affects:All releases prior to 4.8-RELEASE and 5.0-RELEASE-p4
FreeBSD 4-STABLE prior to the correction date
Corrected: 2003-03-03
FreeBSD only: NO
I. Background
FreeBSD includes sendmail(8), a general purpose internetwork mail
routing facility, as the default Mail Transfer Agent (MTA).
II. Problem Description
ISS has identified a buffer overflow that may occur during header
parsing in all versions of sendmail after version 5.79.
In addition, Sendmail, Inc. has identified and corrected a defect in
buffer handling within sendmail's RFC 1413 ident protocol support.
III. Impact
A remote attacker could create a specially crafted message that may
cause sendmail to execute arbitrary code with the privileges of the
user running sendmail, typically root. The malicious message might be
handled (and therefore the vulnerability triggered) by the initial
sendmail MTA, any relaying sendmail MTA, or by the delivering sendmail
process. Exploiting this defect is particularly difficult, but is
believed to be possible.
The defect in the ident routines is not believed to be exploitable.
IV. Workaround
There is no workaround, other than disabling sendmail.
V. Solution
Do one of the following:
1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_0,
RELENG_4_7, or RELENG_4_6 security branch dated after the correction
date (5.0-RELEASE-p4, 4.7-RELEASE-p7, or 4.6.2-RELEASE-p10,
respectively).
[NOTE: At the time of this writing, the FreeBSD 4-STABLE branch is
labeled `4.8-RC1'.]
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 5.0, 4.7,
and 4.6 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch /path/to/patch
# cd /usr/src/lib/libsm
# make obj make depend make
# cd /usr/src/lib/libsmutil
# make obj make depend make
# cd /usr/src/usr.sbin/sendmail
# make obj make depend make make install
3) For i386 systems only, a patched sendmail binary is available.
Select the correct binary based on your FreeBSD version and whether or
not you want STARTTLS support. If you want STARTTLS support, you must
have the crypto distribution installed.
a) Download the relevant binary from the location below, and verify
the detached PGP signature using your PGP utility.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-nocrypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-nocrypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-nocrypto.bin.gz.asc
b) Install the binary. Execute the following commands as root.
Note that these examples utilizes the FreeBSD 4.7 crypto binary.
Substitute BINARYGZ with the file name which you downloaded in
step (a).
# BINARYGZ=/path/to/sendmail-4.7-i386-crypto.bin.gz
# gunzip ${BINARYGZ}
# install -s -o root -g smmsp -m 2555 ${BINARYGZ%.gz}
/usr/libexec/sendmail/sendmail
c) Restart sendmail. Execute the following command as root.
# /bin/sh /etc/rc.sendmail restart
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in
Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
On Mon, Mar 03, 2003 at 03:56:40PM -0600, Oscar Ricardo Silva wrote: Anybody know how we should approach this for older versions of FreeBSD? Is upgrading source and rebuilding the only way? I was wondering if there were binary versions or patches for older versions so we don't have upgrade, rebuild and reboot. What you see in the advisory is all that is provided by FreeBSD. If you're on an older release, it's not supported any longer and you need to figure out how to fix it on your own. That may involve upgrading to a supported release, or manually fixing the problem described in the advisory. In this case you can probably disable the base system sendmail and use the sendmail port. Kris pgp0.pgp Description: PGP signature
Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In [EMAIL PROTECTED], Kris Kennaway [EMAIL PROTECTED] typed: On Mon, Mar 03, 2003 at 03:56:40PM -0600, Oscar Ricardo Silva wrote: Anybody know how we should approach this for older versions of FreeBSD? Is upgrading source and rebuilding the only way? I was wondering if there were binary versions or patches for older versions so we don't have upgrade, rebuild and reboot. What you see in the advisory is all that is provided by FreeBSD. If you're on an older release, it's not supported any longer and you need to figure out how to fix it on your own. That may involve upgrading to a supported release, or manually fixing the problem described in the advisory. In this case you can probably disable the base system sendmail and use the sendmail port. Or the postfix port, or the qmail port, or the exim port. At least two of those three have had zero security problems, and it's probably true for all three of them. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
