Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. This is a FAQ: http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#RELEASE-CANDIDATE mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
Got it and thank you to all who replied. It is my memory that with some builds I have gotten something other than #0. But maybe that was from building something other than RELENG_4. I the sendmail fix was important enough where I felt the need for some reassurance. Thanks again. On Mon, 10 Mar 2003, Mike Meyer wrote: In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. This is a FAQ: http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/admin.html#RELEASE-CANDIDATE mike -- Mike Meyer [EMAIL PROTECTED]http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. _ Douglas Denault [EMAIL PROTECTED] Voice: 301-469-8766 Fax: 301-469-0601 To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: Got it and thank you to all who replied. It is my memory that with some builds I have gotten something other than #0. But maybe that was from building something other than RELENG_4. I the sendmail fix was important enough where I felt the need for some reassurance. The #0 is a counter of the number of builds done in that kernel build directory. You somehow started with a clean directory this time, so the number was reset to zero. If you build that kernel again - with or without cvsup - without cleaning out the directory, it will go to 1, then 2, and so on. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
I cleaned /usr/obj/usr/... but not /usr/src which was at some version of 4.7. Also my root partition is a bit small so I played some games with /modules /modules.old and kernel.old. The count is driven off one of those? I did not mess with anything in /usr/src including /sys/../compile/. On Mon, 10 Mar 2003, Mike Meyer wrote: In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: Got it and thank you to all who replied. It is my memory that with some builds I have gotten something other than #0. But maybe that was from building something other than RELENG_4. I the sendmail fix was important enough where I felt the need for some reassurance. The #0 is a counter of the number of builds done in that kernel build directory. You somehow started with a clean directory this time, so the number was reset to zero. If you build that kernel again - with or without cvsup - without cleaning out the directory, it will go to 1, then 2, and so on. mike -- Mike Meyer [EMAIL PROTECTED]http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. _ Douglas Denault [EMAIL PROTECTED] Voice: 301-469-8766 Fax: 301-469-0601 To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
[Context lost to top posting] In [EMAIL PROTECTED], [EMAIL PROTECTED] typed: I cleaned /usr/obj/usr/... but not /usr/src which was at some version of 4.7. Also my root partition is a bit small so I played some games with /modules /modules.old and kernel.old. The count is driven off one of those? Cleaning out /usr/obj/ will reset the counter, as the build directory for the *kernel targets is in /usr/obj/usr/src/sys. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. From the announcement: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_0, RELENG_4_7, or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p4, 4.7-RELEASE-p7, or 4.6.2-RELEASE-p10, respectively). [NOTE: At the time of this writing, the FreeBSD 4-STABLE branch is labeled `4.8-RC1'.] My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. _ Douglas Denault [EMAIL PROTECTED] Voice: 301-469-8766 Fax: 301-469-0601 To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Upgrading for FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
On Mon, 10 Mar 2003 at 00:47:59 -0500, [EMAIL PROTECTED] wrote: As per this announcement I updated my source tree to 'date=2003.03.08.10.10.00' picking a date later than the Mar 4th date of FreeBSD-SA-03:04. From the announcement: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_0, RELENG_4_7, or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p4, 4.7-RELEASE-p7, or 4.6.2-RELEASE-p10, respectively). [NOTE: At the time of this writing, the FreeBSD 4-STABLE branch is labeled `4.8-RC1'.] My question is that I get: Copyright (c) 1992-2003 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC #0: Sun Mar 9 23:03:55 EST 2003 Does the label not apply if I specify a date? Does the 4.8-RC #0 represent a problem? I did get the correct version of sendmail. No, the label of RC1 doesn't apply if you cvsup and build/install world, it only applies to snapshots and ISOs for QA purposes. If you update build/install world you'll only see RC. This is normal, and you're not seeing anything out of the ordinary. - jim -- - jim mock. email: [EMAIL PROTECTED] web: http://soupnazi.org - - freebsd project: [EMAIL PROTECTED]opendarwin: [EMAIL PROTECTED] - To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
Anybody know how we should approach this for older versions of FreeBSD? Is upgrading source and rebuilding the only way? I was wondering if there were binary versions or patches for older versions so we don't have upgrade, rebuild and reboot. At 09:11 AM 3/3/2003 -0800, FreeBSD Security Advisories, you wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 = FreeBSD-SA-03:04.sendmail Security Advisory The FreeBSD Project Topic: sendmail header parsing buffer overflow Category: contrib Module: contrib_sendmail Announced: 2003-03-03 Credits:Mark Dowd (ISS) Affects:All releases prior to 4.8-RELEASE and 5.0-RELEASE-p4 FreeBSD 4-STABLE prior to the correction date Corrected: 2003-03-03 FreeBSD only: NO I. Background FreeBSD includes sendmail(8), a general purpose internetwork mail routing facility, as the default Mail Transfer Agent (MTA). II. Problem Description ISS has identified a buffer overflow that may occur during header parsing in all versions of sendmail after version 5.79. In addition, Sendmail, Inc. has identified and corrected a defect in buffer handling within sendmail's RFC 1413 ident protocol support. III. Impact A remote attacker could create a specially crafted message that may cause sendmail to execute arbitrary code with the privileges of the user running sendmail, typically root. The malicious message might be handled (and therefore the vulnerability triggered) by the initial sendmail MTA, any relaying sendmail MTA, or by the delivering sendmail process. Exploiting this defect is particularly difficult, but is believed to be possible. The defect in the ident routines is not believed to be exploitable. IV. Workaround There is no workaround, other than disabling sendmail. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_0, RELENG_4_7, or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p4, 4.7-RELEASE-p7, or 4.6.2-RELEASE-p10, respectively). [NOTE: At the time of this writing, the FreeBSD 4-STABLE branch is labeled `4.8-RC1'.] 2) To patch your present system: The following patch has been verified to apply to FreeBSD 5.0, 4.7, and 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail.patch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail.patch.asc b) Execute the following commands as root: # cd /usr/src # patch /path/to/patch # cd /usr/src/lib/libsm # make obj make depend make # cd /usr/src/lib/libsmutil # make obj make depend make # cd /usr/src/usr.sbin/sendmail # make obj make depend make make install 3) For i386 systems only, a patched sendmail binary is available. Select the correct binary based on your FreeBSD version and whether or not you want STARTTLS support. If you want STARTTLS support, you must have the crypto distribution installed. a) Download the relevant binary from the location below, and verify the detached PGP signature using your PGP utility. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-crypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-crypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-nocrypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-nocrypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-crypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-crypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-nocrypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-nocrypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-crypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-crypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-nocrypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-nocrypto.bin.gz.asc b) Install the binary. Execute the following commands as root. Note that these examples utilizes the FreeBSD 4.7 crypto binary. Substitute BINARYGZ with the file name which you downloaded in step (a). # BINARYGZ=/path/to/sendmail-4.7-i386-crypto.bin.gz # gunzip ${BINARYGZ} # install -s -o root -g smmsp -m 2555 ${BINARYGZ%.gz} /usr/libexec/sendmail/sendmail c) Restart sendmail. Execute the following command as root. # /bin/sh /etc/rc.sendmail restart VI. Correction details The following list contains the revision numbers of each file that was corrected in
Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
On Mon, Mar 03, 2003 at 03:56:40PM -0600, Oscar Ricardo Silva wrote: Anybody know how we should approach this for older versions of FreeBSD? Is upgrading source and rebuilding the only way? I was wondering if there were binary versions or patches for older versions so we don't have upgrade, rebuild and reboot. What you see in the advisory is all that is provided by FreeBSD. If you're on an older release, it's not supported any longer and you need to figure out how to fix it on your own. That may involve upgrading to a supported release, or manually fixing the problem described in the advisory. In this case you can probably disable the base system sendmail and use the sendmail port. Kris pgp0.pgp Description: PGP signature
Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In [EMAIL PROTECTED], Kris Kennaway [EMAIL PROTECTED] typed: On Mon, Mar 03, 2003 at 03:56:40PM -0600, Oscar Ricardo Silva wrote: Anybody know how we should approach this for older versions of FreeBSD? Is upgrading source and rebuilding the only way? I was wondering if there were binary versions or patches for older versions so we don't have upgrade, rebuild and reboot. What you see in the advisory is all that is provided by FreeBSD. If you're on an older release, it's not supported any longer and you need to figure out how to fix it on your own. That may involve upgrading to a supported release, or manually fixing the problem described in the advisory. In this case you can probably disable the base system sendmail and use the sendmail port. Or the postfix port, or the qmail port, or the exim port. At least two of those three have had zero security problems, and it's probably true for all three of them. mike -- Mike Meyer [EMAIL PROTECTED] http://www.mired.org/consulting.html Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message