Yellow Dog Security Advisory: YDU-20030304-1

Rick Thomas yellowdog-general@lists.terrasoftsolutions.com
Thu Mar 6 09:38:05 2003


Will these patched RPMs work on YDL 2.2?

Or do I have to bite the bullet and update to YDL 2.3?

I was hoping that YDL 3.0 would come out before I had to do 2.3.

Rick




On 3/4/03 4:02 PM, "security@terrasoftsolutions.com"
<security@terrasoftsolutions.com> wrote:

> Yellow Dog Linux Security Announcement
> --------------------------------------
> 
> Package:    sendmail
> Issue Date:    March 04, 2003
> Priority:    high
> Advisory ID:     YDU-20030304-1
> 
> 
> 1.     Topic:
> 
> Updated sendmail packages are available.
> 
> 
> 2.     Problem:
> 
> "During a code audit of Sendmail by ISS, a critical vulnerability was
> uncovered that affects unpatched versions of Sendmail prior to version
> 8.12.8. A remote attacker can send a carefully crafted email message
> which, when processed by sendmail, causes arbitrary code to be
> executed as root.
> 
> We are advised that a proof-of-concept exploit is known to exist, but
> is not believed to be in the wild.
> 
> Since this is a message-based vulnerability, MTAs other than Sendmail
> may pass on the carefully crafted message. This means that unpatched
> versions of Sendmail inside a network could still be at risk even if
> they do not accept external connections directly.
> 
> In addition, the restricted shell (SMRSH) in Sendmail allows attackers to
> bypass the intended restrictions of smrsh by inserting additional commands
> after "||" sequences or "/" characters, which are not properly filtered or
> verified. A successful attack would allow an attacker who has a local
> account on a system which has explicitly enabled smrsh to execute arbitrary
> binaries as themselves by utilizing their .forward file.
> 
> All users are advised to update to these erratum packages."
> (from Red Hat Advisory)
> 
> 
> 3.     Solution:
> 
> a) Updating via apt...
> We suggest that you use the apt-get program to keep your
> system up-to-date. The following command(s) will retrieve
> and install the fixed version of this update onto your system:
> 
> apt-get update
> apt-get install sendmail
> 
> b) Updating manually...
> Download the updates below and then run the following rpm command.
> (Please use a mirror site)
> 
> rpm -Fvh [filenames]
> ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
> ppc/sendmail-8.11.6-23a.72.ppc.rpm
> ppc/sendmail-cf-8.11.6-23a.72.ppc.rpm
> ppc/sendmail-devel-8.11.6-23a.72.ppc.rpm
> ppc/sendmail-doc-8.11.6-23a.72.ppc.rpm
> 
> 
> 4. Verification
> 
> MD5 checksum              Package
> --------------------------------  ----------------------------
> a204c252209d59600bfddb9eeb1b6f18  ppc/sendmail-8.11.6-23a.72.ppc.rpm
> 916517f67ecbb524aecf89d61ebd24f8  ppc/sendmail-cf-8.11.6-23a.72.ppc.rpm
> 28fdd43e4d952ebb54d6276654890e83  ppc/sendmail-devel-8.11.6-23a.72.ppc.rpm
> 2e531410ed6395ffafa1e597ed7bdec0  ppc/sendmail-doc-8.11.6-23a.72.ppc.rpm
> 6d5fa214631a0fd99da4fb51cfb08a0d  SRPMS/sendmail-8.11.6-23a.72.src.rpm
> 
> If you wish to verify that each package has not been corrupted or tampered with,
> examine the md5sum with the following command: rpm --checksig --nogpg filename
> 
> 
> 5. Misc.
> 
> Terra Soft has set up a moderated mailing list where these security, bugfix,
> and package enhancement announcements will be posted. See
> http://lists.terrasoftsolutions.com/ for more information.
> 
> For information regarding the usage of apt-get, see:
> http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
> 
> _______________________________________________
> yellowdog-updates mailing list
> yellowdog-updates@lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-updates
>
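The manual update path in section 3/4 of the quoted advisory is: download the packages, compare each file's MD5 against the table, then install with rpm -Fvh. The script below is an added example (not part of the advisory or Terra Soft's tooling) that automates the comparison step: it reads a table in the advisory's "MD5 checksum  Package" layout, tolerating the leading ">" left by the quoted mail, and reports OK, MISMATCH or MISSING per package. It assumes GNU md5sum from coreutils and POSIX sh.

```shell
#!/bin/sh
# Added example: verify downloaded RPMs against an advisory MD5 table.
# Assumes GNU md5sum (coreutils) is on PATH.

# verify_md5_table TABLE_FILE DOWNLOAD_DIR
#   TABLE_FILE holds lines of "<md5>  <relative path>", as printed in the
#   advisory (header, separator and "> " quote prefixes are ignored).
#   DOWNLOAD_DIR is where the ppc/ and SRPMS/ files were fetched to.
#   Returns 0 only if every listed package is present and its MD5 matches.
verify_md5_table() {
    table=$1
    dir=$2
    rc=0
    while IFS= read -r line; do
        line=${line#>}              # drop a leading '>' pasted from the quoted mail
        set -f                      # no glob expansion while word-splitting the line
        set -- $line
        set +f
        [ $# -ge 2 ] || continue    # blank line or lone quote mark
        expected=$1
        path=$2
        case "$expected" in
            MD5|---*) continue ;;   # table header / separator row
        esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"
            rc=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (expected $expected, got $actual)"
            rc=1
        fi
    done < "$table"
    return $rc
}

# Stand-alone usage: verify_rpms.sh <table-file> <download-dir>
if [ $# -eq 2 ]; then
    verify_md5_table "$1" "$2"
fi
```

Like `rpm --checksig --nogpg`, this is an integrity check only: a matching MD5 shows the download was not corrupted, but since the checksums travel with the advisory itself, it does not establish who built the package the way a GPG signature check would.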