Yellow Dog Linux Security Advisory: YDU-20030917-2

Terra Soft Security Team yellowdog-updates@lists.terrasoftsolutions.com
17 Sep 2003 22:36:09 -0600


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	sendmail
Issue Date:	Sep 17, 2003
Priority:	high
Advisory ID:	YDU-20030917-2


1. 	Topic:

	Updated sendmail packages are available.


2. 	Problem:

	"Updated Sendmail packages that fix a potentially-exploitable vulnerability
	are now available.

	Sendmail is a widely used Mail Transport Agent (MTA) and is included in all
	[Yellow Dog] Linux distributions.

	Michal Zalewski found a bug in the prescan() function of unpatched Sendmail
	versions prior to 8.12.10. The successful exploitation of this bug can lead
	to heap and stack structure overflows. Although no exploit currently
	exists, this issue is locally exploitable and may also be remotely
	exploitable. The Common Vulnerabilities and Exposures project
	(cve.mitre.org) has assigned the name CAN-2003-0694 to this issue.

	Additionally, for [Yellow Dog Linux 3.0] we have included a fix for a
	potential buffer overflow in ruleset parsing. This problem is not
	exploitable in the default sendmail configuration; it is exploitable only
	if non-standard rulesets recipient (2), final (4), or mailer-specific
	envelope recipients rulesets are used. The Common Vulnerabilities and
	Exposures project (cve.mitre.org) has assigned the name CAN-2003-0681 to
	this issue.

	All users are advised to update to these erratum packages containing a
	backported patch which corrects these vulnerabilities."
	(from Red Hat Advisory)


3. 	Solution:

	Updates are available immediately via YDL.Net Enhanced.

	a) Updating via yum...
	We suggest that you use the yum program to keep your
	system up-to-date. The following command(s) will retrieve
	and install the fixed version of this update onto your system:

		yum update sendmail

	b) Updating manually...
	Download the updates below and then run the following rpm command.
	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
			ppc/sendmail-8.12.8-9.90.ppc.rpm
			ppc/sendmail-cf-8.12.8-9.90.ppc.rpm
			ppc/sendmail-devel-8.12.8-9.90.ppc.rpm
			ppc/sendmail-doc-8.12.8-9.90.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
3a5bf029ea75ec5159ea3ddc54f7b973  SRPMS/sendmail-8.12.8-9.90.src.rpm
2bf11c277a1108834e1a411dbd4873f2  ppc/sendmail-8.12.8-9.90.ppc.rpm
bdd699dc394a1306d66675d7c9e5b118  ppc/sendmail-cf-8.12.8-9.90.ppc.rpm
00389b26a272d0de34af2270d50ef825  ppc/sendmail-devel-8.12.8-9.90.ppc.rpm
590a8eafe943ef0200b734c89b088967  ppc/sendmail-doc-8.12.8-9.90.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
compute its checksum with the following command and compare the result with the
table above: md5sum <filename>
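The manual update path (section 3b) and the checksum check (section 4) are naturally combined into one script that refuses to run rpm -Fvh unless every downloaded file matches the advisory's table. The following is an added example, not part of the advisory or of Terra Soft's tooling; it assumes md5sum, awk and rpm are on PATH and that the checksum file is written in the two-column "<md5>  <path>" layout of section 4.

```shell
#!/bin/sh
# Added example, not part of the advisory: check downloaded packages against
# the MD5 table in section 4 and run "rpm -Fvh" only when every file matches.
# Assumes md5sum(1), awk(1) and rpm(1) on PATH. The checksum file uses the
# two-column layout of section 4 ("<md5>  <path>"), one package per line.

# verify_md5 FILE EXPECTED -> 0 if FILE exists and its MD5 equals EXPECTED, else 1
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# verify_all CHECKSUM_FILE -> 0 only if every listed package matches;
# prints one status line per package so the failing file is visible
verify_all() {
    rc=0
    while read -r expected path; do
        [ -n "$expected" ] || continue          # skip blank lines
        if verify_md5 "$path" "$expected"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"               # corrupted, missing or swapped
            rc=1
        fi
    done < "$1"
    return $rc
}

# install_if_verified CHECKSUM_FILE -> freshen (-F: upgrade only packages that
# are already installed) all listed rpms, but only after every checksum passes
install_if_verified() {
    verify_all "$1" || { echo "checksum mismatch; nothing installed" >&2; return 1; }
    rpm -Fvh $(awk '{print $2}' "$1")
}

# Stand-alone demo on a constructed file: the MD5 of the string "abc" is
# 900150983cd24fb0d6963f7d28e17f72, so the first check passes and the second,
# with a deliberately wrong hash, fails.
demo() {
    f=$(mktemp); printf 'abc' > "$f"
    verify_md5 "$f" 900150983cd24fb0d6963f7d28e17f72 && echo "demo: match detected"
    verify_md5 "$f" 00000000000000000000000000000000 || echo "demo: mismatch detected"
    rm -f "$f"
}
demo
```

Take the expected hashes from the advisory text you received (e.g. this mailing-list post), not from a file fetched over the same FTP mirror as the packages, since a checksum list served alongside the files would be replaced together with them.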


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml