Yellow Dog Linux Security Advisory: YDU-20030917-2
Terra Soft Security Team
yellowdog-updates@lists.terrasoftsolutions.com
17 Sep 2003 22:36:09 -0600
Yellow Dog Linux Security Announcement
--------------------------------------
Package: sendmail
Issue Date: Sep 17, 2003
Priority: high
Advisory ID: YDU-20030917-2
1. Topic:
Updated sendmail packages are available.
2. Problem:
"Updated Sendmail packages that fix a potentially-exploitable vulnerability
are now available.
Sendmail is a widely used Mail Transport Agent (MTA) and is included in all
[Yellow Dog] Linux distributions.
Michal Zalewski found a bug in the prescan() function of unpatched Sendmail
versions prior to 8.12.10. The successful exploitation of this bug can lead
to heap and stack structure overflows. Although no exploit currently
exists, this issue is locally exploitable and may also be remotely
exploitable. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0694 to this issue.
Additionally, for [Yellow Dog Linux 3.0] we have included a fix for a
potential buffer overflow in ruleset parsing. This problem is not
exploitable in the default sendmail configuration; it is exploitable only
if non-standard rulesets recipient (2), final (4), or mailer-specific
envelope recipients rulesets are used. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0681 to
this issue.
All users are advised to update to these erratum packages containing a
backported patch which corrects these vulnerabilities."
(from Red Hat Advisory)
3. Solution:
Updates are available immediately via YDL.Net Enhanced.
a) Updating via yum...
We suggest that you use the yum program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
yum update sendmail
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
ppc/sendmail-8.12.8-9.90.ppc.rpm
ppc/sendmail-cf-8.12.8-9.90.ppc.rpm
ppc/sendmail-devel-8.12.8-9.90.ppc.rpm
ppc/sendmail-doc-8.12.8-9.90.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
3a5bf029ea75ec5159ea3ddc54f7b973 SRPMS/sendmail-8.12.8-9.90.src.rpm
2bf11c277a1108834e1a411dbd4873f2 ppc/sendmail-8.12.8-9.90.ppc.rpm
bdd699dc394a1306d66675d7c9e5b118 ppc/sendmail-cf-8.12.8-9.90.ppc.rpm
00389b26a272d0de34af2270d50ef825 ppc/sendmail-devel-8.12.8-9.90.ppc.rpm
590a8eafe943ef0200b734c89b088967 ppc/sendmail-doc-8.12.8-9.90.ppc.rpm
If you wish to verify that each package has not been corrupted or tampered with,
compute its MD5 checksum with the following command and compare it with the
table above: md5sum <filename>
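Added example (not part of the original advisory): a shell function that checks every downloaded package against a table in the format of section 4, instead of comparing md5sum output by eye. The function name, return codes and OK/MISMATCH/SKIP output are choices made for this example; it assumes the table has been saved to a file and that md5sum is installed.

```shell
#!/bin/sh
# Added example: verify downloaded packages against an advisory-style
# "MD5 checksum  Package" table. All names here are hypothetical.
#
# Usage: verify_advisory_md5 TABLE_FILE PACKAGE_DIR
# Returns 0 if every listed package found in PACKAGE_DIR matches,
#         1 if any package found there does not match,
#         2 if no listed package was found (nothing was verified).
verify_advisory_md5() {
    table=$1
    dir=$2
    checked=0
    bad=0
    while read -r sum path rest || [ -n "$sum" ]; do
        # Keep only rows that begin with a 32-digit hex MD5; this skips
        # the column header and the dashed separator line.
        case $sum in
            *[!0-9a-fA-F]*|'') continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        name=${path##*/}              # drop the ppc/ or SRPMS/ prefix
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "SKIP     $name (not downloaded)"
            continue
        fi
        expected=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            bad=$((bad + 1))
        fi
    done < "$table"
    [ "$bad" -eq 0 ] || return 1
    # A wrong directory must not look like a pass.
    [ "$checked" -gt 0 ] || return 2
    return 0
}
```

A match shows only that the file equals what the table lists; it does not authenticate the table itself, so the table should come from a source you trust.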
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml