[RHSA-2003:073-06] Updated sendmail packages fix critical security issues

Mariano Absatz mailscanner at LISTS.COM.AR
Mon Mar 3 18:36:39 GMT 2003


As Matt said, it not only affects RedHat (or Linux, for that matter):
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html

See http://sendmail.org/8.12.8.html for new version/patches

It seems that, after 5 or 6 years (not counting last year's trojan distro),
sendmail security bugs are back in action... :-(


On 3 Mar 2003 at 10:17, Nathan Johanson wrote:

> Thanks for the post! That was timely.
> 
> --
> Sincerely,
> 
> Nathan Johanson
> Email: nathan at tcpnetworks.net
> 
> 
> -----Original Message-----
> From: Richard, Matt [mailto:matthew.richard at COCC.COM] 
> Sent: Monday, March 03, 2003 9:49 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: FW: [RHSA-2003:073-06] Updated sendmail packages fix critical
> security issues
> 
> 
> For those who have not already seen the advisory.  It appears to affect
> sendmail on many different platforms.
> 
> Matt Richard
> 
> -----Original Message-----
> From: bugzilla at redhat.com [mailto:bugzilla at redhat.com]
> Sent: Monday, March 03, 2003 12:05 PM
> To: redhat-watch-list at redhat.com; redhat-announce-list at redhat.com
> Subject: [RHSA-2003:073-06] Updated sendmail packages fix critical
> security issues
> 
> 
> ---------------------------------------------------------------------
>                    Red Hat, Inc. Red Hat Security Advisory
> 
> Synopsis:          Updated sendmail packages fix critical security issues
> Advisory ID:       RHSA-2003:073-06
> Issue date:        2003-02-07
> Updated on:        2003-03-03
> Product:           Red Hat Linux
> Keywords:          sendmail smrsh security bug
> Cross references:
> Obsoletes:         RHSA-2002:106
> CVE Names:         CAN-2002-1337
> ---------------------------------------------------------------------
> 
> 1. Topic:
> 
> Updated Sendmail packages are available to fix a vulnerability that
> may allow remote attackers to gain root privileges by sending a
> carefully crafted message.
> 
> These packages also fix a security bug if sendmail is configured to use
> smrsh.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Linux 6.2 - i386
> Red Hat Linux 7.0 - i386
> Red Hat Linux 7.1 - i386
> Red Hat Linux 7.2 - i386, ia64
> Red Hat Linux 7.3 - i386
> Red Hat Linux 8.0 - i386
> 
> 3. Problem description:
> 
> Sendmail is a widely used Mail Transport Agent (MTA) which is included
> in all Red Hat Linux distributions.
> 
> During a code audit of Sendmail by ISS, a critical vulnerability was
> uncovered that affects unpatched versions of Sendmail prior to version
> 8.12.8.  A remote attacker can send a carefully crafted email message
> which, when processed by sendmail, causes arbitrary code to be
> executed as root.
> 
> We are advised that a proof-of-concept exploit is known to exist, but
> is not believed to be in the wild.
> 
> Since this is a message-based vulnerability, MTAs other than Sendmail
> may pass on the carefully crafted message.  This means that unpatched
> versions of Sendmail inside a network could still be at risk even if
> they do not accept external connections directly.
> 
> In addition, the restricted shell (SMRSH) in Sendmail allows attackers to
> bypass the intended restrictions of smrsh by inserting additional commands
> after "||" sequences or "/" characters, which are not properly filtered or
> verified.  A successful attack would allow an attacker who has a local
> account on a system which has explicitly enabled smrsh to execute arbitrary
> binaries as themselves by utilizing their .forward file.
> 
> All users are advised to update to these erratum packages.  For Red Hat
> Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable
> to these issues.  For all other distributions we have included a backported
> patch which corrects these vulnerabilities.
> 
> Red Hat would like to thank Eric Allman for his assistance with this
> vulnerability.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
> 
> To update all RPMs for your particular architecture, run:
> 
> rpm -Fvh [filenames]
> 
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which are
> not installed but included in the list will not be updated.  Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
> 
> Please note that this update is also available via Red Hat Network.  Many
> people find this an easier way to apply updates.  To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
> 
> up2date
> 
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
> 
> 5. RPMs required:
> 
> Red Hat Linux 6.2:
> 
> SRPMS:
> ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm
> 
> i386:
> ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm
> 
> Red Hat Linux 7.0:
> 
> SRPMS:
> ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm
> 
> i386:
> ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm
> ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm
> ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm
> ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm
> 
> Red Hat Linux 7.1:
> 
> SRPMS:
> ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm
> 
> i386:
> ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm
> ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm
> 
> Red Hat Linux 7.2:
> 
> SRPMS:
> ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm
> 
> i386:
> ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm
> 
> ia64:
> ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm
> ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm
> ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm
> ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm
> 
> Red Hat Linux 7.3:
> 
> SRPMS:
> ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm
> 
> i386:
> ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm
> 
> Red Hat Linux 8.0:
> 
> SRPMS:
> ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm
> 
> i386:
> ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm
> ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm
> 
> 
> 
> 6. Verification:
> 
> MD5 sum                          Package Name
> --------------------------------------------------------------------------
> 
> 
> These packages are GPG signed by Red Hat, Inc. for security.  Our key
> is available at http://www.redhat.com/about/contact/pgpkey.html
> 
> You can verify each package with the following command:
> 
>     rpm --checksig -v <filename>
> 
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> 
>     md5sum <filename>
> 
> 
> 7. References:
> 
> http://www.cert.org/advisories/CA-2003-07.html
> http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337
> 
> 8. Contact:
> 
> The Red Hat security contact is <security at redhat.com>.  More contact
> details at http://www.redhat.com/solutions/security/news/contact.html
> 
> Copyright 2003 Red Hat, Inc.


--
Mariano Absatz
El Baby
----------------------------------------------------------
Quote me as saying I was misquoted.
      -- Groucho Marx
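One way to script the advisory's verification step (section 6) so that the rpm -Fvh upgrade from section 4 only runs when every downloaded package matches the published digest; this is an added example, not part of the original message or of Red Hat's own tooling. It assumes a manifest file in "<md5>  <relative path>" form transcribed from the advisory's MD5 table, and the package path used in the comments is illustrative.

```shell
#!/bin/sh
# verify_manifest MANIFEST DIR
#   Each non-header line of MANIFEST is "<md5>  <relative path>" (the layout of
#   the advisory's "MD5 sum / Package Name" table). Every listed file must
#   exist under DIR and its md5sum must equal the published digest.
#   Returns 0 only when all files are present and match; 1 otherwise.
#   Note: md5sum proves integrity only; rpm --checksig additionally checks
#   the vendor GPG signature and should still be run on the target host.
verify_manifest() {
    manifest="$1"
    dir="$2"
    bad=0
    while read -r expected relpath; do
        # skip blank lines and the table header/separator copied from the advisory
        case "$expected" in ''|MD5*|---*) continue ;; esac
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            bad=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)" >&2
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# apply_if_verified MANIFEST DIR
#   Gate the advisory's freshen step (rpm -Fvh) on a clean verification run,
#   e.g. DIR containing 8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm.
apply_if_verified() {
    manifest="$1"
    dir="$2"
    if verify_manifest "$manifest" "$dir"; then
        echo "all checksums match; freshening installed packages with rpm -Fvh"
        # rpm -Fvh "$dir"/*/en/os/*/*.rpm   # uncomment on the host being patched
        return 0
    fi
    echo "verification failed; refusing to upgrade" >&2
    return 1
}
```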