Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


SOT Linux Advisory: sendmail

Aug 29, 2003, 15:58 (0 Talkback[s])

SOT Linux Security Advisory

Subject: Updated sendmail package for SOT Linux 2003
Advisory ID: SLSA-2003:39
Date: Friday, August 29, 2003
Product: SOT Linux 2003

1. Problem description

Sendmail is a widely used Mail Transport Agent (MTA).

There is a vulnerability in sendmail that can be exploited to cause a denial-of-service condition and could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root.

Also a bug has been discovered in the handling of DNS maps in Sendmail 8.12 versions before 8.12.9. A remote attacker can exploit this issue to crash the instance of Sendmail dealing with the request. We believe that the nature of the bug would make remote exploitation of this issue difficult, if at all possible. The Common Vulnerabilities and Exposures project (cve.mitre.org//) has assigned the name CAN-2003-0688 to this issue.

Sendmail users are advised to update to the packages contained within this erratum which include a backported patch to correct this vulnerability.

2. Updated packages

SOT Linux 2003 Desktop:

ftp://ftp.sot.com/updates/2003/Desktop/i386/sendmail-8.12.7-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Desktop/SRPMS/sendmail-8.12.7-2.src.rpm

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/sendmail-8.12.7-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/sendmail-8.12.7-2.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name MD5 sum


/Desktop/i386/sendmail-8.12.7-2.i386.rpm 8c3ed392bc664fdd7e66c3c24241a6d2
/Desktop/SRPMS/sendmail-8.12.7-2.src.rpm 7b0efd9864a4d11ff13c40548c01f3a6
/Server/i386/sendmail-8.12.7-2.i386.rpm 8c3ed392bc664fdd7e66c3c24241a6d2
/Server/SRPMS/sendmail-8.12.7-2.src.rpm 7b0efd9864a4d11ff13c40548c01f3a6

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0688

Copyright(c) 2001-2003 SOT