---

Home Security

Mandrake Linux Advisory: sendmail

By

Mandrake Linux Security Update Advisory

Package name: sendmail
Advisory ID: MDKSA-2003:092
Date: September 17th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1

Problem Description:

A buffer overflow vulnerability was discovered in the address
parsing code in all versions of sendmail prior to 8.12.10 by Michal
Zalewski, with a patch to fix the problem provided by Todd C.
Miller. This vulnerability seems to be remotely exploitable on
Linux systems running on the x86 platform; the sendmail team is
unsure of other platforms (CAN-2003-0694).

Another potential buffer overflow was fixed in ruleset parsing
which is not exploitable in the default sendmail configuration. A
problem may occur if non-standard rulesets recipient (2), final
(4), or mailer specific envelope recipients rulesets are use. This
problem was discovered by Timo Sirainen (CAN-2003-0681).

MandrakeSoft encourages all users who use sendmail to upgrade to
the provided packages which are patched to fix both problems.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0694

http://www.sendmail.org/8.12.10.html


http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html

Updated Packages:

Corporate Server 2.1:
7870e3e3f35647266197194e933f5ed7
corporate/2.1/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
3df2666ba0c7eef233a0060d799d86c4
corporate/2.1/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
e09d65fa52f14038643602d9c41ea72b
corporate/2.1/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
6c580bbbc7212e13b2a27de1e727254d
corporate/2.1/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
e9aa39db8dad6941af1e3a6e8c857cb5
corporate/2.1/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm

Mandrake Linux 8.2:
87a2d830b724bc67640ea4e267a60517
8.2/RPMS/sendmail-8.12.1-4.5mdk.i586.rpm
b21c82a3f1b554aecd5227ab7269aea4
8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.i586.rpm
aed850225f1902657b02010a703d744c
8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.i586.rpm
aca8d9015390056de17b16db3fecc3e4
8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.i586.rpm
b0a8f5bbc575c2fc8b0dcaf2af00cbba
8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm

Mandrake Linux 8.2/PPC:
993a8769ba667651e4319c27c9e82b7e
ppc/8.2/RPMS/sendmail-8.12.1-4.5mdk.ppc.rpm
6c9e501287a7eccec51b10dce7c6e6fb
ppc/8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.ppc.rpm
e8d204f807ee1ea4a364fb4afdc24439
ppc/8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.ppc.rpm
cb695b306b372a540e363006adfc5f54
ppc/8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.ppc.rpm
b0a8f5bbc575c2fc8b0dcaf2af00cbba
ppc/8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm

Mandrake Linux 9.0:
7870e3e3f35647266197194e933f5ed7
9.0/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
3df2666ba0c7eef233a0060d799d86c4
9.0/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
e09d65fa52f14038643602d9c41ea72b
9.0/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
6c580bbbc7212e13b2a27de1e727254d
9.0/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
e9aa39db8dad6941af1e3a6e8c857cb5
9.0/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm

Mandrake Linux 9.1:
abf1ad68f3835ce7f2593f935af97c95
9.1/RPMS/sendmail-8.12.9-1.2mdk.i586.rpm
26427faee7bc48e521e370a7957865a7
9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.i586.rpm
a531c3ec3b6807428968254854d863b2
9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.i586.rpm
3e70938f6cb88c69f3a004c96b3ec347
9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.i586.rpm
1d575885387c5130d993d15cdfec56e5
9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm

Mandrake Linux 9.1/PPC:
ff80af8ecc2af755689271c495cffed2
ppc/9.1/RPMS/sendmail-8.12.9-1.2mdk.ppc.rpm
d29850a5cd7322d7d908a2c7299133ea
ppc/9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.ppc.rpm
503d3aae07c0b8f707fd0f6187990dbd
ppc/9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.ppc.rpm
10c1cb226d1e991eed8f974d1b62dc33
ppc/9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.ppc.rpm
1d575885387c5130d993d15cdfec56e5
ppc/9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):

To upgrade automatically, use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:

gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98

Please be aware that sometimes it takes the mirrors a few hours
to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security
linux-mandrake.com>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.