| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Mar 24 03:57:02 2006
From: jkeating at j2solutions.net (Jesse Keating)
Subject: [FLSA-2006:186277] Updated sendmail packages fix
security issues
---------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated sendmail packages fix security issues
Advisory ID: FLSA:186277
Issue date: 2006-03-23
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-0058
---------------------------------------------------------------------
---------------------------------------------------------------------
1. Topic:
Updated sendmail packages that fix a security issue are now
available.
The sendmail package provides A widely used Mail Transport Agent (MTA).
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64
3. Problem description:
A flaw in the handling of asynchronous signals was discovered in Sendmail.
A remote attacker may be able to exploit a race condition to execute
arbitrary code as root. The Common Vulnerabilities and Exposures project
assigned the name CVE-2006-0058 to this issue.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
In order to correct this issue for RHL 7.3 users, it was necessary to upgrade
the version of Sendmail from 8.11 as originally shipped to Sendmail 8.12.11
with the addition of the security patch supplied by Sendmail Inc. This
erratum provides updated packages based on Sendmail 8.12 with a compatibility
mode enabled as provided by Red Hat for RHEL 2.1. After updating to these
packages, users should pay close attention to their sendmail logs to ensure
that the upgrade completed successfully.
In order to correct this issue for RHL 9 and FC1 users, it was necessary to
upgrade the version of Sendmail from 8.12.8 and 8.12.10 respectively to
8.12.11 with the addition of the security patch supplied by Sendmail Inc.
After updating to these packages, users should pay close attention to their
sendmail logs to ensure that the upgrade completed successfully.
For Fedora Core 3 users, the patch supplied by Sendmail Inc. applies cleanly
to the latest sendmail package previously released for Fedora Core 3.
Users updating to these packages are urged to review their sendmail.cf
file after updating.
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277
6. RPMs required:
Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.9.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.9.legacy.i386.rpm
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.1.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-8.12.11-4.24.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.1.legacy.i386.rpm
Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.1.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-8.12.11-4.25.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-devel-8.12.11-4.25.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-doc-8.12.11-4.25.1.legacy.i386.rpm
Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/sendmail-8.12.11-4.26.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-8.12.11-4.26.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-cf-8.12.11-4.26.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-devel-8.12.11-4.26.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-doc-8.12.11-4.26.legacy.i386.rpm
Fedora Core 3:
SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/sendmail-8.13.1-3.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-8.13.1-3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-cf-8.13.1-3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-devel-8.13.1-3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-doc-8.13.1-3.legacy.i386.rpm
x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-8.13.1-3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-cf-8.13.1-3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-devel-8.13.1-3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-doc-8.13.1-3.legacy.x86_64.rpm
7. Verification:
SHA1 sum Package Name
---------------------------------------------------------------------
d9c001d8a34f11f528ff6be2a9f8dd15818caf40 redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.9.legacy.src.rpm
80f02c886b020e6d6ef17389c22c8b530fb05a48 redhat/7.3/updates/i386/sendmail-8.12.11-4.22.9.legacy.i386.rpm
285816881a55fe4b8a74fee48205c8ceedaee5e5 redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.9.legacy.i386.rpm
b4154a342e7747d980b7acaf352649ddc1dcc40d redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.9.legacy.i386.rpm
81a36048a12cc5c08a8e93490dde6817c402ae54 redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.9.legacy.i386.rpm
272bbff91a52692991f6f0fd434a27fda1c92057 redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.1.legacy.src.rpm
683d48df1c5aabb1e9768d4bfb37036d0d7ff7c6 redhat/9/updates/i386/sendmail-8.12.11-4.24.1.legacy.i386.rpm
a6e967294f6cbe9f623e5626e20e33fbbc410f68 redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.1.legacy.i386.rpm
da996e582bb27144c7c26050e0ba51ce7cb727d7 redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.1.legacy.i386.rpm
8d03dc1dd178543cb9d9050198774b599967bfcd redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.1.legacy.i386.rpm
c33698f4e499d477d9712de3d6061825348a294f fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.1.legacy.src.rpm
df880ab03eaeb2f82be81bee96c28392984a4b86 fedora/1/updates/i386/sendmail-8.12.11-4.25.1.legacy.i386.rpm
729bcaeb1269b65728f014bbbedb5c1a54a5158e fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.1.legacy.i386.rpm
256ff91b67ecc7680a5f2fb97b3b32142bb80d18 fedora/1/updates/i386/sendmail-devel-8.12.11-4.25.1.legacy.i386.rpm
65725c811c4c7eede9f88c006a13c15e458d353f fedora/1/updates/i386/sendmail-doc-8.12.11-4.25.1.legacy.i386.rpm
65086d18cb29e02b57ce07b6abf79ba378ae1c3c fedora/2/updates/SRPMS/sendmail-8.12.11-4.26.legacy.src.rpm
7e44b02696338832e2dfc0057aeb58c98511d0d2 fedora/2/updates/i386/sendmail-8.12.11-4.26.legacy.i386.rpm
d159f0c92bd530799b75341d18b5b2cbe5aa5a0a fedora/2/updates/i386/sendmail-cf-8.12.11-4.26.legacy.i386.rpm
8421bfb2eb2f2b3fddb35e905fdcfecd0fb8088c fedora/2/updates/i386/sendmail-devel-8.12.11-4.26.legacy.i386.rpm
b659d2733afa3d6f4df840a395c6eae3a5c07d50 fedora/2/updates/i386/sendmail-doc-8.12.11-4.26.legacy.i386.rpm
fbfba64eac81e57ae098f967b7d3bf4e47e04c87 fedora/3/updates/SRPMS/sendmail-8.13.1-3.legacy.src.rpm
6cc0f44ad32c0eb62801331bf8bfa41625b61031 fedora/3/updates/i386/sendmail-8.13.1-3.legacy.i386.rpm
04bd02d3f731eb985d6e8b9fde7ee3ddc5bdccfe fedora/3/updates/i386/sendmail-cf-8.13.1-3.legacy.i386.rpm
97f173fa48f847feb5051bc2cb4686f53e3895ac fedora/3/updates/i386/sendmail-devel-8.13.1-3.legacy.i386.rpm
298c0908052efdbc671dda1f22f025f96a10d770 fedora/3/updates/i386/sendmail-doc-8.13.1-3.legacy.i386.rpm
162a1e21ac33e5a9072f7cb9934d17523d8160f6 fedora/3/updates/x86_64/sendmail-8.13.1-3.legacy.x86_64.rpm
939de41400340905ec0b378b501e5d1b8b41e545 fedora/3/updates/x86_64/sendmail-cf-8.13.1-3.legacy.x86_64.rpm
c09947143c351f575737036599c23c542404d82e fedora/3/updates/x86_64/sendmail-devel-8.13.1-3.legacy.x86_64.rpm
bd1b9553b49e5c2631a40f68461472b1671f9beb fedora/3/updates/x86_64/sendmail-doc-8.13.1-3.legacy.x86_64.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
http://www.kb.cert.org/vuls/id/834865
http://www.sendmail.com/company/advisory/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
http://rhn.redhat.com/errata/RHSA-2006-0265.html
http://rhn.redhat.com/errata/RHSA-2006-0264.html
9. Contact:
The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060323/79729b99/attachment.bin
Powered by blists - more mailing lists