Message-Id: <E1NUla1-0002Zg-AG@titan.mandriva.com>
Date: Tue, 12 Jan 2010 19:35:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:003 ] sendmail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:003
http://www.mandriva.com/security/
_______________________________________________________________________
Package : sendmail
Date : January 11, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:

A security vulnerability has been identified and fixed in sendmail:

sendmail before 8.14.4 does not properly handle a '\0' (NUL)
character in a Common Name (CN) field of an X.509 certificate, which
(1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
SMTP servers via a crafted server certificate issued by a legitimate
Certification Authority, and (2) allows remote attackers to bypass
intended access restrictions via a crafted client certificate issued by
a legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-4565).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

This update provides a fix for this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
http://www.sendmail.org/releases/8.14.4
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLTJFPmqjQ0CJFipgRAoKcAJ99aQC/zNJ+rZ9k9UMbTWlldiveLACg0c5X
W7OfxaxmPvfqiwxJE7tjcb8=
=Fkrf
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/