Debian Security Advisory

DSA-305-1 sendmail -- insecure temporary files

Date reported:
15 May 2003
Affected packages:
sendmail
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 7614.
In Mitre's CVE dictionary: CVE-2003-0308.
More information:

Paul Szabo discovered bugs in the scripts shipped with the sendmail package (expn, checksendmail and doublebounce.pl), in which temporary files were created in an insecure manner. These bugs gave an attacker the privileges of the user running the script (including root).

For the stable distribution (woody) these problems have been fixed in version 8.12.3-6.4.

For the old stable distribution (potato) these problems have been fixed in version 8.9.3-26.1.

For the unstable distribution (sid) these problems have been fixed in version 8.12.9-2.

We recommend that you update your sendmail package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4.dsc
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4.diff.gz
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.12.3-6.4_all.deb
Alpha:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_alpha.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_arm.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_i386.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_ia64.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_hppa.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_m68k.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_mips.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_mipsel.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_powerpc.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_s390.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.4_sparc.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.4_sparc.deb

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1.dsc
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1.diff.gz
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-26.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.