Debian Security Advisory

DSA-257-1 sendmail -- remote exploit

Date reported:
4 March 2003
Affected packages:
sendmail, sendmail-wide
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2002-1337.
CERT's vulnerabilities, advisories and incident notes: CA-2003-07, VU#398025.
More information:

Mark Dowd (ISS X-Force) found a bug in sendmail's header parsing routines: a buffer overflow is possible when addresses with very long comments are processed. Because sendmail also parses headers when forwarding e-mail, this vulnerability can also affect mail servers that do not deliver the mail.

The problem has been fixed in the upcoming 8.12.8 release, in version 8.12.3-5 of the package for Debian GNU/Linux 3.0/woody, and in version 8.9.3-25 of the package for Debian GNU/Linux 2.2/potato.

DSA-257-2: Updated sendmail-wide packages are available in version 8.9.3+3.2W-24 of the package for Debian 2.2/potato and in version 8.12.3+3.5Wbeta-5.2 of the package for Debian 3.0/woody.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25.diff.gz
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25.dsc
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3.orig.tar.gz
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24.dsc
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24.tar.gz
alpha (DEC Alpha):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25_alpha.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24_alpha.deb
arm (ARM):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25_arm.deb
--
i386 (Intel IA-32):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25_i386.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24_i386.deb
m68k (Motorola 680x0):
--
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24_m68k.deb
powerpc (PowerPC):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25_powerpc.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24_powerpc.deb
sparc (Sun SPARC/UltraSPARC):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.9.3-25_sparc.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.9.3+3.2W-24_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5.diff.gz
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5.dsc
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3.orig.tar.gz
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2.dsc
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta.orig.tar.gz
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.12.3-5_all.deb
alpha (DEC Alpha):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_alpha.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_alpha.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_alpha.deb
arm (ARM):
--
--
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_arm.deb
hppa (HP PA RISC):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_hppa.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_hppa.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_hppa.deb
i386 (Intel IA-32):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_i386.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_i386.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_i386.deb
ia64 (Intel IA-64):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_ia64.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_ia64.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_ia64.deb
m68k (Motorola 680x0):
--
--
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_m68k.deb
mips (MIPS (Big Endian)):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_mips.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_mips.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_mips.deb
mipsel (MIPS (Little Endian)):
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_mipsel.deb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_mipsel.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_mipsel.deb
powerpc (PowerPC):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_powerpc.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_powerpc.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_powerpc.deb
s390 (IBM S/390):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_s390.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_s390.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_s390.deb
sparc (Sun SPARC/UltraSPARC):
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-5_sparc.deb
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-5_sparc.deb
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.2_sparc.deb

MD5 checksums of the listed files are available in the original advisory. (DSA-257-2)