Debian Security Advisory
DSA-384-1 sendmail -- buffer overflows
- Date reported:
- 2003-09-17
- Affected packages:
- sendmail
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 8641, BugTraq ID 8649.
In Mitre's CVE dictionary: CVE-2003-0681, CVE-2003-0694.
CERT's vulnerabilities, advisories and incident notes: CA-2003-25.
- More information:
Two vulnerabilities were reported in sendmail.
- CAN-2003-0681:
A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the non-standard rulesets (1) "recipient", (2) "final", or (3) "mailer-specific envelope recipients", can have unknown consequences.
- CAN-2003-0694:
The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.
For the stable distribution (woody) these problems have been fixed in sendmail version 8.12.3-6.6 and sendmail-wide version 8.12.3+3.5Wbeta-5.5.
For the unstable distribution (sid) these problems have been fixed in sendmail version 8.12.10-1.
We recommend that you upgrade your sendmail package.
- Fixed in:
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6.dsc
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6.diff.gz
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3.orig.tar.gz
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5.dsc
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5.diff.gz
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.12.3-6.6_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_alpha.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_alpha.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_arm.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_arm.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_i386.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_i386.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_ia64.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_ia64.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_hppa.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_hppa.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_m68k.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_m68k.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_mips.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_mips.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_mipsel.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_mipsel.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_powerpc.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_powerpc.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_s390.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_s390.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_sparc.deb
- http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_sparc.deb
- http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_sparc.deb
MD5 checksums for these files are available in the original advisory.