Home page logo
/

bugtraq logo Bugtraq mailing list archives

sendmail 8.11.4 and 8.12.0.Beta10 available (fwd)
From: Jonas Eriksson <je () sekure net>
Date: Tue, 29 May 2001 00:10:03 +0200 (CEST)


---------- Forwarded message ----------
Date: Mon, 28 May 2001 09:11:15 -0700
From: Gregory Neil Shapiro <sendmail+gshapiro () sendmail org>
To: sendmail-announce () sendmail org
Subject: sendmail 8.11.4 and 8.12.0.Beta10 available


-----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.11.4 and 8.12.0.Beta10.

8.11.4 revamps signal handling within the MTA in order to reduce the
likelihood of a race condition that can lead to heap corruption as
described in Michal Zalewski's advisory.  The problems discussed in the
advisory are not currently known to be exploitable but we recommend
upgrading to 8.11.4 in case a method is found to exploit the signal
handling race condition.  8.11.4 also fixes other bugs found since the
release of 8.11.3.

8.12.0.Beta10 includes the changes in signal handling from 8.11.4.
Moreover, there is a significant change compared to earlier beta
versions: by default sendmail is installed as a set-group-id binary;
a set-user-id root binary will be only installed if the proper
target is selected (see sendmail/SECURITY).  Beta10 fixes also a
few bugs, especially possible core dumps during queue runs and in a
milter application (using smfi_chgheader), possible rejection of
messages due to an uninitialized variable, and omitting queue runs
if queue groups are used and the total number of queue runners is
restricted to less than the sum of the individual queue runners.

Please send bug reports to sendmail-bugs () sendmail org and general
feedback to sendmail () sendmail org 

The versions can be found at:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.4.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.4.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.4.tar.sig

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta10.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta10.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta10.tar.sig

MD5 signatures:

5e224eeb0aab63b7c178728ae42f26a5 sendmail.8.11.4.tar.gz
45b2d3694a4fa952739aba82a2df3522 sendmail.8.11.4.tar.Z
d2cd6011a6b395ea07091414be869152 sendmail.8.11.4.tar.sig

6f8e398b04da5ccfca6bd6f9f52de28e sendmail.8.12.0.Beta10.tar.gz
85d73a1ab711b23f4afb3cb6048c0624 sendmail.8.12.0.Beta10.tar.Z
d2631e7b3275a9fba3c3666bad62afa5 sendmail.8.12.0.Beta10.tar.sig

You need either the gzip'ed version (.gz) or the compressed version
(.Z).  The .sig files contain the PGP signature of the tar files
(after uncompressing).  The PGP signatures were created using the
Sendmail Signing Key/2001, available on the web site
(http://www.sendmail.org/) or on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

   PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
   SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
   TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
   PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
   COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
   SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
   YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
   AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
   ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

8.11.4/8.11.4   2001/05/28
        Clean up signal handling routines to reduce the chances of heap
                corruption and other potential race conditions.
                Terminating and restarting the daemon may not be
                instantaneous due to this change.  Also, non-root users can
                no longer send out-of-band signals.  Problem reported by
                Michal Zalewski of BindView.
        If LogLevel is greater than 9 and SASL fails to negotiate an
                encryption layer, avoid core dump logging the encryption
                strength.  Problem noted by Miroslav Zubcic of Crol.
        If a server offers "AUTH=" and "AUTH " and the list of mechanisms is
                different in those two lines, sendmail might not have
                recognized (and used) all of the offered mechanisms.
        Fix an IP address lookup problem on Solaris 2.0 - 2.3.  Patch
                from Kenji Miyake.
        This time, really don't use the .. directory when expanding
                QueueDirectory wildcards.
        If a process is interrupted while closing a map, don't try to close
                the same map again while exiting.
        Allow local mailers (F=l) to contact remote hosts (e.g., via
                LMTP).  Problem noted by Norbert Klasen of the University
                of Tuebingen.
        If Timeout.QueueReturn was set to a value less the time it took
                to write a new queue file (e.g., 0 seconds), the bounce
                message would be lost.  Problem noted by Lorraine L Goff of
                Oklahoma State University.
        Pass map argument vector into map rewriting engine for the regex
                and prog map types.  Problem noted by Stephen Gildea of
                InTouch Systems, Inc.
        When closing an LDAP map due to a temporary error, close all of the
                other LDAP maps which share the original map's connection
                to the LDAP server.  Patch from Victor Duchovni of
                Morgan Stanley.
        To detect changes of NDBM aliases files check the timestamp of the
                .pag file instead of the .dir file.  Problem noted by Neil
                Rickert of Northern Illinois University.
        Don't treat temporary hesiod lookup failures as permanent.  Patch
                from Werner Wiethege.
        If ClientPortOptions is set, make sure to create the outgoing socket
                with the family set in that option.  Patch from Sean Farley.
        Avoid a segmentation fault trying to dereference a NULL pointer
                when logging a MaxHopCount exceeded error with an empty
                recipient list.  Problem noted by Chris Adams of HiWAAY
                Internet Services.
        Fix DSN for "Too many hops" bounces.  Problem noticed by Ulrich
                Windl of the Universitaet Regensburg.
        Fix DSN for "mail loops back to me" bounces.  Problem noticed by
                Kari Hurtta of the Finnish Meteorological Institute.
        Portability:
                OpenBSD has a broken setreuid() implementation.
        CONFIG: Undo change from 8.11.1: change 501 SMTP reply code back
                to 553 since it is allowed by DRUMS.
        CONFIG: Add OSTYPE(freebsd4) for FreeBSD 4.X.
        DEVTOOLS: install.sh did not properly handle paths in the source
                file name argument.  Noted by Kari Hurtta of the Finnish
                Meteorological Institute.
        DEVTOOLS: Add FAST_PID_RECYCLE to compile time options for OpenBSD
                since it generates random process ids.
        PRALIASES: Add back adaptive algorithm to deal with different endings
                of entries in the database (with/without trailing '\0').
                Patch from John Beck of Sun Microsystems.
        New Files:
                cf/ostype/freebsd4.m4

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface
Charset: noconv

iQCVAwUBOxJ4WnxLZ22gDhVjAQEIEQP+JItPxBNK++A3csI0GQG9i63fhaOSc4d0
1ivTU7Xx9JB7rC2LFIChsrDmCVPYrT6c9TKTpM8SdPjN2D8IVBzMkfTcyzJ7DQQF
HNvqwl+aZ7h6lw06mu8X0+msNlWEov3Wa/1vGoh2bHL5YR4gsnVz6tQGpf1iCBi3
eI1vXU/vtCs=
=DHLv
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
  • sendmail 8.11.4 and 8.12.0.Beta10 available (fwd) Jonas Eriksson (May 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault