Full Disclosure mailing list archives

[ MDVSA-2010:003 ] sendmail
From: security () mandriva com
Date: Tue, 12 Jan 2010 19:35:01 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:003
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : sendmail
 Date    : January 11, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in sendmail:
 
 sendmail before 8.14.4 does not properly handle a '\0' (NUL)
 character in a Common Name (CN) field of an X.509 certificate, which
 (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
 SMTP servers via a crafted server certificate issued by a legitimate
 Certification Authority, and (2) allows remote attackers to bypass
 intended access restrictions via a crafted client certificate issued by
 a legitimate Certification Authority, a related issue to CVE-2009-2408
 (CVE-2009-4565).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 This update provides a fix for this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
 http://www.sendmail.org/releases/8.14.4
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLTJFPmqjQ0CJFipgRAoKcAJ99aQC/zNJ+rZ9k9UMbTWlldiveLACg0c5X
W7OfxaxmPvfqiwxJE7tjcb8=
=Fkrf
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
