--------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated sendmail packages fix critical security issues Advisory ID: RHSA-2003:073-06 Issue date: 2003-02-07 Updated on: 2003-03-03 Product: Red Hat Linux Keywords: sendmail smrsh security bug Cross references: Obsoletes: RHSA-2002:106 CVE Names: CAN-2002-1337 --------------------------------------------------------------------- 1. Topic: Updated Sendmail packages are available to fix a vulnerability that may allow remote attackers to gain root privileges by sending a carefully crafted message. These packages also fix a security bug if sendmail is configured to use smrsh. 2. Relevant releases/architectures: Red Hat Linux 6.2 - i386 Red Hat Linux 7.0 - i386 Red Hat Linux 7.1 - i386 Red Hat Linux 7.2 - i386, ia64 Red Hat Linux 7.3 - i386 Red Hat Linux 8.0 - i386 3. Problem description: Sendmail is a widely used Mail Transport Agent (MTA) which is included in all Red Hat Linux distributions. During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by sendmail, causes arbitrary code to be executed as root. We are advised that a proof-of-concept exploit is known to exist, but is not believed to be in the wild. Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly. In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A sucessful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file. All users are advised to update to these erratum packages. For Red Hat Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable to these issues. For all other distributions we have included a backported patch which corrects these vulnerabilities. Red Hat would like to thank Eric Allman for his assistance with this vulnerability. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm i386: ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm Red Hat Linux 8.0: SRPMS: ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm i386: ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm 6. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 35d83351ea84fdae048b3e6f556bfc4a 6.2/en/os/SRPMS/sendmail-8.11.6-1.62.2.src.rpm 71ddff0b307887232ad2b57c6f828dbd 6.2/en/os/i386/sendmail-8.11.6-1.62.2.i386.rpm 3b398feb4f97b05873a864be5d914ee8 6.2/en/os/i386/sendmail-cf-8.11.6-1.62.2.i386.rpm ba2e0d80e5efc7fe3ba2d55f9caa9cb1 6.2/en/os/i386/sendmail-doc-8.11.6-1.62.2.i386.rpm e3a9eb220d844e1e3a1bd84ada63c853 7.0/en/os/SRPMS/sendmail-8.11.6-23.70.src.rpm f3bdb70c4b1d95d10a827db33bf77a46 7.0/en/os/i386/sendmail-8.11.6-23.70.i386.rpm e7a8c264257e207d18257dfe075a5fd1 7.0/en/os/i386/sendmail-cf-8.11.6-23.70.i386.rpm c6cf8af32a436d42d0982b99260ce811 7.0/en/os/i386/sendmail-devel-8.11.6-23.70.i386.rpm ba9251c4ed7fc2916e27c8bc406d7f58 7.0/en/os/i386/sendmail-doc-8.11.6-23.70.i386.rpm c2eb6d0135dc60e83506f0c20148822c 7.1/en/os/SRPMS/sendmail-8.11.6-23.71.src.rpm c3a518db2157a56edc5a94f42c32f8db 7.1/en/os/i386/sendmail-8.11.6-23.71.i386.rpm 6cb3a88c447b56f37d0ebba1df4adb23 7.1/en/os/i386/sendmail-cf-8.11.6-23.71.i386.rpm f2fa0e42d15c723c33c876ea075b4508 7.1/en/os/i386/sendmail-devel-8.11.6-23.71.i386.rpm 2cee572aa2fe1eddb3d22f7ab4d43a20 7.1/en/os/i386/sendmail-doc-8.11.6-23.71.i386.rpm 854ee4390631bdcb818fe6cdc132f7da 7.2/en/os/SRPMS/sendmail-8.11.6-23.72.src.rpm dbce6be563a5642400d0a8a9e97f88fc 7.2/en/os/i386/sendmail-8.11.6-23.72.i386.rpm 92b8773b155b2cce446645dd55842e87 7.2/en/os/i386/sendmail-cf-8.11.6-23.72.i386.rpm d810fe7d6a61550e3b0ac3a509d00fed 7.2/en/os/i386/sendmail-devel-8.11.6-23.72.i386.rpm 722780636eb24b8168f8464817e21de4 7.2/en/os/i386/sendmail-doc-8.11.6-23.72.i386.rpm e83825fb7552ad321cb09ecf86df4a29 7.2/en/os/ia64/sendmail-8.11.6-23.72.ia64.rpm 70e2f72dffad5ec8565dc957f5c0b111 7.2/en/os/ia64/sendmail-cf-8.11.6-23.72.ia64.rpm 8d86d83586e75cbd03f7bccdfb5b97f2 7.2/en/os/ia64/sendmail-devel-8.11.6-23.72.ia64.rpm 16eac17677891e77e8eb70bf76dac135 7.2/en/os/ia64/sendmail-doc-8.11.6-23.72.ia64.rpm 2049d17db0e321ba6028ee4a7ca2ae93 7.3/en/os/SRPMS/sendmail-8.11.6-23.73.src.rpm ce6852e4c389405bed1f498514b5fa0f 7.3/en/os/i386/sendmail-8.11.6-23.73.i386.rpm f994f26ab50b8141ec27a6b04e819d37 7.3/en/os/i386/sendmail-cf-8.11.6-23.73.i386.rpm d6da03d08cdd8e9933616c0e66841302 7.3/en/os/i386/sendmail-devel-8.11.6-23.73.i386.rpm 5fb65ba4b8e91d9d87451e2d1400411f 7.3/en/os/i386/sendmail-doc-8.11.6-23.73.i386.rpm 29d277537beb532d6b5f48ad30d81d45 8.0/en/os/SRPMS/sendmail-8.12.8-1.80.src.rpm 8bba0d1400ab2e96e3d3c78ce5015597 8.0/en/os/i386/sendmail-8.12.8-1.80.i386.rpm 55ef5ca9c777278eddd48e365ba471c2 8.0/en/os/i386/sendmail-cf-8.12.8-1.80.i386.rpm 87aecce2ae343a69fe1df716b5e89685 8.0/en/os/i386/sendmail-devel-8.12.8-1.80.i386.rpm d945b47a44597e5da06f79658e38b9d8 8.0/en/os/i386/sendmail-doc-8.12.8-1.80.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum <filename> 7. References: http://www.cert.org/advisories/CA-2003-07.html http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337 8. Contact: The Red Hat security contact is <security@redhat.com>. More contact details at http://www.redhat.com/solutions/security/news/contact.html Copyright 2003 Red Hat, Inc. _______________________________________________ Redhat-watch-list mailing list To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list