Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability

Solution:
The vendor has released Sendmail 8.12.10 to address this issue. Administrators are advised to upgrade if possible. A patch is also available which can be applied to other versions.

Sun has released fixes to address this vulnerability in Sun Linux 5.0.7. Users who are affected by this issue are advised to apply relevant fixes as soon as possible. Please see the Sun reference (Sun Linux Support - Sun Linux Patches (Sun)) for further details regarding obtaining and applying appropriate fixes.

HP has released an advisory HPSBUX0309-281 to address this issue. Please see the referenced advisory for more information.

HP has issued an early release patch (t64kit0020132-v40gb22-es-20031001.tar) and a related readme (t64kit0020132-v40gb22-es-20031001.README) to address this issue in Tru64 4.0G systems. On October 22 of 2003, HP released t64v51ab-ix-553-sendmail-ssrt3631.README for Tru64, which contains updated fixes for Tru64 UNIX 5.1B PK2 (BL22), and t64v51ab-ix-586-sendmail-ssrt3631 and t64v51ab-ix-594-sendmail-ssrt3631 for Tru64 UNIX 5.0A. See referenced readmes for further details.

HP has released a revised advisory HPSBUX0309-281 to address this issue. HP has also released an advisory (SSRT3631) for Tru64 UNIX. An advisory corresponding to DUXKIT0020136-V40FB22-ES-20031001 for Tru64 UNIX has also been released. Please see the referenced advisories for further details.

New Tru64 advisories were released October 9, 2003 with new download links for patches. An additional Tru64 advisory (corresponding to T64V51AB21-C0112900-17770-ES-20030402) was also released October 10, 2003 that provides new download links for 5.1A fixes. Another Tru64 advisory (corresponding to T64V40GB17-C0029200-17810-ES-20030403) was released October 13, 2003 that provides new download links for updated 4.0G fixes. HP has released an updated advisory (t64kit0020139-v51b20-es-20031001) for HP Tru64 UNIX 5.1 PK6. Please see the referenced advisories for further information regarding updating and applying fixes.

SGI has released an advisory (20030903-01-P) to address this issue. Users are advised to download and apply a relevant patch as soon as possible. Further information relating to obtaining and applying appropriate fixes is available in the referenced advisory. Fixes are linked below.

Conectiva has released an advisory (CLA-2003:742) to address this issue. Users are advised to download and apply the relevant fixes as soon as possible. Further information relating to obtaining and applying appropriate fixes is available in the referenced advisory.

Turbolinux has released an advisory (TLSA-2003-52) to address this issue. Users are advised to download and apply a relevant fix as soon as possible. Further information relating to obtaining and applying appropriate fixes is available in the referenced advisory.

Yellow Dog Linux has released an advisory (YDU-20030917-2) to address this issue. Users are advised to download and apply a relevant fix as soon as possible. Further information relating to obtaining and applying appropriate fixes is available in the referenced advisory. Fixes are linked below.

Gentoo Linux has released an advisory (200309-13) to address this issue for Gentoo Linux users. Users who are running net-mail/sendmail are advised to upgrade to sendmail-8.2.10 by issuing the following commands as root:

emerge sync
emerge sendmail
emerge clean

Immunix has released an advisory (IMNX-2003-7+-021-01) to address this issue. Users are advised to download and apply a relevant fix as soon as possible. Further information relating to obtaining and applying appropriate fixes is available in the referenced advisory. Fixes are linked below.

FreeBSD has released an advisory (FreeBSD-SA-03:13.sendmail) to address this issue. Users are advised to download and apply the relevant patch as soon as possible. Further information relating to obtaining and applying appropriate patches is available in the referenced advisory.

Debian has issued fixes for this vulnerability that are listed in advisory [DSA-384-1] (see reference section).

Red Hat has issued fixes, listed in [RHSA-2003:283-01] (see reference section).

OpenPKG has released an advisory (OpenPKG-SA-2003.041) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva has released an advisory (CLA-2003:746) to address this issue for CLEE 1.0. Users are advised to download and apply the relevant fixes as soon as possible. Please see the referenced advisory for more information.

SuSE has released an advisory SuSE-SA:2003:040 to address this issue. Please see the referenced advisory for more information.

Sun has released an alert for Solaris to address this issue. Affected users are advised to apply an available patch. Sun has also released an alert for Sun Linux advising disabling sendmail on affected systems. See referenced advisories for additional details.

Apple has released security advisory APPLE-SA-2003-09-22 to address this issue. See referenced advisory for additional details.

IBM has issued an advisory. APARs to address this issue are available.

See the advisory, MSS-OAR-E01-2003:1235.1, in the reference section for complete installation details.

NetBSD has stated versions 1.5 through 1.6.1 are affected by this issue if sendmail is enabled, which is not the default configuration. See referenced advisory for additional details.

HP advisory SSRT3631 revision 2 has been released to address this issue. See referenced advisory for further details regarding obtaining and applying fixes. Additional fixes are available for HP Tru64 UNIX (IX) Internet Express systems that are running sendmail versions 8.9.3 through 8.12.9.

SCO has released a security advisory for OpenLinux (CSSA-2003-036.0) which contains fixes to address this issue. Further information on how to obtain and apply fixes can be found in the referenced advisory.

Revised HP advisory SSRT3631 has been released to address this issue.

Sun has released an update to address this in Sun RaQ550. Please see the referenced web page for more information.

IBM is said to have released APARs to address this issue. Further information can be obtained by contacting the vendor.

Revised HP advisory has been released to address this issue.

Sun has released an update to address this in Sun RaQXTR. Please see the referenced web page for more information.

Sun has released an update to address this in Sun Qube3. Please see the referenced web page for more information.

Sun has released an updated RaQ4 fix.

Revised HP advisory HPSBUX0309-281: SSRT3631 Rev.7 has been released to address this issue.

Revised HP advisory HPSBUX0309-281: SSRT3631 Rev.8 has been released to address this issue.

SCO has released a security advisory for OpenServer (SCOSA-2004.11) along with fixes to address this issue. Further information on how to obtain and apply fixes can be found in the referenced advisory.


Sun Solaris 8_sparc

IBM AIX 5.1

Sun Solaris 7.0

HP HP-UX 11.0 4

HP HP-UX 11.22

Compaq Tru64 4.0 g

FreeBSD FreeBSD 4.7 -RELENG

Sun Linux 5.0.7

FreeBSD FreeBSD 5.1 -RELENG

FreeBSD FreeBSD 5.1 -RELEASE-p5

SGI IRIX 6.5.16

SGI IRIX 6.5.17 m

SGI IRIX 6.5.19 f

SGI IRIX 6.5.20 f

SGI IRIX 6.5.20 m

SGI IRIX 6.5.21 m

Sendmail Consortium Sendmail 8.10

Sendmail Consortium Sendmail 8.10.1

Sendmail Consortium Sendmail 8.11

Sendmail Consortium Sendmail 8.11.2

Sendmail Consortium Sendmail 8.11.3

Sendmail Consortium Sendmail 8.11.4

Sendmail Consortium Sendmail 8.11.5

Sendmail Consortium Sendmail 8.11.6

Sendmail Consortium Sendmail 8.12 beta12

Sendmail Consortium Sendmail 8.12 beta5

Sendmail Consortium Sendmail 8.12.1

Sendmail Consortium Sendmail 8.12.3

Sendmail Consortium Sendmail 8.12.7

Sendmail Consortium Sendmail 8.12.8

Sendmail Consortium Sendmail 8.9 .0

Sendmail Consortium Sendmail 8.9.2

Sendmail Consortium Sendmail 8.9.3

Copyright 2010, SecurityFocus