RHSA-2007:0252-02 Low: sendmail security and bug fix update
Posted on: 05/01/2007 07:10 PM

A new update is available for Red Hat Enterprise Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Low: sendmail security and bug fix update
Advisory ID: RHSA-2007:0252-02
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0252.html
Issue date: 2007-05-01
Updated on: 2007-05-01
Product: Red Hat Enterprise Linux
Keywords: localhost.localdomain CipherList
CVE Names: CVE-2006-7176
- ---------------------------------------------------------------------

1. Summary:

Updated sendmail packages that fix a security issue and various bugs are now
available for Red Hat Enterprise Linux 4.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver
mail from one machine to another. Sendmail is not a client program, but
rather a behind-the-scenes daemon that moves email over networks or the
Internet to its final destination.

The configuration of Sendmail on Red Hat Enterprise Linux was found to not
reject the "localhost.localdomain" domain name for e-mail messages that
came from external hosts. This could have allowed remote attackers to
disguise spoofed messages (CVE-2006-7176).

This updated package also fixes the following bugs:

* Infinite loop within tls_read.

* Incorrect path to selinuxenabled in initscript.

* Build artifacts from sendmail-cf package.

* Missing socketmap support.

* Add support for CipherList configuration directive.

* Path for aliases file.

* Failure to shut down sm-client.

* Allows specifying persistent queue runners.

* Missing dnl for SMART_HOST define.

* Fixes connections that stay in CLOSE_WAIT.

All users of Sendmail should upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

121850 - [PATCH] infinite loop within tls_read
152282 - Incorrect path to selinuxenabled in /etc/init.d/sendmail
152955 - sendmail-cf contains rpm build artifacts
156191 - Changelog says 'Socketmap Supported' but it's not compiled in.
166744 - aliases man page specifies incorrect location of aliases file
171838 - CVE-2006-7176 sendmail allows external mail with from address xxx@localhost.localdomain
172352 - Sendmail allows SSLv2 during STARTTLS, and the CipherList config option isn't supported so you can't turn it off
200920 - shutting down sm-client fails
200921 - [PATCH] method to specify persistent queue runners?
200923 - sendmail.mc missing dnl on SMART_HOST define

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7176
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFGN36LXlSAg2UNWIIRAjveAKC0ttgu3abJRu/ZICLYyWSzF4vw7wCcC7ny
ffNmqP2G+OjdrmBW0HgeGtA=
=GJbo
-----END PGP SIGNATURE-----
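
Added example, not part of the Red Hat advisory: a log check for the condition described under CVE-2006-7176, flagging mail whose envelope sender is in "localhost.localdomain" but whose relay address is not loopback. It assumes sendmail's usual syslog "from=" record layout; the log lines, host names, queue IDs and function names are constructed for illustration.

```python
import ipaddress
import re

# Sendmail "from=" record: queue id, envelope sender, relay name and bracketed IP.
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,\s]*)>?,"
    r".*\brelay=(?P<relay>[^\[,]*?)\s*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]"
)
SPOOFABLE_DOMAIN = "localhost.localdomain"

def is_external(ip_text):
    """True when the relay address is not a loopback address."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # handles ::ffff:127.0.0.1
    return not (mapped or ip).is_loopback

def find_spoofed(lines):
    """Return (queue id, sender, relay IP) for each suspicious message."""
    hits = []
    for line in lines:
        m = FROM_RE.search(line)
        if not m:
            continue  # local submissions log relay=user@localhost with no IP
        sender = m["sender"].lower().rstrip(".")
        domain = sender.rpartition("@")[2]
        if domain == SPOOFABLE_DOMAIN and is_external(m["ip"]):
            hits.append((m["qid"], sender, m["ip"]))
    return hits

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    "May  1 19:02:11 mx1 sendmail[4021]: l41N2BqX004021: "
    "from=<billing@localhost.localdomain>, size=1843, class=0, nrcpts=1, "
    "proto=ESMTP, daemon=MTA, relay=unknown.example.net [203.0.113.45]",
    "May  1 19:02:40 mx1 sendmail[4030]: l41N2eR1004030: "
    "from=<apache@localhost.localdomain>, size=512, class=0, nrcpts=1, "
    "proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]",
    "May  1 19:03:02 mx1 sendmail[4044]: l41N32Zk004044: from=root, "
    "size=301, class=0, nrcpts=1, relay=root@localhost",
    "May  1 19:03:15 mx1 sendmail[4050]: l41N3FaB004050: "
    "from=<alice@example.org>, size=2210, class=0, nrcpts=1, "
    "proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.20]",
    "May  1 19:04:09 mx1 sendmail[4061]: l41N49cD004061: "
    "from=<Admin@LOCALHOST.LOCALDOMAIN>, size=990, class=0, nrcpts=2, "
    "proto=SMTP, daemon=MTA, relay=[198.51.100.9]",
]

if __name__ == "__main__":
    for qid, sender, ip in find_spoofed(SAMPLE_LOG):
        print(f"{qid}: {sender} accepted from external relay {ip}")
```

Hits in logs that predate the update show messages the old configuration accepted; hits afterwards suggest the running configuration was not regenerated from the updated package.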



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/rhsa_20070252_02_low_sendmail_security_and_bug_fix_update.html)