
Bug#767975: marked as done (wheezy-pu: package sendmail/8.14.4-4+deb7u1)



Your message dated Sat, 02 Apr 2016 14:22:42 +0100
with message-id <1459603362.2441.217.camel@adam-barratt.org.uk>
and subject line Fix included in oldstable
has caused the Debian Bug report #767975,
regarding wheezy-pu: package sendmail/8.14.4-4+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
767975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767975
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

there is one security bug open against sendmail that should be solved
via stable-updates, no security update needed (#750562).

I'd like to use this opportunity to cherry-pick some more bugfixes from
jessie/sid that are useful on stable, too:

sendmail (8.14.4-4+deb7u1) wheezy; urgency=medium

  * QA upload.
  * Set maintainer to Debian QA Group.  (See: #740070)
  * Merge some bugfixes from sid.
  * close_on_exec.patch: Properly set the close-on-exec flag for file
    descriptors before executing mailers, cherry-picked from sendmail 8.14.9.
    CVE-2014-3956  (Closes: #750562)
  * libmilter-assert.patch: Fix an incorrect assertion in libmilter,
    cherry-picked from sendmail 8.14.7.  (LP: #1299571)
  * Add support for OpenSSL options SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
    (backported from 8.14.8), thanks to David F. Skoll.  (Closes: #747910)
  * conf.c-ipv6.patch: Fix A-only MX CNAME interface binding issues when using
    IPv6, thanks to David F. Skoll.  (Closes: #737164) (LP: #1223633)
    (backported from 8.14.6)
  * raise-max-daemons.patch: Raise MAXDAEMONS from 10 to 64, thanks to
    Kees Cook.  (Closes: #720435)
  * Switch from deprecated 'find -perm +xxx' to 'find -perm /xxx'.
    (Closes: #724772)
  * Start sendmail after bind9 (or any other named) if it is installed.
    (Closes: #714184)
  * sendmailconfig: Add missing quoting, thanks to Stuart Sheldon.
    (Closes: #692047)
  * Fix infinite loop in update_db, thanks to Flo.  (Closes: #717951)
  * Do not ship duplicate sendmail.8 manpage.  (Closes: #709895, #597781)


Andreas
diff -u sendmail-8.14.4/debian/rules sendmail-8.14.4/debian/rules
--- sendmail-8.14.4/debian/rules
+++ sendmail-8.14.4/debian/rules
@@ -525,6 +525,7 @@
 	mv ${DEB_SRCDIR}/sendmail/sendmail.8.new \
 		${PKG_DIR}${mandir}/man8/sendmail.sendmail.8;
 	$(RM) ${DEB_SRCDIR}/sendmail/sendmail.8;
+	$(RM) ${PKG_DIR}${mandir}/man8/sendmail.8
 	# Debian stuff
 	(cd debian/sensible_mda && \
 		$(MAKE) -f Makefile install-arch \
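
Review bot: the added `$(RM) ${PKG_DIR}${mandir}/man8/sendmail.8` line has no trailing `;`, unlike every other recipe line in this hunk. It behaves the same under make, but matching the file's style avoids a surprise if the lines are ever joined with backslashes. A one-line comment that the page is already installed as sendmail.sendmail.8 by the `mv` above would explain why the file is deleted.
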
diff -u sendmail-8.14.4/debian/changelog sendmail-8.14.4/debian/changelog
--- sendmail-8.14.4/debian/changelog
+++ sendmail-8.14.4/debian/changelog
@@ -1,3 +1,31 @@
+sendmail (8.14.4-4+deb7u1) wheezy; urgency=medium
+
+  * QA upload.
+  * Set maintainer to Debian QA Group.  (See: #740070)
+  * Merge some bugfixes from sid.
+  * close_on_exec.patch: Properly set the close-on-exec flag for file
+    descriptors before executing mailers, cherry-picked from sendmail 8.14.9.
+    CVE-2014-3956  (Closes: #750562)
+  * libmilter-assert.patch: Fix an incorrect assertion in libmilter,
+    cherry-picked from sendmail 8.14.7.  (LP: #1299571)
+  * Add support for OpenSSL options SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
+    (backported from 8.14.8), thanks to David F. Skoll.  (Closes: #747910)
+  * conf.c-ipv6.patch: Fix A-only MX CNAME interface binding issues when using
+    IPv6, thanks to David F. Skoll.  (Closes: #737164) (LP: #1223633)
+    (backported from 8.14.6)
+  * raise-max-daemons.patch: Raise MAXDAEMONS from 10 to 64, thanks to
+    Kees Cook.  (Closes: #720435)
+  * Switch from deprecated 'find -perm +xxx' to 'find -perm /xxx'.
+    (Closes: #724772)
+  * Start sendmail after bind9 (or any other named) if it is installed.
+    (Closes: #714184)
+  * sendmailconfig: Add missing quoting, thanks to Stuart Sheldon.
+    (Closes: #692047)
+  * Fix infinite loop in update_db, thanks to Flo.  (Closes: #717951)
+  * Do not ship duplicate sendmail.8 manpage.  (Closes: #709895, #597781)
+
+ -- Andreas Beckmann <anbe@debian.org>  Sun, 05 Oct 2014 17:09:20 +0200
+
 sendmail (8.14.4-4) unstable; urgency=low
 
   * New maintainer. (Closes: #699117)
diff -u sendmail-8.14.4/debian/control sendmail-8.14.4/debian/control
--- sendmail-8.14.4/debian/control
+++ sendmail-8.14.4/debian/control
@@ -1,7 +1,7 @@
 Source: sendmail
 Priority: extra
 Section:  mail
-Maintainer: Jakub Safarik <jsafarik@ymail.com>
+Maintainer: Debian QA Group <packages@qa.debian.org>
 Standards-Version: 3.8.3
 Build-Depends-Indep: groff, bsdmainutils
 Build-Depends: make (>> 3.79.1-14), m4, cdbs, quilt, patchutils, dh-buildinfo, debhelper (>= 5), linux-libc-dev (>= 2.6.21-3) [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], groff, bsdmainutils, libdb-dev , libldap2-dev, libwrap0-dev, liblockfile-dev, libsasl2-dev, libssl-dev
diff -u sendmail-8.14.4/debian/patches/8.14/8.14.4/series sendmail-8.14.4/debian/patches/8.14/8.14.4/series
--- sendmail-8.14.4/debian/patches/8.14/8.14.4/series
+++ sendmail-8.14.4/debian/patches/8.14/8.14.4/series
@@ -12,0 +13,5 @@
+raise-max-daemons.patch
+conf.c-ipv6.patch
+ssl_op_no_tlsv1_x.patch
+libmilter-assert.patch
+close_on_exec.patch
diff -u sendmail-8.14.4/debian/build/debian/sendmail.init.d.in sendmail-8.14.4/debian/build/debian/sendmail.init.d.in
--- sendmail-8.14.4/debian/build/debian/sendmail.init.d.in
+++ sendmail-8.14.4/debian/build/debian/sendmail.init.d.in
@@ -3,8 +3,10 @@
 # Provides:          sendmail
 # Required-Start:    $remote_fs $network $syslog
 # Required-Stop:     $remote_fs $network $syslog
+# Should-Start:      $named
+# Should-Stop:       $named
 # Default-Start:     2 3 4 5
-# Default-Stop:      1 
+# Default-Stop:      0 1 6
 # Short-Description: powerful, efficient, and scalable Mail Transport Agent
 # Description:       Sendmail is an alternative Mail Transport Agent (MTA)
 #                    for Debian. It is suitable for handling sophisticated
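
Review bot: the `Default-Stop` line changes from `1` to `0 1 6`, but the changelog entry for this file only mentions starting after bind9 (#714184). The stop-runlevel change alters shutdown and reboot behaviour for the daemon, so it should get its own changelog line, or be dropped from a stable update if it is not needed for the `$named` ordering.
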
diff -u sendmail-8.14.4/debian/build/debian/control.m4.in sendmail-8.14.4/debian/build/debian/control.m4.in
--- sendmail-8.14.4/debian/build/debian/control.m4.in
+++ sendmail-8.14.4/debian/build/debian/control.m4.in
@@ -21,7 +21,7 @@
 [[Source: sendmail
 Priority: extra
 Section:  mail
-Maintainer: Jakub Safarik <jsafarik@ymail.com>
+Maintainer: Debian QA Group <packages@qa.debian.org>
 Standards-Version: 3.8.3
 ]]dnl # Sigh... build daemons ignore B-D-I, so replicate in B-D :(
 [[Build-Depends-Indep: groff, bsdmainutils
diff -u sendmail-8.14.4/debian/local/update_db.in sendmail-8.14.4/debian/local/update_db.in
--- sendmail-8.14.4/debian/local/update_db.in
+++ sendmail-8.14.4/debian/local/update_db.in
@@ -476,10 +476,8 @@
 	line=$(grep -Ee "^[[:space:]]*$file" \
 		@sysconfdir@/mail/databases || true);
 	while ([ "$line" != "" ]); do
-		str=$(echo "$line" | cut -d "
-" -f 1);
-		line=$(echo "$line" | cut -d "
-" -f 2-);
+		str=$(echo "$line" | head -n 1)
+		line=$(echo "$line" | tail -n +2)
 
 		# Strip line back into four pieces: feature, type, opts, name
 		dbfeat=$(echo "$str" | cut -d ":" -f 1);
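
Review bot: the new `str=$(echo "$line" | head -n 1)` and `line=$(echo "$line" | tail -n +2)` still feed file content through `echo`, which interprets backslash sequences under some /bin/sh implementations and treats a leading `-n` as an option. Since `$line` comes from grep over @sysconfdir@/mail/databases, `printf '%s\n' "$line"` would be safer in both lines. The head/tail split itself does terminate the loop, because `tail -n +2` of a single line is empty.
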
diff -u sendmail-8.14.4/debian/local/sendmailconfig.in sendmail-8.14.4/debian/local/sendmailconfig.in
--- sendmail-8.14.4/debian/local/sendmailconfig.in
+++ sendmail-8.14.4/debian/local/sendmailconfig.in
@@ -90,7 +90,7 @@
 	};
 
 input() {
-	local q="$1" def=$(eval "echo -n \$$2");
+	local q="$1" def="$(eval "echo -n \$$2")";
 
 	echo -n "$q? [$def] ";
 	read REPLY
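
Review bot: in `def="$(eval "echo -n \$$2")"` the outer quotes stop `local` from splitting the result, but the expansion inside the eval is still unquoted, so a default value containing runs of whitespace or glob characters is altered before `echo` sees it. Quoting the inner expansion, for example `eval "echo -n \"\$$2\""`, closes that gap. `$2` is also evaluated as a variable name without any check, which is fine only as long as every caller passes a literal name.
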
diff -u sendmail-8.14.4/debian/local/update_sys.in sendmail-8.14.4/debian/local/update_sys.in
--- sendmail-8.14.4/debian/local/update_sys.in
+++ sendmail-8.14.4/debian/local/update_sys.in
@@ -117,7 +117,7 @@
 #
 # With the MSP/MTA split, we don't want any g=w files or directories
 # to save us from potential sgid attacks
-find @sysconfdir@/mail -perm +g=w \( -type f -o -type d \) -print \
+find @sysconfdir@/mail -perm /g=w \( -type f -o -type d \) -print \
 	| xargs -r chmod g-w,o-w;
 
 #------------------------------------------------------------------------------
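
Review bot: the test `-perm /g=w` selects only group-writable entries, while the action is `chmod g-w,o-w`; a file under @sysconfdir@/mail that is other-writable but not group-writable is never matched and keeps its `o+w` bit. If the intent is the one in the comment plus removing world write, the test should be `-perm /g=w,o=w`. The `-print | xargs -r` pipe also mis-handles names containing whitespace; `-exec chmod g-w,o-w {} +` avoids that.
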
@@ -242,7 +242,7 @@
 	fi;
 chown smmsp:smmsp @localstatedir@/spool/mqueue-client;
 chmod 02770 @localstatedir@/spool/mqueue-client;
-find @localstatedir@/spool/mqueue-client -perm +o=r -print \
+find @localstatedir@/spool/mqueue-client -perm /o=r -print \
 	| xargs -r chmod o-rwx;
 
 #-----------------------------------------------------------------------------
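
Review bot: `-perm /o=r` matches only entries that are other-readable, but the following `chmod o-rwx` is meant to strip all access for others; an entry in mqueue-client that is `o+w` or `o+x` without `o+r` is skipped. `-perm /o=rwx` would make the test agree with the action.
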
diff -u sendmail-8.14.4/debian/local/bug/sendmail/script.in sendmail-8.14.4/debian/local/bug/sendmail/script.in
--- sendmail-8.14.4/debian/local/bug/sendmail/script.in
+++ sendmail-8.14.4/debian/local/bug/sendmail/script.in
@@ -19,7 +19,7 @@
 DEBUG=0;
 
 # Announce 
-printf "Ouput of $0:\n" >&3;
+printf "Output of $0:\n" >&3;
 
 # Show files in /etc/mail
 printf "\nls -alR /etc/mail:\n" >&3;
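
Review bot: the corrected line `printf "Output of $0:\n" >&3;` still places `$0` inside the printf format string, so a `%` or backslash in the script path is interpreted as a format directive. `printf 'Output of %s:\n' "$0" >&3;` fixes the typo and that in one step.
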
only in patch2:
unchanged:
--- sendmail-8.14.4.orig/debian/gbp.conf
+++ sendmail-8.14.4/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+upstream-branch = upstream-tar-in-tar
+debian-branch = wheezy
only in patch2:
unchanged:
--- sendmail-8.14.4.orig/debian/patches/8.14/8.14.4/ssl_op_no_tlsv1_x.patch
+++ sendmail-8.14.4/debian/patches/8.14/8.14.4/ssl_op_no_tlsv1_x.patch
@@ -0,0 +1,31 @@
+Date: Mon, 12 May 2014 15:52:30 -0400
+From: "David F. Skoll" <dfs@roaringpenguin.com>
+Subject: Please add support for additional OpenSSL options SSL_OP_NO_TLSv1_2
+ and SSL_OP_NO_TLSv1_1
+
+Sendmail on Wheezy sometimes has interoperability problems with other
+SSL implementations.  Some of these can be fixed by disabling TLS 1.1
+and TLS 1.2.  Sendmail 8.14.8 supports SSL options to do this, but
+Sendmail 8.14.4-4 does not.  Could we backport this patch from 8.14.8 to
+8.14.4-4 so that we can use SSL_OP_NO_TLSv1_2 and SSL_OP_NO_TLSv1_1 ?
+
+Regards,
+
+David.
+
+
+--- a/sendmail/readcf.c
++++ b/sendmail/readcf.c
+@@ -2335,6 +2335,12 @@ static struct ssl_options
+ #ifdef SSL_OP_NO_TLSv1
+ 	{ "SSL_OP_NO_TLSv1",	SSL_OP_NO_TLSv1	},
+ #endif /* SSL_OP_NO_TLSv1 */
++#ifdef SSL_OP_NO_TLSv1_2
++	{ "SSL_OP_NO_TLSv1_2",	SSL_OP_NO_TLSv1_2	},
++#endif
++#ifdef SSL_OP_NO_TLSv1_1
++	{ "SSL_OP_NO_TLSv1_1",	SSL_OP_NO_TLSv1_1	},
++#endif
+ #ifdef SSL_OP_PKCS1_CHECK_1
+ 	{ "SSL_OP_PKCS1_CHECK_1",	SSL_OP_PKCS1_CHECK_1	},
+ #endif /* SSL_OP_PKCS1_CHECK_1 */
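
Review bot: the two added `#endif` lines in readcf.c omit the trailing comment that the neighbouring entries carry (`#endif /* SSL_OP_NO_TLSv1 */`), and the TLSv1_2 entry is listed before TLSv1_1; matching the existing style and order would keep the table easy to scan. The patch header is the original request mail rather than a description of the change, so an origin line naming 8.14.8 would help. Since setting both options leaves TLS 1.0 as the highest version the daemon will negotiate, the user-facing documentation for these option names should say so.
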
only in patch2:
unchanged:
--- sendmail-8.14.4.orig/debian/patches/8.14/8.14.4/raise-max-daemons.patch
+++ sendmail-8.14.4/debian/patches/8.14/8.14.4/raise-max-daemons.patch
@@ -0,0 +1,17 @@
+Description: hard-coded "10" is not enough to listen on both IPv4 and IPv6
+ with a minimal configuration of MTA, MSA, and MSASSL on both localhost
+ and primary interface (12 daemons). Raise limit to 64.
+Author: Kees Cook <kees@debian.org>
+
+diff -uNrp sendmail-8.14.4~/sendmail/conf.h sendmail-8.14.4/sendmail/conf.h
+--- sendmail-8.14.4~/sendmail/conf.h	2009-03-25 13:04:00.000000000 -0700
++++ sendmail-8.14.4/sendmail/conf.h	2013-08-21 12:00:19.385335378 -0700
+@@ -112,7 +112,7 @@ struct rusage;	/* forward declaration to
+ #ifndef MAXHDRSLEN
+ # define MAXHDRSLEN	(32 * 1024)	/* max size of message headers */
+ #endif /* ! MAXHDRSLEN */
+-#define MAXDAEMONS	10		/* max number of ports to listen to */
++#define MAXDAEMONS	64		/* max number of ports to listen to */
+ #ifndef MAXINTERFACES
+ # define MAXINTERFACES	512		/* number of interfaces to probe */
+ #endif /* MAXINTERFACES */
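
Review bot: the changed `#define MAXDAEMONS 64` stays unconditional, while the `MAXHDRSLEN` and `MAXINTERFACES` definitions on either side are wrapped in `#ifndef`. Guarding it the same way would let a site raise the limit at build time instead of needing another patch the next time 64 is not enough.
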
only in patch2:
unchanged:
--- sendmail-8.14.4.orig/debian/patches/8.14/8.14.4/libmilter-assert.patch
+++ sendmail-8.14.4/debian/patches/8.14/8.14.4/libmilter-assert.patch
@@ -0,0 +1,15 @@
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sendmail/+bug/1299571
+
+--- sendmail-8.14.4/libmilter/worker.c	2009-06-15 17:34:54.000000000 +0200
++++ sendmail-8.14.8/libmilter/worker.c	2013-11-22 21:51:37.000000000 +0100
+@@ -165,7 +166,9 @@
+ {
+ 	static long id = 0;
+ 
+-	SM_ASSERT(Tskmgr.tm_signature == TM_SIGNATURE);
++	/* this can happen if the milter is shutting down */
++	if (Tskmgr.tm_signature != TM_SIGNATURE)
++		return MI_FAILURE;
+ 	SM_ASSERT(ctx != NULL);
+ 	POOL_LEV_DPRINTF(4, ("PIPE r=[%d] w=[%d]", RD_PIPE, WR_PIPE));
+ 	TASKMGR_LOCK();
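
Review bot: the file headers of this patch name `sendmail-8.14.8/libmilter/worker.c` as the new side, while the changelog says the fix is cherry-picked from sendmail 8.14.7; one of the two should be corrected, and the patch would benefit from a Description and Origin line next to the existing Bug-Ubuntu field. Also worth confirming: the new `Tskmgr.tm_signature != TM_SIGNATURE` check runs before `TASKMGR_LOCK()`, so a shutdown that begins between the check and the lock is not covered by it.
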
only in patch2:
unchanged:
--- sendmail-8.14.4.orig/debian/patches/8.14/8.14.4/conf.c-ipv6.patch
+++ sendmail-8.14.4/debian/patches/8.14/8.14.4/conf.c-ipv6.patch
@@ -0,0 +1,91 @@
+Description: correctly limit lookups to the same address family
+Author: Claus Assmann
+
+--- sendmail-8.14.4~/sendmail/conf.c.8144	Tue Sep 10 09:46:16 2013
++++ sendmail-8.14.4/sendmail/conf.c	Tue Sep 10 09:46:53 2013
+@@ -4231,7 +4231,18 @@
+ 	h = gethostbyname(name);
+ 	if (!resv6)
+ 		_res.options &= ~RES_USE_INET6;
+-	*err = h_errno;
++
++	/* the function is supposed to return only the requested family */
++	if (h != NULL && h->h_addrtype != family)
++	{
++# if NETINET6
++		freehostent(h);
++# endif /* NETINET6 */
++		h = NULL;
++		*err = NO_DATA;
++	}
++	else
++		*err = h_errno;
+ 	return h;
+ }
+ 
+@@ -4355,6 +4366,17 @@
+ 		}
+ 	}
+ #endif /* (SOLARIS > 10000 && SOLARIS < 20400) || (defined(SOLARIS) && SOLARIS < 204) || (defined(sony_news) && defined(__svr4)) */
++
++	/* the function is supposed to return only the requested family */
++	if (h != NULL && h->h_addrtype != family)
++	{
++# if NETINET6
++		freehostent(h);
++# endif /* NETINET6 */
++		h = NULL;
++		SM_SET_H_ERRNO(NO_DATA);
++	}
++
+ 	if (tTd(61, 10))
+ 	{
+ 		if (h == NULL)
+@@ -4364,13 +4386,12 @@
+ 			sm_dprintf("%s\n", h->h_name);
+ 			if (tTd(61, 11))
+ 			{
++				struct in_addr ia;
++				size_t i;
+ #if NETINET6
+ 				struct in6_addr ia6;
+ 				char buf6[INET6_ADDRSTRLEN];
+-#else /* NETINET6 */
+-				struct in_addr ia;
+ #endif /* NETINET6 */
+-				size_t i;
+ 
+ 				if (h->h_aliases != NULL)
+ 					for (i = 0; h->h_aliases[i] != NULL;
+@@ -4381,16 +4402,23 @@
+ 				{
+ 					char *addr;
+ 
++					addr = NULL;
+ #if NETINET6
+-					memmove(&ia6, h->h_addr_list[i],
+-						IN6ADDRSZ);
+-					addr = anynet_ntop(&ia6,
+-							   buf6, sizeof(buf6));
+-#else /* NETINET6 */
+-					memmove(&ia, h->h_addr_list[i],
+-						INADDRSZ);
+-					addr = (char *) inet_ntoa(ia);
++					if (h->h_addrtype == AF_INET6)
++					{
++						memmove(&ia6, h->h_addr_list[i],
++							IN6ADDRSZ);
++						addr = anynet_ntop(&ia6,
++							buf6, sizeof(buf6));
++					}
++					else
+ #endif /* NETINET6 */
++					/* "else" in #if code above */
++					{
++						memmove(&ia, h->h_addr_list[i],
++							INADDRSZ);
++						addr = (char *) inet_ntoa(ia);
++					}
+ 					if (addr != NULL)
+ 						sm_dprintf("\taddr: %s\n", addr);
+ 				}
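
Review bot: in the first conf.c hunk, `h` is obtained from `gethostbyname(name)` and then released with `freehostent(h)` under `# if NETINET6`. Please confirm that the `freehostent` in scope at that point accepts a `gethostbyname` result, and say so in a comment, because a platform `freehostent` expects memory from the getipnodeby* family. The same family-check block appears twice (once setting `*err = NO_DATA`, once using `SM_SET_H_ERRNO(NO_DATA)`); a small helper would keep the two copies from drifting. The patch header should also reference #737164.
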
only in patch2:
unchanged:
--- sendmail-8.14.4.orig/debian/patches/8.14/8.14.4/close_on_exec.patch
+++ sendmail-8.14.4/debian/patches/8.14/8.14.4/close_on_exec.patch
@@ -0,0 +1,13 @@
+--- sendmail-8.14.8/sendmail/conf.c	2014-01-08 18:03:14.000000000 +0100
++++ sendmail-8.14.9/sendmail/conf.c	2014-05-20 19:24:39.000000000 +0200
+@@ -5309,8 +5309,8 @@
+ */
+ 
+ void
+-sm_close_on_exec(highest, lowest)
+-	int highest, lowest;
++sm_close_on_exec(lowest, highest)
++	int lowest, highest;
+ {
+ #if HASFDWALK
+ 	(void) fdwalk(closefd_walk, &lowest);
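
Review bot: this is the fix for CVE-2014-3956, yet the patch file has no header at all: no Description, no Origin, no CVE or bug reference. Please add one stating that the parameter order of `sm_close_on_exec` was reversed relative to its callers and that the change comes from 8.14.9. Because the definition is K&R style with two `int` parameters (`sm_close_on_exec(lowest, highest)`), the compiler cannot detect a swapped call, so any prototype for this function and every call site should be checked against the new order as part of the review.
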

--- End Message ---
--- Begin Message ---
Version: 7.10

Hi,

The updates referenced in these bugs were included in today's wheezy
point release.

Regards,

Adam

--- End Message ---
