Re: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail (fwd)
(See also the bugs from the CC).
I believe that Debian should be somehow put on the CERT vendor list:
they give the vendors more advance warning on the security issues before
they issue an advisory, allowing them to issue an emergency patch.
Does anybody on this list (debian-security) have any ties with CERT
to do it?
----- Original Message -----
From: "Ramon Kagan" <rkagan@yorku.ca>
To: <debian-security@lists.debian.org>
Sent: Monday, March 03, 2003 4:00 PM
Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail (fwd)
> Hi,
>
> I don't see Debian listed in the notification list at the bottom of the
> CERT Advisory. Is there any estimate on the release of patched sendmail
> packages?
>
> Ramon Kagan
[snip]
>
> ---------- Forwarded message ----------
> Date: Mon, 3 Mar 2003 13:06:09 -0500
> From: CERT Advisory <cert-advisory@cert.org>
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
>
> Original release date: March 3, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Sendmail Pro (all versions)
> * Sendmail Switch 2.1 prior to 2.1.5
> * Sendmail Switch 2.2 prior to 2.2.5
> * Sendmail Switch 3.0 prior to 3.0.3
> * Sendmail for NT 2.X prior to 2.6.2
> * Sendmail for NT 3.0 prior to 3.0.3
> * Systems running open-source sendmail versions prior to 8.12.8,
> including UNIX and Linux systems
>
[snip]
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Security Update 2003-03-03 is available to fix this issue. Packages
> are available for Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be
> noted that sendmail is not enabled by default on Mac OS X, so only
> those systems which have explicitly enabled it are susceptible to the
> vulnerability. All customers of Mac OS X, however, are encouraged to
> apply this update to their systems.
>
> Avaya, Inc.
>
> Avaya is aware of the vulnerability and is investigating impact. As
> new information is available this statement will be updated.
>
> BSD/OS
>
> Wind River Systems has created patches for this problem which are
> available from the normal locations for each release. The relevant
> patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform
> for Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for
> BSD/OS 4.2 systems.
>
> Cisco Systems
>
> Cisco is investigating this issue. If we determine any of our products
> are vulnerable that information will be available at:
> http://www.cisco.com/go/psirt
>
> Cray Inc.
>
> The code supplied by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp
> may be vulnerable. Cray has opened SPRs 724749 and 724750 to
> investigate.
>
> Cray, Inc. is not vulnerable for the MTA systems.
>
> Hewlett-Packard Company
>
> SOURCE:
> Hewlett-Packard Company
> HP Services
> Software Security Response Team
>
> x-ref: SSRT3469 sendmail
>
> HP will provide notice of the availability of patches through standard
> security bulletin announcements and be available from your normal HP
> Services support channel.
>
> IBM Corporation
>
> The AIX operating system is vulnerable to the sendmail issues
> discussed in releases 4.3.3, 5.1.0 and 5.2.0.
>
> A temporary patch is available through an efix package which can be
> found at
> ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z
>
> IBM will provide the following official fixes:
>
> APAR number for AIX 4.3.3: IY40500 (available approx. 03/12/2003)
> APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003)
> APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003)
>
> Openwall GNU/*/Linux
>
> Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not
> sendmail.
>
> Red Hat Inc.
>
> Updated sendmail packages that are not vulnerable to this issue are
> available for Red Hat Linux, Red Hat Advanced Server, and Red Hat
> Advanced Workstation. Red Hat Network users can update their systems
> using the 'up2date' tool.
>
> Red Hat Linux:
>
> http://rhn.redhat.com/errata/RHSA-2003-073.html
>
> Red Hat Linux Advanced Server, Advanced Workstation:
>
> http://rhn.redhat.com/errata/RHSA-2003-074.html
>
> SGI
>
> SGI acknowledges VU#398025 reported by CERT and has released an
> advisory to address the vulnerability on IRIX.
>
> Refer to SGI Security Advisory 20030301-01-P available from
> ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
> or http://www.sgi.com/support/security/.
>
> The Sendmail Consortium
>
> The Sendmail Consortium suggests that sites upgrade to 8.12.8 if
> possible. Alternatively, patches are available for 8.9, 8.10, 8.11,
> and 8.12 on http://www.sendmail.org/
>
> Sendmail, Inc.
>
> All commercial releases including Sendmail Switch, Sendmail Advanced
> Message Server (which includes the Sendmail Switch MTA), Sendmail for
> NT, and Sendmail Pro are affected by this issue. Patch information is
> available at http://www.sendmail.com/security.
[snip]
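A quick way to screen a fleet of MTAs against the 8.12.8 threshold the advisory gives for open-source sendmail, as an added example written for this thread (not code from CERT, Debian or the Sendmail Consortium; the host names and SMTP greetings are constructed):

```python
import re
from typing import Optional, Tuple

# First open-source sendmail release the advisory lists as not affected.
FIXED_VERSION = "8.12.8"

# Sendmail's SMTP greeting has the form:
#   220 host ESMTP Sendmail <version>/<config version>; <date>
BANNER_RE = re.compile(r"\bSendmail (\d+(?:\.\d+)*)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.12.7' into (8, 12, 7) so comparison is numeric.
    Plain string comparison gets this wrong: '8.9.3' > '8.12.8' as text."""
    return tuple(int(p) for p in text.split("."))

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is prior to the fixed release."""
    return parse_version(version) < parse_version(fixed)

def check_banner(banner: str) -> Optional[Tuple[str, bool]]:
    """Extract the sendmail version from a greeting; None if not sendmail.
    Returns (version, flagged_by_version)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = m.group(1)
    return version, is_vulnerable(version)

# Constructed sample greetings (hypothetical hosts, not real systems).
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Sendmail 8.12.7/8.12.7; Mon, 3 Mar 2003 14:00:00 -0500",
    "220 mx2.example.test ESMTP Sendmail 8.9.3/8.9.3; Mon, 3 Mar 2003 14:00:01 -0500",
    "220 mx3.example.test ESMTP Sendmail 8.12.8/8.12.8; Mon, 3 Mar 2003 14:00:02 -0500",
    "220 mx4.example.test ESMTP Postfix",
]

def triage(banners):
    """Map each host (second token of the greeting) to its verdict."""
    return {b.split()[1]: check_banner(b) for b in banners}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(host, verdict)
```

A banner match is only a screening signal: distributions such as Debian and Red Hat backport the fix without bumping the upstream version string, so a flagged host must be confirmed against the installed package and the vendor's errata (for example RHSA-2003-073 above).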