
Re: dsa-257



Affected Packages: sendmail, sendmail-wide

   Mark Dowd of ISS X-Force found a bug in the header parsing routines
of sendmail: it could overflow a buffer when encountering
addresses with very long comments. Since sendmail also parses headers
when forwarding emails, this vulnerability can hit mail-servers which do
not deliver the email as well.

   This has been fixed in upstream release 8.12.8. Updated sendmail
packages are available in version 8.12.3-5 for Debian 3.0 (woody) and
version 8.9.3-25 for Debian 2.2 (potato). Updated sendmail-wide
packages are available in package version 8.9.3+3.2W-24 for
Debian 2.2 (potato) and version 8.12.3+3.5Wbeta-5.2 for Debian 3.0
(woody).

...then just stick all the urls in the appropriate place. See zlib
advisory (dsa 122) for a precedent for a large number of packages
affected by a single security problem.

Mike Stone


