Subject: sendmail 8.11.0.Beta3 available for testing
From: Gregory Neil Shapiro (sendmail+gshapiroSendmail.ORG)
Date: Wed Jun 07 2000 - 22:47:26 CDT


-----BEGIN PGP SIGNED MESSAGE-----

A new beta version of sendmail 8.11.0 has been released which includes the
fix to detect the Linux kernel security problem (from 8.10.2). The release
also contains bug fixes to problems reported with the last beta release.

The release is available from:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.0.Beta3.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.0.Beta3.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.0.Beta3.tar.sig

with MD5 signatures:

1f90e21335052c49b0b6d716db7281de sendmail.8.11.0.Beta3.tar.Z
5a1ae23ca0e05dfe83d89a9dd1bad802 sendmail.8.11.0.Beta3.tar.gz
2b4e164c8df76e318f41cce5119af9eb sendmail.8.11.0.Beta3.tar.sig

You only need one of the first two files (either the gzip'ed version or the
compressed version). The .sig file is a PGP signature of the tar file
(after uncompressing it). It is signed with the Sendmail Signing Key/2000,
available on the web site (http://www.sendmail.org/) or on the public key
servers.

Since sendmail 8.11 and later releases include hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

   PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
   SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
   TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
   PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
   COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
   SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
   YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
   AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
   ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

For your convenience, the current release notes for 8.11.0 are included
below.

8.11.0/8.11.0 2000/06/??
        Support SMTP Service Extension for Secure SMTP (RFC 2487) (STARTTLS).
                Implementation influenced by the example programs of
                OpenSSL and the work of Lutz Jaenicke of TU Cottbus.
        New DontBlameSendmail option InsufficientEntropy for systems which
                don't properly seed the PRNG for OpenSSL but want to
                try to use STARTTLS despite the security problems.
        Support the security layer in SMTP AUTH for mechanisms which
                support encryption. Based on code contributed by Tim
                Martin of CMU.
        LDAP's -1 (single match only) flag was not honored if the -z
                (delimiter) flag was not given. Problem noted by ST Wong of
                the Chinese University of Hong Kong. Fix from Mark Adamson
                of CMU.
        Add more protection from accidentally tripping OpenLDAP 1.X's
                ld_errno == LDAP_DECODING_ERROR hack on ldap_next_attribute().
                Suggested by Kurt Zeilenga of OpenLDAP.
        Fix the default family selection for DaemonPortOptions. As
                documented, unless a family is specified in a
                DaemonPortOptions option, "inet" is the default. It is
                also the default if no DaemonPortOptions value is set.
                Therefore, IPv6 users should configure additional sockets
                by adding DaemonPortOptions settings with Family=inet6 if
                they wish to also listen on IPv6 interfaces. Problem noted
                by Jun-ichiro itojun Hagino of the KAME Project.
        Set ${if_family} when setting ${if_addr} and ${if_name} to reflect
                the interface information for an outgoing connection.
                Not doing so was creating a mismatch between the socket
                family and address used in subsequent connections if the
                M=b modifier was set in DaemonPortOptions. Problem noted
                by John Beck of Sun Microsystems.
        If DaemonPortOptions modifier M=b is used, determine the socket
                family based on the IP address. ${if_family} is no longer
                persistent (i.e., saved in qf files). Patch from John Beck
                of Sun Microsystems.
        sendmail 8.10 and 8.11 reused the ${if_addr} and ${if_family}
                macros for both the incoming interface address/family and
                the outgoing interface address/family. In order for M=b
                modifier in DaemonPortOptions to work properly, preserve
                the incoming information in the queue file for later
                delivery attempts.
        Use SMTP error code and enhanced status code from check_relay in
                responses to commands. Problem noted by Jeff Wasilko of
                smoe.org.
        Add more vigilance in checking for putc() errors on output streams
                to protect from a bug in Solaris 2.6's putc(). Problem
                noted by Graeme Hewson of Oracle.
        The LDAP map -n option (return attribute names only) wasn't working.
                Problem noted by Ajay Matia.
        Under certain circumstances, an address could be listed as deferred
                but would be bounced back to the sender as failed to be
                delivered when it really should have been queued. Problem
                noted by Allan E Johannesen of Worcester Polytechnic Institute.
        Prevent a segmentation fault in a child SMTP process from getting
                the SMTP transaction out of sync. Problem noted by Per
                Hedeland of Ericsson.
        Turn off RES_DEBUG if SFIO is defined unless SFIO_STDIO_COMPAT
                is defined to avoid a core dump due to incompatibilities
                between sfio and stdio. Problem noted by Neil Rickert
                of Northern Illinois University.
        Don't log useless envelope ID on initial connection log. Problem
                noted by Kari Hurtta of the Finnish Meteorological Institute.
        Portability:
                Replace code for finding the number of CPUs on HPUX.
                NetBSD uses a .0 extension of formatted man pages. From
                        Andrew Brown of Graffiti World Wide, Inc.
                Return to using the IPv6 AI_DEFAULT flag instead of AI_V4MAPPED
                        for calls to getipnodebyname(). The Linux
                        implementation is broken so AI_ADDRCONFIG is stripped
                        under Linux. From John Beck of Sun Microsystems and
                        John Kennedy of Cal State University, Chico.
        CONFIG: Catch invalid addresses containing a ',' at the wrong place.
                Patch from Neil Rickert of Northern Illinois University.
        CONFIG: New variables for the new sendmail options:
                confCACERT_PATH CACERTPath
                confCACERT CACERTFile
                confCLIENT_CERT ClientCertFile
                confCLIENT_KEY ClientKeyFile
                confRAND_FILE RandFile
                confSERVER_CERT ServerCertFile
                confSERVER_KEY ServerKeyFile
        CONFIG: Provide basic rulesets for TLS policy control and add new
                tags to the access database to support these policies. See
                cf/README for more information.
        CONFIG: Add TLS information to the Received: header.
        CONFIG: Call tls_client ruleset from check_mail in case it wasn't
                called due to a STARTTLS command.
        CONFIG: If TLS_PERM_ERR is defined, TLS related errors are permanent
                instead of temporary.
        CONFIG: FEATURE(`relay_hosts_only') didn't work in combination with
                the access map and relaying to a domain without using a To:
                tag. Problem noted by Mark G. Thomas of Mark G. Thomas
                Consulting.
        CONFIG: Set confEBINDIR to /usr/sbin to match the devtools entry in
                OSTYPE(`linux') and OSTYPE(`mklinux'). From Tim Pierce of
                RootsWeb.com.
        CONFIG: Make sure FEATURE(`nullclient') doesn't use aliasing and
                forwarding to make it as close to the old behavior as
                possible. Problem noted by George W. Baltz of the
                University of Maryland.
        CONTRIB: Add link_hash.sh to create symbolic links to the hash
                of X.509 certificates.
        CONTRIB: qtool.pl: Add missing last_modified_time method and fix a
                typo. Patch from Graeme Hewson of Oracle.
        CONTRIB: re-mqueue.pl: improve handling of a race between re-mqueue
                and sendmail. Patch from Graeme Hewson of Oracle.
        DEVTOOLS: INSTALL_RAWMAN installation option mistakenly applied any
                extension modifications (e.g., MAN8EXT) to the installation
                target. Patch from James Ralston of Carnegie Mellon
                University.
        LIBSMDB: Berkeley DB 2.X and 3.X errors might be lost and not
                reported.
        MAIL.LOCAL: DG/UX portability. Problem noted by Tim Boyer of
                Denman Tire Corporation.
        MAIL.LOCAL: Prevent a possible DoS attack when compiled with
                -DCONTENTLENGTH. Based on patch from 3APA3ASECURITY.NNOV.RU.
        MAKEMAP: Change man page layout as workaround for problem with nroff
                and -man on Solaris 7. Patch from Larry Williamson.
        RMAIL: AIX 4.3 has snprintf(). Problem noted by David Hayes of
                Black Diamond Equipment, Limited.
        VACATION: Read all of the headers before deciding whether or not
                to respond instead of stopping after finding recipient.
        Added Files:
                contrib/link_hash.sh
                devtools/M4/UNIX/sharedlib.m4

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface
Charset: noconv

iQCVAwUBOT7+fXxLZ22gDhVjAQEnXgP9GhZSUJDSV50rV3UC8xsjFRbLXYg6hIFq
AtmUkrazJ/Yh6fH5jT9QATUjg0rjIOC/HAX9N10ygJ2WdVs98kplq/LmyjB65XeA
PUb3buMIfMkJ2xAnwHc1MOKuPkJ2D5mrbQf++BFDO+5HP4RHH1szaPxOdNgypahb
rUbfVWMAs/c=
=sTA+
-----END PGP SIGNATURE-----
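
The verification procedure the announcement describes, as an added example that is not part of the original message or the sendmail distribution: compare the published MD5 values, then check the detached signature against the uncompressed tar file. It assumes md5sum (GNU coreutils), gzip and gpg are installed and that the Sendmail Signing Key/2000 is already in the keyring; the function names are hypothetical. The MD5 comparison only catches a damaged or swapped download, so the signature check is the step that establishes authenticity.

```shell
#!/bin/sh
# Added example: verify a downloaded sendmail 8.11.0.Beta3 release.
# The MD5 values are the ones published in the announcement above.
REL=sendmail.8.11.0.Beta3

# Print the published MD5 for a release file name; fail for unknown names.
published_md5() {
    case "$1" in
        "$REL.tar.Z")   echo 1f90e21335052c49b0b6d716db7281de ;;
        "$REL.tar.gz")  echo 5a1ae23ca0e05dfe83d89a9dd1bad802 ;;
        "$REL.tar.sig") echo 2b4e164c8df76e318f41cce5119af9eb ;;
        *) return 1 ;;
    esac
}

# check_md5 FILE EXPECTED: succeed only if FILE is readable and its MD5
# digest equals EXPECTED.
check_md5() {
    [ -r "$1" ] || return 1
    actual=$(md5sum < "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# verify_release DIR: check the .tar.gz and .tar.sig found in DIR, then
# verify the detached signature against the *uncompressed* tar file,
# because the announcement says the .sig covers the tar after uncompressing.
verify_release() {
    dir=$1
    for f in "$REL.tar.gz" "$REL.tar.sig"; do
        want=$(published_md5 "$f") || return 1
        check_md5 "$dir/$f" "$want" || { echo "MD5 mismatch: $f" >&2; return 1; }
    done
    gzip -dc "$dir/$REL.tar.gz" > "$dir/$REL.tar" || return 1
    # Assumption: the Sendmail Signing Key/2000 was imported beforehand.
    gpg --verify "$dir/$REL.tar.sig" "$dir/$REL.tar"
}

# Run only when a download directory is given on the command line.
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

Nothing is unpacked or built unless both the digest comparison and the signature check succeed; the script's exit status reflects the result.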