From: Gregory Neil Shapiro (sendmail+gshapiro@sendmail.org)
Date: Mon Aug 20 2001 - 16:03:46 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    Sendmail, Inc., and the Sendmail Consortium announce the availability
    of sendmail 8.11.6 and 8.12.0.Beta19.

    These new versions fix a security problem reported by SecurityFocus
    regarding command line processing. This vulnerability is present in
    sendmail open source versions between 8.10.0 and 8.11.5 as well as all
    8.12.0.Beta versions. Therefore, sendmail 8.12.0.Beta users should upgrade
    to 8.12.0.Beta19.

    The problem was not present in 8.10 or earlier versions. However, as
    always, we recommend using the latest version. Note that this problem is
    not remotely exploitable.

    Please send bug reports to sendmail-bugs@sendmail.org and general
    feedback to sendmail@sendmail.org.

    The versions can be found at:

    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.Z
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.sig

    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.Z
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.sig

    MD5 signatures:

    a57e7681d810d9d6400cbe6bbcf06aa0 sendmail.8.11.6.tar.gz
    db74e6149b3b47294dbceded31357ac5 sendmail.8.11.6.tar.Z
    a32edd9515e5d9d3bf54d1224909c93a sendmail.8.11.6.tar.sig

    a087ee967fcaf3359ba43f4861101cab sendmail.8.12.0.Beta19.tar.gz
    07a31e48907838a7aded70616f5845c3 sendmail.8.12.0.Beta19.tar.Z
    0f7abe1de6c1363385b6b8dd3634f5bd sendmail.8.12.0.Beta19.tar.sig

    You need either the gzip'ed version (.gz) or the compressed version
    (.Z). The .sig files contain the PGP signature of the tar files
    (after uncompressing). The PGP signatures were created using the
    Sendmail Signing Key/2001, available on the web site
    (http://www.sendmail.org/) or on the public key servers.

    Since sendmail 8.11 and later includes hooks to cryptography, the
    following information from OpenSSL applies to sendmail as well.

       PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
       SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
       TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
       PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
       COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
       SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
       YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
       AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
       ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

    8.11.6/8.11.6 2001/08/20
            SECURITY: Fix a possible memory access violation when specifying
                    out-of-bounds debug parameters. Problem detected by
                    Cade Cairns of SecurityFocus.
            Avoid leaking recipient information in unrelated DSNs. This could
                    happen if a connection is aborted, several mails had been
                    scheduled for delivery via that connection, and the timeout
                    is reached such that several DSNs are sent next. Problem
                    noted by Dileepan Moorkanat of Hewlett-Packard.
            Fix a possible segmentation violation when specifying too many
                    wildcard operators in a rule. Problem detected by
                    Werner Wiethege.
            Avoid a segmentation fault on non-matching Hesiod lookups. Problem
                    noted by Russell McOrmond of flora.ca

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 5.0i for non-commercial use
    Comment: Processed by Mailcrypt 3.5.6, an Emacs/PGP interface
    Charset: noconv

    iQCVAwUBO4F6zHxLZ22gDhVjAQGBKAQAhY8z92yfe7WTR+N6tSKbZXiCm23lODo6
    3hmLZb0ly3m3F5S8PVMC+AgyPvGCJuYzqXhu+NKNp9p62KUAcFjH0gq/Shh5Ftbb
    TA6EDijVaOlVIukkquCftwwY7CyOyWVuL8uwZ3WTqCkLnu8utdcJUp0w4eZkeVOE
    fs3eCFxILb0=
    =cVGH
    -----END PGP SIGNATURE-----