RedHat: Low: sendmail security and bug fix update
Posted by Benjamin D. Thomas   
Updated sendmail packages that fix a security issue and various bugs are now available for Red Hat Enterprise Linux 4. The configuration of Sendmail on Red Hat Enterprise Linux was found to not reject the "localhost.localdomain" domain name for e-mail messages that came from external hosts. This could have allowed remote attackers to disguise spoofed messages
---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: sendmail security and bug fix update
Advisory ID:       RHSA-2007:0252-02
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0252.html
Issue date:        2007-05-01
Updated on:        2007-05-01
Product:           Red Hat Enterprise Linux
Keywords:          localhost.localdomain CipherList
CVE Names:         CVE-2006-7176 
---------------------------------------------------------------------

1. Summary:

Updated sendmail packages that fix a security issue and various bugs are now
available for Red Hat Enterprise Linux 4.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver
mail from one machine to another. Sendmail is not a client program, but
rather a behind-the-scenes daemon that moves email over networks or the
Internet to its final destination.

The configuration of Sendmail on Red Hat Enterprise Linux was found to not
reject the "localhost.localdomain" domain name for e-mail messages that
came from external hosts. This could have allowed remote attackers to
disguise spoofed messages (CVE-2006-7176).
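
Added example (not part of Red Hat's advisory): a log check for mail accepted from an external relay with a "localhost.localdomain" sender, the condition described above. It assumes sendmail's usual syslog "from=" line layout; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Sendmail logs one "from=" line per accepted message; relay= carries the
# connecting host and, in brackets, its IP address (assumed log layout).
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,\s]*)>?,"
    r".*\brelay=(?P<relay>[^\[\n]*?)\s*"
    r"(?:\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\])?\s*(?:\(.*\))?$"
)

SPOOFABLE_DOMAIN = "localhost.localdomain"  # domain named in the advisory


def is_local_relay(relay, ip):
    """True when the message was submitted from this host itself."""
    if ip:
        try:
            return ipaddress.ip_address(ip).is_loopback
        except ValueError:
            return False
    # Local submissions (mail(1), cron) log relay=user@localhost with no IP.
    return relay.endswith("@localhost") or relay == "localhost"


def find_spoofed(lines):
    """Return (queue id, sender, relay IP) for external mail claiming the local domain."""
    hits = []
    for line in lines:
        m = FROM_LINE.search(line)
        if not m:
            continue
        domain = m["sender"].rpartition("@")[2].lower().rstrip(".")
        if domain == SPOOFABLE_DOMAIN and not is_local_relay(m["relay"], m["ip"]):
            hits.append((m["qid"], m["sender"], m["ip"]))
    return hits


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
May  1 10:02:11 mx1 sendmail[4312]: l41A2BxK004312: from=<root@localhost.localdomain>, size=812, class=0, nrcpts=1, msgid=<a1@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=mail.example.net [203.0.113.25]
May  1 10:03:40 mx1 sendmail[4330]: l41A3eQv004330: from=root, size=341, class=0, nrcpts=1, msgid=<b2@mx1.example.com>, relay=root@localhost
May  1 10:04:02 mx1 sendmail[4331]: l41A42pT004331: from=<logwatch@localhost.localdomain>, size=2290, class=0, nrcpts=1, msgid=<c3@localhost.localdomain>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
May  1 10:05:19 mx1 sendmail[4350]: l41A5JmR004350: from=<alice@example.org>, size=1520, class=0, nrcpts=1, msgid=<d4@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
""".splitlines()

if __name__ == "__main__":
    for qid, sender, ip in find_spoofed(SAMPLE_LOG):
        print(f"{qid}: {sender} accepted from external relay {ip}")
```

Only the first sample line is reported: the second and third are local submissions, and the fourth uses an ordinary external sender domain.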

This updated package also fixes the following bugs:

* Infinite loop within tls read.

* Incorrect path to selinuxenabled in initscript.

* Build artifacts from sendmail-cf package.

* Missing socketmap support.

* Add support for CipherList configuration directive.

* Path for aliases file.

* Failure of shutting down sm-client.

* Allows specifying persistent queue runners.

* Missing dnl for SMART_HOST define.

* Fixes connections that stay in CLOSE_WAIT.

All users of Sendmail should upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

121850 - [PATCH] infinite loop within tls_read
152282 - Incorrect path to selinuxenabled in /etc/init.d/sendmail
152955 - sendmail-cf contains rpm build artifacts
156191 - Changelog says 'Socketmap Supported' but it's not compiled in.
166744 - aliases man page specifies incorrect location of aliases file
171838 - CVE-2006-7176 sendmail allows external mail with from address xxx@localhost.localdomain
172352 - Sendmail allows SSLv2 during STARTTLS, and the CipherList config option isn't supported so you can't turn it off
200920 - shutting down sm-client fails
200921 - [PATCH] method to specify persistent queue runners?
200923 - sendmail.mc missing dnl on SMART_HOST define

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/sendmail-8.13.1-3.2.el4.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7176
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
 