From: Claus Assmann <donotreply-AT-sendmail.org>
Subject: sendmail 8.13.6 available
Date: Wed, 22 Mar 2006 08:02:11 -0800 (PST)
Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.13.6. It contains a fix for a security problem
discovered by Mark Dowd of ISS X-Force. Sendmail thanks ISS for
bringing this problem to our attention and reviewing the patch for
it. sendmail 8.13.6 also includes fixes for other potential problems,
see the release notes below for more details. Sendmail urges all
users to upgrade to sendmail 8.13.6. If this is not possible,
patches for 8.13 and 8.12 are available at our FTP site. However,
note that those patches may not (cleanly) apply to versions other
than 8.13.5 and 8.12.11, respectively. There are no patches for
versions before 8.12 because those outdated versions use a different
I/O layer and hence it would require a major effort to rewrite that
layer. For those not running the open source version, check with
your vendor for a patch.
For a complete list of changes see the release notes down below.
Remember to check the PGP signatures of releases obtained via FTP or
Please send bug reports and general feedback to one of the addresses
listed at: http://www.sendmail.org/email-addresses.html
The version can be found at:
You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
sig file. The PGP signature was created using the Sendmail Signing
Key/2006, available on the web site (http://www.sendmail.org/) or
on the public key servers.
Since sendmail 8.11 and later include hooks for cryptography, the
following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1765 2006/03/08 02:15:03 ca Exp $
This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
and client side of sendmail with timeouts in the libsm I/O
layer and fix problems in that code. Also fix handling of
a buffer in sm_syslog() which could have been used as an
attack vector to exploit the unsafe handling of
setjmp(3)/longjmp(3) in combination with signals.
Problem detected by Mark Dowd of ISS X-Force.

Handle theoretical integer overflows that could be triggered if
the server accepted headers larger than the maximum
(signed) integer value. This is prevented in the default
configuration by restricting the size of a header, and on
most machines memory allocations would fail before reaching
those values. Problems found by Phil Brass of ISS.

If a server returns 421 for an RSET command when trying to start
another transaction in a session while sending mail, do
not trigger an internal consistency check. Problem found
by Allan E Johannesen of Worcester Polytechnic Institute.

If a server returns a 5xy error code (other than 501) in response
to a STARTTLS command despite the fact that it advertised
STARTTLS and that the code is not valid according to RFC
2487, treat it nevertheless as a permanent failure instead
of a protocol error (which had been changed to a
temporary error in 8.13.5). Problem reported by Jeff
A. Earickson of Colby College.

Clear SMTP state after a HELO/EHLO command. Patch from John
Myers of Proofpoint.

Observe the MinQueueAge option when gathering entries from the queue
for sorting, etc., instead of waiting until the entries are
processed. Patch from Brian Fundakowski Feldman.

Set up the TLS session cache to properly handle clients that try to
resume a stored TLS session.

Properly count the number of (direct) child processes so that
a configured value (MaxDaemonChildren) is not exceeded.
Based on patch from Attila Bruncsak.

LIBMILTER: Remove superfluous backslash in macro definition
(libmilter.h). Based on patch from Mike Kupfer of

LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets.
This generates an error message from libmilter on
Solaris, though other systems appear to just discard the

LIBMILTER: Deal with sigwait(2) implementations that return
-1 and set errno instead of returning an error code
directly. Patch from Chris Adams of HiWAAY Informations

Fix compilation checks for closefrom(3) and statvfs(2)
in NetBSD. Problem noted by S. Moonesamy, patch from