
sendmail 8.13.7 available

From:  Claus Assmann <donotreply-AT-sendmail.org>
To:  sendmail-announce-AT-sendmail.org
Subject:  sendmail 8.13.7 available
Date:  Wed, 14 Jun 2006 09:05:17 -0700 (PDT)

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.13.7.  It fixes a potential denial of service problem
caused by excessive recursion which leads to stack exhaustion when
attempting delivery of a malformed MIME message.  Therefore, the
function mime8to7() has been modified to limit the recursion level
at (the compile time constant) MAXMIMENESTING.  Note: This denial
of service attack only affects delivery of mail from the queue and
delivery of the malformed message.  Other incoming mail is still
accepted and delivered.  However, mail messages in the queue may
not be reattempted if a malformed MIME message exists.

For a complete list of changes see the release notes down below.

Remember to check the PGP signatures of releases obtained via FTP or
HTTP.

Please send bug reports and general feedback to one of the addresses
listed at: http://www.sendmail.org/email-addresses.html

The version can be found at:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.7.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.7.tar.g...
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.7.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.7.tar.Z...

MD5 signatures:

5327e065cb0c1919122c8cecbeddbc28 sendmail.8.13.7.tar.gz
0d5d94da71e1023b7987f1bd309a3520 sendmail.8.13.7.tar.gz.sig
fff614180192995ff5b2c8660aa86594 sendmail.8.13.7.tar.Z
d53507962af44b6c2858e5b6bf469d84 sendmail.8.13.7.tar.Z.sig

You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
sig file.  The PGP signature was created using the Sendmail Signing
Key/2006, available on the web site (http://www.sendmail.org/) or
on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

   PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
   SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
   TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
   PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
   COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
   SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
   YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
   AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
   ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.


			SENDMAIL RELEASE NOTES
      $Id: RELEASE_NOTES,v 8.1777.2.6 2006/06/05 22:32:41 ca Exp $


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.13.7/8.13.7	2006/06/14
	A malformed MIME structure with many parts can cause sendmail to
		crash while trying to send a mail due to a stack overflow,
		e.g., if the stack size is limited (ulimit -s).  This
		happens because the recursion of the function mime8to7()
		was not restricted.  The function is called for MIME 8 to
		7 bit conversion and also to enforce MaxMimeHeaderLength.
		To work around this problem, recursive calls are limited to
		a depth of MAXMIMENESTING (20); message content after this
		limit is treated as opaque and is not checked further.
		Problem noted by Frank Sheiness.
	The changes to the I/O layer in 8.13.6 caused a regression for
		SASL mechanisms that use the security layer, e.g.,
		DIGEST-MD5.  Problem noted by Robert Stampfli.
	If a timeout occurs while reading a message (during the DATA phase)
		a df file might have been left behind in the queue.
		This was another side effect of the changes to the I/O
		layer made in 8.13.6.
	Several minor problems have been fixed that were found by a
		Coverity scan of sendmail 8 as part of the NetBSD
		distribution. See http://scan.coverity.com/
		Note: the scan also generated a lot of "false positives",
		e.g., "error" reports about situations that cannot happen.
		Most of those code places are marked with lint(1) comments
		like NOTREACHED, but Coverity does not understand those.
		Hence an explicit assertion has been added in some cases
		to avoid those false positives.
	If the start of the sendmail daemon fails due to a configuration
		error then in some cases shared memory segments or pid
		files were not removed.
	If DSN support is disabled via access_db, then related ESMTP
		parameters for MAIL and RCPT should be rejected.  Problem
		reported by Akihiro Sagawa.
	Enabling zlib compression in OpenSSL 0.9.8[ab] breaks the padding
		bug work-around.  Hence if sendmail is linked against
		either of these versions and compression is available,
		the padding bug work-around is turned off.  Based on
		patch from Victor Duchovni of Morgan Stanley.
	CONFIG: FEATURE(`dnsbl') and FEATURE(`enhdnsbl') used
		blackholes.mail-abuse.org as default domain for lookups,
		however, that list is no longer available.  To avoid
		further problems, no default value is available anymore,
		but an argument must be specified.
	Portability:
		Fix compilation on OSF/1 for sfsasl.c.  Patch from
		Pieter Bowman of the University of Utah.

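The depth limit described in the 8.13.7 release notes, as an added example that is not sendmail's code and not part of the announcement: a simplified multipart walker that stops recursing at MAXMIMENESTING and counts what it leaves unexamined. The names find, walk, scan_nested and struct scan are hypothetical, the sample message is constructed, and the parser assumes LF line endings and an unquoted boundary= parameter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXMIMENESTING 20               /* limit named in the release notes */
struct scan { int deepest, opaque; };   /* hypothetical result record */

/* Bounded search: first occurrence of s in [p, end), or NULL. */
static const char *find(const char *p, const char *end, const char *s) {
    size_t n = strlen(s);
    for (; p + n <= end; p++)
        if (memcmp(p, s, n) == 0) return p;
    return NULL;
}

/* Walk one MIME entity in [p, end); recursion stops at MAXMIMENESTING. */
static void walk(const char *p, const char *end, int depth, struct scan *r) {
    char delim[80];
    const char *hdr_end = find(p, end, "\n\n");
    const char *b = hdr_end ? find(p, hdr_end, "boundary=") : NULL;
    if (depth > r->deepest) r->deepest = depth;
    if (b == NULL) return;                                 /* leaf part */
    if (depth >= MAXMIMENESTING) { r->opaque++; return; }  /* opaque from here */
    b += strlen("boundary=");
    snprintf(delim, sizeof delim, "--%.*s", (int)strcspn(b, ";\n"), b);
    for (const char *part = find(hdr_end, end, delim), *next; part; part = next) {
        const char *body = part + strlen(delim);
        if (body + 2 <= end && memcmp(body, "--", 2) == 0) break;  /* closing delimiter */
        next = find(body, end, delim);
        walk(body, next ? next : end, depth + 1, r);
    }
}

/* Constructed sample: `levels` nested multipart containers around one leaf. */
struct scan scan_nested(int levels) {
    struct scan r = {0, 0};
    char *m = malloc((size_t)levels * 128 + 64), *w = m;
    if (m == NULL) return r;
    for (int i = 1; i <= levels; i++)
        w += sprintf(w, "Content-Type: multipart/mixed; boundary=b%dx\n\n--b%dx\n", i, i);
    w += sprintf(w, "Content-Type: text/plain\n\nhello\n");
    for (int i = levels; i >= 1; i--)
        w += sprintf(w, "--b%dx--\n", i);
    walk(m, m + strlen(m), 0, &r);
    free(m);
    return r;
}
int main(void) {
    struct scan r = scan_nested(25);
    return printf("deepest=%d opaque=%d\n", r.deepest, r.opaque) < 0;
}
```

Without the depth check the stack use of walk grows with the nesting the sender chooses; with it, stack use is bounded and the opaque counter records how much content was left unchecked.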




Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds