Bugtraq mailing list archives

Re: CERT Advisory CA-95:05.sendmail.vulnerabilities (fwd)


From: dcs () proton chem yale edu (Dave Schweisguth)
Date: Thu, 23 Feb 1995 07:12:28 -0500 (EST)


Paul Walmsley asks:
Does anyone have any further information on this?

Here's the SGI advisory. I logged a call to the TAC at 20:45 yesterday and
received this before midnight, from an engineer in Europe. I'm
impressed. (Caveat lector: I just got in and haven't actually gotten the
patches.) In fact, I'm impressed at the way in which being immediately
followed by announcements of vendor patches makes the CERT modus operandi
look pretty good. Not that I can tell if they're faking a fix ...

---snip---
________________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

             Title: Sendmail Vulnerabilities CERT 95:05
                Number:         19950201-01-P332
                Date:           February 22, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation.   Silicon Graphics
recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.
________________________________________________________________________________


Several sendmail vulnerabilities have been discovered in the IRIX 3.x, 4.x,
5.x and 6.x operating systems.  These have been detailed in CERT Advisory 95:05.

SGI Engineering has investigated this issue and recommends the following
steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED that these
measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x.
The issue will be permanently corrected in a future release of IRIX.

----------------
--- Solution ---
----------------


**** IRIX 3.x ****

Unfortunately, Silicon Graphics Inc. no longer supports the IRIX 3.x
operating system and therefore has no patches or binaries to provide.

However, two possible actions still remain: 1) upgrade the system to a
supported version of IRIX (see below) and then install the binary/patch
or 2) obtain the sendmail source code from anonymous FTP at
ftp.cs.berkeley.edu and compile the program manually.

**** IRIX 4.x ****

For the IRIX operating system version 4.x, a manually installable
binary replacement has been generated and made available via anonymous
ftp and/or your service/support provider.  The binary is sendmail.new.Z
and is installable on all 4.x platforms.

The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   The
binary may be found in the following directories on the ftp server:

        ~ftp/Security

                or

        ~ftp/Patches/4.x

                        ##### Checksums ####

Filename:                 sendmail.new.Z
Algorithm #1 (sum -r):    27178 422 sendmail.new.Z
Algorithm #2 (sum):       46012 422 sendmail.new.Z
MD5 checksum:             146DD1019673D7C2C89A78D7ACF85CF6


After obtaining the binary, it may be installed with the instructions
below:


        1) Become the root user on the system.

                % /bin/su -
                Password:
                #

        2) Stop the current mail processes.

                # /etc/init.d/mail stop

        3) Rename the current sendmail binary to a temporary
           name.

                # mv /usr/lib/sendmail /usr/lib/sendmail.stock

        4) Change permissions on the old sendmail binary so it cannot
           be used anymore.

                # chmod 0400 /usr/lib/sendmail.stock

        5) Uncompress the binary.

                # uncompress /tmp/sendmail.new.Z

        6) Put the new sendmail binary into place (in the example
           here the binary was retrieved via anonymous ftp and put
           in /tmp)

                # mv /tmp/sendmail.new /usr/lib/sendmail

        7) Ensure the correct permissions and ownership on the new
           sendmail.

                # chown root.sys /usr/lib/sendmail
                # chmod 4755 /usr/lib/sendmail

        8) Restart the mail system with the new sendmail binary in place.

                # /etc/init.d/mail start

        9) Return to normal user level.

                # exit



**** IRIX 5.0.x, 5.1.x ****

For the IRIX operating system versions 5.0.x, 5.1.x, an upgrade
to 5.2 or better is required first.  When the upgrade is completed,
the patch described in the next section "**** IRIX 5.2, 5.3, 6.0,
6.0.1 ****" can be applied.


**** IRIX 5.2, 5.3, 6.0, 6.0.1 ****

For the IRIX operating system versions 5.2, 5.3, 6.0 and 6.0.1, an
inst-able patch has been generated and made available via anonymous
ftp and/or your service/support provider.  The patch is number 332
and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1.

The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   Patch
332 can be found in the following directories on the ftp server:

        ~ftp/Security

                or

        ~ftp/Patches/5.2
        ~ftp/Patches/5.3
        ~ftp/Patches/6.0
        ~ftp/Patches/6.0.1

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 patchSG0000332
Algorithm #1 (sum -r):    21182 1 patchSG0000332
Algorithm #2 (sum):       23521 1 patchSG0000332
MD5 checksum:             73EC7CCD69D45C7704025543D3C3EE9E

Filename:                 patchSG0000332.eoe1_man
Algorithm #1 (sum -r):    28090 32 patchSG0000332.eoe1_man
Algorithm #2 (sum):       64391 32 patchSG0000332.eoe1_man
MD5 checksum:             1D0090FEBED2A87050CEE4F9B70F6996

Filename:                 patchSG0000332.eoe1_sw
Algorithm #1 (sum -r):    59645 326 patchSG0000332.eoe1_sw
Algorithm #2 (sum):       11387 326 patchSG0000332.eoe1_sw
MD5 checksum:             F4C24005A712621CADD64F409D7DD5CE

Filename:                 patchSG0000332.idb
Algorithm #1 (sum -r):    18850 2 patchSG0000332.idb
Algorithm #2 (sum):       42701 2 patchSG0000332.idb
MD5 checksum:             86AF417E2DF5B09A537B8ABD6ED049FA
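The advisory publishes checksums for the 4.x binary and for each file of patch 332 but gives no procedure for checking them before the setuid binary is swapped in. The script below is an added example, not part of the SGI advisory or of Dave's post: it verifies a downloaded file against the published MD5 and only then performs the rename/chmod sequence of steps 3 to 7 of the 4.x instructions. It assumes an `md5sum`, `md5` or `openssl` command is available (the advisory does not say which tool produced its MD5 values), takes the patch 332 file list from the table above, and leaves stopping/starting mail and the `chown root.sys` to the caller, since those need root and the IRIX init script.

```sh
#!/bin/sh
# Added example (not from the SGI advisory): verify the published MD5
# checksums before replacing a setuid binary, and stage the swap so that
# an unverified file is never put into place.

# Print the MD5 of a file in lowercase hex, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED_MD5: 0 if it matches, 1 on mismatch, 2 if unreadable.
# The advisory prints MD5s in uppercase; compare case-insensitively.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ ! -r "$file" ]; then
        echo "MISSING $file" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file: expected $expected, got $actual" >&2
    return 1
}

# verify_manifest DIR MANIFEST: MANIFEST holds "filename md5" per line.
# Returns 0 only if every listed file is present and matches.
verify_manifest() {
    dir=$1
    manifest=$2
    status=0
    while read -r name sum; do
        case $name in ''|'#'*) continue ;; esac
        verify_md5 "$dir/$name" "$sum" || status=1
    done < "$manifest"
    return $status
}

# install_verified NEW EXPECTED_MD5 TARGET: steps 3-7 of the 4.x procedure
# with the checksum check in front. Fails closed: a mismatch leaves TARGET
# untouched. Mail stop/start and chown root.sys are left to the caller.
install_verified() {
    new=$1
    expected=$2
    target=$3
    if ! verify_md5 "$new" "$expected"; then
        echo "refusing to install unverified $new" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        mv "$target" "$target.stock" || return 1
        chmod 0400 "$target.stock" || return 1     # step 4: old binary unusable
    fi
    mv "$new" "$target" || return 1                # step 6
    chmod 4755 "$target"                           # step 7 (setuid root binary)
}

# Patch 332 file list and MD5s, transcribed from the advisory's checksum table.
patch332_manifest() {
    cat <<'EOF'
patchSG0000332          73EC7CCD69D45C7704025543D3C3EE9E
patchSG0000332.eoe1_man 1D0090FEBED2A87050CEE4F9B70F6996
patchSG0000332.eoe1_sw  F4C24005A712621CADD64F409D7DD5CE
patchSG0000332.idb      86AF417E2DF5B09A537B8ABD6ED049FA
EOF
}

# Usage: sh verify_patch.sh /path/to/untarred/patch332
if [ "${1-}" != "" ]; then
    manifest=$(mktemp) || exit 1
    patch332_manifest > "$manifest"
    verify_manifest "$1" "$manifest"
    rc=$?
    rm -f "$manifest"
    exit $rc
fi
```

The two `sum` figures in the advisory are less useful for this purpose than the MD5: the BSD and System V `sum` algorithms differ, and which one a bare `sum` runs (and what block size it reports) depends on the platform, so the MD5 line is the one to compare on a non-IRIX download host. The script verifies before it renames, so a truncated or tampered download is rejected while the original `/usr/lib/sendmail` is still in place.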



------------------------------------
--- Further Information/Contacts ---
------------------------------------

For obtaining security information, patches or assistance, please
contact your SGI support provider.

For reporting new SGI security issues, email can be sent to
security-alert () sgi com .
---snip---

Cheers,

-- 
| Dave Schweisguth    Internet: dcs () proton chem yale edu   MIME spoken here |
| Yale Depts. of MB&B & Chemistry   Phone: 203-432-5208   Fax: 203-432-6144 |
| For complying with the NJ Right To Know Act:  Contents partially unknown. |
