Updated Sendmail packages fix vulnerability.

Advisory:	RHSA-2003:265-05
Type:	Security Advisory
Severity:	N/A
Issued on:	2003-08-28
Last updated on:	2003-08-28
Affected Products:	Red Hat Linux 8.0 Red Hat Linux 9
OVAL:	N/A
CVEs (cve.mitre.org):	CVE-2003-0688

Details

Updated Sendmail packages are available to fix a vulnerability in the
handling of DNS maps.

Sendmail is a widely used Mail Transport Agent (MTA) which is included
in all Red Hat Linux distributions.

A bug has been discovered in the handling of DNS maps in Sendmail 8.12
versions before 8.12.9. A remote attacker can exploit this issue to
crash the instance of Sendmail dealing with the request. We believe
that the nature of the bug would make remote exploitation of this issue
difficult, if at all possible. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0688 to this issue.

Red Hat Linux 8.0 and 9 include versions of Sendmail vulnerable to this
issue, however it only affects sites that use DNS maps through the
"enhdnsbl" feature.

Sendmail users that have enabled DNS maps are advised to update to the
packages contained within this erratum which include a backported patch to
correct this vulnerability.

Red Hat would like to thank the Sendmail security team for notifying us of
this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 8.0

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-6.80.src.rpm Missing file	`ac5560196623e14a9b13c6762ca5ca16`

IA-32:
sendmail-8.12.8-6.80.i386.rpm File outdated by: RHSA-2003:283	`44a2c0236d7ddab1e78f516a77e0ada7`
sendmail-cf-8.12.8-6.80.i386.rpm File outdated by: RHSA-2003:283	`e747860a6f3be7656b8825e2347fb630`
sendmail-devel-8.12.8-6.80.i386.rpm File outdated by: RHSA-2003:283	`2468060ef217ed6744ada284f71e43f9`
sendmail-doc-8.12.8-6.80.i386.rpm File outdated by: RHSA-2003:283	`e47b1bb2393e310e70d0ea1a6aa825a5`

Red Hat Linux 9

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/sendmail-8.12.8-6.90.src.rpm Missing file	`2e798f9d4b87a136fd4e2b0800635551`

IA-32:
sendmail-8.12.8-6.90.i386.rpm File outdated by: RHSA-2003:283	`b449795ddf270ad3e7f5e0b1d3cdd7e4`
sendmail-cf-8.12.8-6.90.i386.rpm File outdated by: RHSA-2003:283	`bc273f94312c562f4ed4eeac32282208`
sendmail-devel-8.12.8-6.90.i386.rpm File outdated by: RHSA-2003:283	`95ee5dff8fb357dab99a5d30d6e5704e`
sendmail-doc-8.12.8-6.90.i386.rpm File outdated by: RHSA-2003:283	`ee6a858f44090dfd8aadb797a0135ace`

Bugs fixed (see bugzilla for more information)

103068 - CAN-2003-0688 sendmail remote random free()

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0688
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/54367

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/