From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1985-1                  [email protected]
http://www.debian.org/security/                        Giuseppe Iuculano
January 31, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : sendmail
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-4565
Debian bug : 564581
It was discovered that sendmail, a Mail Transport Agent, does not properly handle
a '\0' character in a Common Name (CN) field of an X.509 certificate.
This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server
certificate issued by a legitimate Certification Authority, and to bypass intended
access restrictions via a crafted client certificate issued by a legitimate Certification Authority.
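
The class of flaw described above, shown as an added illustration (this is not sendmail's code or the Debian patch): an X.509 CN is a length-prefixed byte string, so a comparison that treats it as a C string stops at the first '\0'. The struct, function names and host names below are hypothetical, constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A CN as a certificate parser hands it over: raw bytes plus explicit length. */
struct cn_field { const unsigned char *data; size_t len; };

/* Flawed pattern: C-string comparison ends at the first '\0', so any bytes
 * after an embedded NUL are ignored. (Sample buffers are NUL-terminated.) */
int cn_matches_naive(const struct cn_field *cn, const char *expected)
{
    return strcasecmp((const char *)cn->data, expected) == 0;
}

/* Hardened check: refuse a CN containing an embedded NUL, then compare
 * over the full declared length rather than up to the first terminator. */
int cn_matches_strict(const struct cn_field *cn, const char *expected)
{
    size_t elen = strlen(expected);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                     /* embedded NUL: reject the name */
    if (cn->len != elen)
        return 0;
    return strncasecmp((const char *)cn->data, expected, elen) == 0;
}

/* Constructed sample values, not taken from any real certificate. */
static const unsigned char GOOD_CN[] = "mail.example.org";
static const unsigned char NUL_CN[]  = "mail.example.org\0.untrusted.example";

struct cn_field sample_good(void)
{
    struct cn_field f = { GOOD_CN, sizeof GOOD_CN - 1 };
    return f;
}

struct cn_field sample_nul(void)
{
    struct cn_field f = { NUL_CN, sizeof NUL_CN - 1 };
    return f;
}

int main(void)
{
    struct cn_field g = sample_good(), n = sample_nul();
    printf("good CN: naive=%d strict=%d\n",
           cn_matches_naive(&g, "mail.example.org"), cn_matches_strict(&g, "mail.example.org"));
    printf("NUL CN:  naive=%d strict=%d\n",
           cn_matches_naive(&n, "mail.example.org"), cn_matches_strict(&n, "mail.example.org"));
    return 0;
}
```
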
For the oldstable distribution (etch), this problem has been fixed in
version 8.13.8-3+etch1.
For the stable distribution (lenny), this problem has been fixed in
version 8.14.3-5+lenny1.
For the unstable distribution (sid), this problem has been fixed in
version 8.14.3-9.1, and will migrate to the testing distribution (squeeze) shortly.
We recommend that you upgrade your sendmail package.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[continued in next message]