Sendmail security problem

Raul Aldaz wrote:
> Any comment about this? (see sendmail.org).

All I know, sendmail.org says I can not patch versions below 8.13.5:

    If you cannot upgrade to 8.13.6, then you can apply a patch to 8.13.5, or a patch for 8.12.11. Note: these patches do not apply cleanly to older versions; moreover, they may not even work properly due to other changes that have been made in the latest versions. Hence we strongly suggest all users of sendmail 8 to upgrade to sendmail 8.13.6.

So the fix is currently unknown for 3.8-stable with 8.13.4. Looks like we need to wait for millert@'s work for stable branches...

One way to fix 3.8-stable is to pull in 8.13.6 entirely, but anyway it needs testing, as in the case of sendmail.org's patch: it is complex and ~70Kb long.

Re: Sendmail security problem

Alexey E. Suslikov wrote:
> Raul Aldaz wrote:
>
>> Any comment about this? (see sendmail.org).
>
> So fix is currently unknown for 3.8-stable with 8.13.4. Looks
> like we need to wait millert@'s work for stable branches...
>
> One way to fix 3.8-stable is to pull in 8.13.6 entirely but
> anyway it needs testing as in case with sendmail.org's patch:
> it is complex and ~70Kb long.

I installed 8.13.6 last night from the source tar ball on two machines (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging along happily. Can't speak to the specific security issue though.

--
Anthony C Howe          Skype: SirWumpus   SnertSoft
+33 6 11 89 73 78       AIM: SirWumpus     Sendmail Milter Solutions
http://www.snert.com/   ICQ: 7116561       http://www.snertsoft.com/

Re: Sendmail security problem

On Thu, Mar 23, 2006, Alexey E. Suslikov wrote:
> All I know, sendmail.org says I can not patch versions below
> 8.13.5:

That's wrong. See the 8.13.6 note:

    and 8.12 are available at our FTP site. However, note that those
    patches do not (cleanly) apply to versions other than 8.13.5 and
    8.12.11, respectively, at least the patch for sendmail/version.c will
    fail, but that can be ignored. Moreover, these patches may not even
    work with older version as there have been other changes before.

That is, you can apply the patch and if only version.c fails, then you can give it a try. However, sendmail.org won't provide support for such a patched version.

Re: Sendmail security problem

Claus Assmann wrote:
> On Thu, Mar 23, 2006, Alexey E. Suslikov wrote:
>
>> All I know, sendmail.org says I can not patch versions below
>> 8.13.5:
>
> That's wrong. See the 8.13.6 note:
>
> and 8.12 are available at our FTP site. However, note that those
> patches do not (cleanly) apply to versions other than 8.13.5 and
> 8.12.11, respectively, at least the patch for sendmail/version.c will
> fail, but that can be ignored. Moreover, these patches may not even
> work with older version as there have been other changes before.
>
> That is, you can apply the patch and if only version.c fails,
> then you can give it a try. However, sendmail.org won't provide
> support for such a patched version.

What's wrong? Can you trust this patched version, if even sendmail.org says "these patches may not even work with older version"?

Re: Sendmail security problem

...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> I installed 8.13.6 last night from the source tar ball on two machines
> (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging
> along happily. Can't speak to the specific security issue though.

Replacing OpenBSD's sendmail with sendmail.org's version is a non-issue (as in "just works") on any OpenBSD version which ships >= 8.12.

If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc contains the ENVDEFs to add to site.config.m4.

Alex.

Re: Sendmail security problem

On 2006/03/24 14:12, Alexander Bochmann wrote:
> ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
>
> > I installed 8.13.6 last night from the source tar ball on two machines
> > (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging
> > along happily. Can't speak to the specific security issue though.
>
> Replacing OpenBSDs sendmail with sendmail.org's version
> is a non-issue (as in "just works") on any OpenBSD version
> which ships >= 8.12.
>
> If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc
> contains the ENVDEFs to add to site.config.m4.

The patch is in 3.8-stable now, and -current has 8.13.6, so people following either of these just need to update.

Re: Sendmail security problem

On Fri, Mar 24, 2006 at 02:14:50PM +0000, Stuart Henderson wrote:
> On 2006/03/24 14:12, Alexander Bochmann wrote:
> > ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> >
> > > I installed 8.13.6 last night from the source tar ball on two machines
> > > (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging
> > > along happily. Can't speak to the specific security issue though.
> >
> > Replacing OpenBSDs sendmail with sendmail.org's version
> > is a non-issue (as in "just works") on any OpenBSD version
> > which ships >= 8.12.
> >
> > If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc
> > contains the ENVDEFs to add to site.config.m4.
>
> The patch is in 3.8-stable now, and -current has 8.13.6, so
> people following either of these just need to update.

I am pretty certain a fix was imported for 3.7-stable, too.

Joachim

Re: Sendmail security problem

On 2006-03-24 17:10:27 +0100, Joachim Schipper wrote:
> On Fri, Mar 24, 2006 at 02:14:50PM +0000, Stuart Henderson wrote:
> > The patch is in 3.8-stable now, and -current has 8.13.6, so
> > people following either of these just need to update.
>
> I am pretty certain a fix was imported for 3.7-stable, too.

Can we have an entry on http://www.openbsd.org/errata37.html, pretty please?

And AFAIK there is a mailing list for openbsd and security...

Best
Martin
--
http://www.tm.oneiros.de

Re: Sendmail security problem

On Friday, 24 March 2006 at 14:12:44 +0100, Alexander Bochmann wrote:
>
> Replacing OpenBSDs sendmail with sendmail.org's version
> is a non-issue (as in "just works") on any OpenBSD version
> which ships >= 8.12.

Do you mind sharing the instructions on how to replace OpenBSD's sendmail with sendmail.org's 8.13.6?

TIA,

Re: Sendmail security problem

Zoong PHAM wrote:
> Do you mind to share the instruction of how to replace OpenBSD's
> sendmail with sendmail.org's 8.13.6?

Just forget about that administration nightmare and go either -stable or -current.

Not sure whether this warrants an errata entry (too much hype for my taste), but if it does, there'll be a patch there eventually, too.

Moritz

Possible systrace evidence [Was: Re: Sendmail security problem]

On Fri, 2006-03-24 at 14:14 +0000, Stuart Henderson wrote:
> The patch is in 3.8-stable now, and -current has 8.13.6, so
> people following either of these just need to update.
>

I run sendmail under systrace (OpenBSD 3.8) and a couple of weeks ago (sometime after the exploit was initially reported) I started getting this in my logs:

Mar 13 13:29:15 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, pid: 24218(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-connect(98)

Admittedly, not much to go on. Normal mail was getting through fine, so I didn't adjust my systrace policy, but instead decided to wait. I am very particular on who and what sendmail can connect, so I wasn't going to just 'permit' all native-connect calls.

After upgrading sendmail to 3.8 STABLE last night, systrace hasn't reported these errors again.

FYI...

Jamie Strandboge

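A small parser for the systrace(1) deny lines Jamie quotes above, added here as an example that is not part of this thread: it pulls the fields out of a line in that format and counts, per program, which syscalls the policy denied, so a run of native-connect denials from sendmail shows up as a count rather than something to eyeball in syslog. The sample log is constructed (the first line is the one from the post; the rest are made up).

```python
import re
from collections import Counter, defaultdict

# Field layout of a systrace(1) deny/permit log line, as quoted in the post above.
SYSTRACE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) systrace: "
    r"(?P<action>deny|permit) user: (?P<user>[^,]+), prog: (?P<prog>[^,]+), "
    r"pid: (?P<pid>\d+)\(\d+\)\[\d+\], policy: (?P<policy>[^,]+), "
    r"filters: (?P<filters>\d+), syscall: (?P<syscall>[\w-]+)\((?P<sysno>\d+)\)$"
)

# Constructed sample log: line 1 is the one quoted in the post; the others are
# made up to show a repeat denial, a different syscall, another program, and
# an unrelated syslog line that the parser must skip.
SAMPLE_LOG = """\
Mar 13 13:29:15 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, pid: 24218(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-connect(98)
Mar 13 13:31:02 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, pid: 24301(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-connect(98)
Mar 13 13:40:44 example systrace: deny user: root, prog: /usr/libexec/sendmail/sendmail, pid: 24377(1)[21120], policy: /usr/libexec/sendmail/sendmail, filters: 161, syscall: native-open(5)
Mar 13 13:41:10 example systrace: deny user: _example, prog: /usr/local/bin/example-daemon, pid: 24400(1)[21121], policy: /usr/local/bin/example-daemon, filters: 12, syscall: native-connect(98)
Mar 13 13:42:00 example sendmail[24377]: k2DCg0x024377: from=<user@example.org>, size=1234, class=0
"""


def parse_line(line):
    """Return the fields of one systrace log line as a dict, or None when the
    line is some other syslog record (sendmail's own logging, for instance)."""
    m = SYSTRACE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "filters", "sysno"):
        rec[key] = int(rec[key])
    return rec


def denials_by_program(log_text):
    """Map each program path to a Counter of the syscall names systrace denied
    it, so an unexpected connect(2) from the MTA stands out as a number."""
    denied = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["action"] == "deny":
            denied[rec["prog"]][rec["syscall"]] += 1
    return dict(denied)


if __name__ == "__main__":
    for prog, counts in denials_by_program(SAMPLE_LOG).items():
        print(prog, dict(counts))
```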
Re: Sendmail security problem

...on Sat, Mar 25, 2006 at 09:22:57PM +1100, Zoong PHAM wrote:
> Do you mind to share the instruction of how to replace OpenBSD's
> sendmail with sendmail.org's 8.13.6?

Warning: Works for me, but may not for you. The specific version below is untested, and may miss options you need on your system (say, when using LDAP maps or SASL, for example). Generally, look at devtools/README first.

I don't usually set confMBINDIR, and just overwrite the /usr/sbin/sendmail link, rendering mailwrapper(8) useless.

In the sendmail source tree, create a file called devtools/Site/site.config.m4 with about the content below:

--- cut ---
dnl # whatever it is you like to pass to cc
define(`confOPTIMIZE', `-Os')
dnl # write sendmail binary to /usr/libexec/sendmail/ for mailwrapper
define(`confMBINDIR', `/usr/libexec/sendmail')
define(`confMAPDEF', `-DMAP_REGEX')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
APPENDDEF(`conf_sendmail_ENVDEF', `-DDNSMAP -DNETINET6 -DNEEDSGETIPNODE')
dnl # OpenBSD Makefile has this
APPENDDEF(`conf_sendmail_ENVDEF', `-DFAST_PID_RECYCLE')
APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_USE_SETLOGIN')
dnl # only when milter support is required
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER_ROOT_UNSAFE -pthread')
dnl # only when using NIS/YP
APPENDDEF(`confENVDEF', `-UNIS')
--- cut ---

In the sendmail toplevel dir, run

    sh ./Build

and

    sh ./Build install

If your OpenBSD came with sendmail 8.13 (probably even with 8.12), the new version should work with your current sendmail.cf, but you'll want to build a new one nevertheless.

If there are errors in this, I'd like to know.

Alex.

Re: Sendmail security problem

On Fri, 24 Mar 2006, Joachim Schipper wrote:
> On Fri, Mar 24, 2006 at 02:14:50PM +0000, Stuart Henderson wrote:
>> On 2006/03/24 14:12, Alexander Bochmann wrote:
>>> ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:

P gnu/usr.sbin/sendmail/libsm/refill.c
P gnu/usr.sbin/sendmail/sendmail/collect.c
P gnu/usr.sbin/sendmail/sendmail/conf.c
P gnu/usr.sbin/sendmail/sendmail/deliver.c
P gnu/usr.sbin/sendmail/sendmail/headers.c
P gnu/usr.sbin/sendmail/sendmail/mime.c
P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
P gnu/usr.sbin/sendmail/sendmail/savemail.c
P gnu/usr.sbin/sendmail/sendmail/sendmail.h
P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
P gnu/usr.sbin/sendmail/sendmail/util.c

> I am pretty certain a fix was imported for 3.7-stable, too.
>

Yep. Why was there no Security Advisory or entry in the Daily Changelog for this? There's an errata entry, but no announcement =/

~BAS

> Joachim