full-disclosure-uk January 2010 archive

[Full-disclosure] [ MDVSA-2010:003 ] sendmail

From: <security_at_nospam>
Date: Tue Jan 12 2010 - 18:35:01 GMT
To: full-disclosure@lists.grok.org.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 Mandriva Linux Security Advisory                         MDVSA-2010:003
 http://www.mandriva.com/security/

 Package : sendmail
 Date    : January 11, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in sendmail:  

 sendmail before 8.14.4 does not properly handle a '\0' (NUL)
 character in a Common Name (CN) field of an X.509 certificate, which
 (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
 SMTP servers via a crafted server certificate issued by a legitimate
 Certification Authority, and (2) allows remote attackers to bypass
 intended access restrictions via a crafted client certificate issued by
 a legitimate Certification Authority, a related issue to CVE-2009-2408
 (CVE-2009-4565).

 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.

 This update provides a fix for this vulnerability.


 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
 http://www.sendmail.org/releases/8.14.4


 Updated Packages:

_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com


 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Mandriva Security Team   <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLTJFPmqjQ0CJFipgRAoKcAJ99aQC/zNJ+rZ9k9UMbTWlldiveLACg0c5X W7OfxaxmPvfqiwxJE7tjcb8=
=Fkrf
-----END PGP SIGNATURE-----
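
The NUL-in-CN flaw from the Problem Description, as an added example (not code from the advisory or from sendmail): a CN compared as a C string stops at the first '\0', while a length-aware check rejects the field. The struct, the function names and the sample CN values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A CN as it sits in the certificate: raw bytes plus an explicit length.
 * ASN.1 strings are length-prefixed, not NUL-terminated. */
struct cn_field { const unsigned char *data; size_t len; };

/* Flawed pattern: treats the bytes as a C string, so the comparison
 * stops at the first NUL and everything after it is ignored. */
static int cn_matches_naive(const struct cn_field *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: reject any CN containing a NUL, then require the
 * full field length to equal the length of the expected host name. */
static int cn_matches_strict(const struct cn_field *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                 /* embedded NUL: never a valid name */
    if (cn->len != hlen)
        return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

/* Constructed sample fields, not taken from any real certificate. */
static const unsigned char CN_NUL[] = "mx.example.org\0.test.invalid";
static const unsigned char CN_OK[]  = "mx.example.org";
static const struct cn_field cn_nul = { CN_NUL, sizeof(CN_NUL) - 1 };
static const struct cn_field cn_ok  = { CN_OK,  sizeof(CN_OK) - 1 };

int main(void)
{
    const char *host = "mx.example.org";

    printf("naive,  CN with NUL: %d\n", cn_matches_naive(&cn_nul, host));
    printf("strict, CN with NUL: %d\n", cn_matches_strict(&cn_nul, host));
    printf("strict, clean CN:    %d\n", cn_matches_strict(&cn_ok, host));
    return 0;
}
```
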


