Sendmail 8.13.6

Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.13.6. It contains a fix for a security problem discovered by Mark Dowd of ISS X-Force. Sendmail thanks ISS for bringing this problem to our attention and reviewing the patch for it. sendmail 8.13.6 also includes fixes for other potential problems; see the release notes below for more details. Sendmail urges all users to upgrade to sendmail 8.13.6. If this is not possible, patches for 8.13 (PGP signature) and 8.12 (PGP signature) are available at our FTP site. However, note that those patches do not (cleanly) apply to versions other than 8.13.5 and 8.12.11, respectively, because the hunk for sendmail/version.c will fail; that failure can be ignored. Moreover, these patches may not even work with older versions, as there have been other changes to the affected code before. Nevertheless, the patches can be used as a stop-gap measure before eventually upgrading to 8.13.6.

There are no patches for versions before 8.12 because those outdated versions use a different I/O layer and hence it would require a major effort to rewrite that layer.

For those not running the open source version, check with your vendor for a patch. If you use the commercial version from Sendmail, Inc. then please see their advisory.

For a full list of changes see the release notes down below.

Errata

  • (2006-03-26) SMTP AUTH encryption does not work properly due to the changes in the I/O layer (non-blocking I/O). Note: this does not affect simple mechanisms like PLAIN or LOGIN, but only mechanisms that provide a security layer, e.g., DIGEST-MD5. As a workaround, disable the security layer temporarily by setting AuthMaxBits to 0: add
    define(`confAUTH_MAX_BITS', `0')
    to your mc file. A security layer can be provided by STARTTLS. (2006-03-28) A preliminary patch is available. If there is still a problem after applying this patch, please send a bug report.
  • (2006-04-11) If a timeout occurs, a df file can be left in the mail queue if buffered files are used. This is a regression in 8.13.6 caused by the new I/O error handling. A fix will be available in the next release; in the meantime simply remove old df files (i.e., those that are older than the maximum queue timeout and have no corresponding qf, Qf, or hf file).
  • (2006-04-17) We received at least one report that the 8.12.11 patch fails even for 8.12.10, and after manually applying it, the resulting sendmail binary does not behave as expected. Hence the best way to deal with this problem is to upgrade to 8.13.6 (or later when available).
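The cleanup the 2006-04-11 erratum asks for, as an added example that is not part of this announcement or of the sendmail distribution: it lists df files older than the queue timeout that have no qf, Qf or hf counterpart, and leaves the actual removal to the administrator. It assumes a POSIX sh and find, an age threshold in days, and either a flat queue directory or the df/ and qf/ subdirectory layout; the queue ids in the sample are made up.

```shell
#!/bin/sh
# Added example (not sendmail.org code): find df (data) files in a sendmail
# queue that are older than the queue timeout and have no matching qf, Qf or
# hf control file, i.e. the leftovers described in the 8.13.6 erratum.
# Assumptions: flat queue directory or df/ and qf/ subdirectories; age in days.

# Does any control file (qf, Qf, hf) exist for queue id $2 in queue dir $1?
has_control_file() {
    for p in qf Qf hf; do
        [ -e "$1/$p$2" ] || [ -e "$1/qf/$p$2" ] && return 0
    done
    return 1
}

# Print df files in $1 older than $2 days that have no control file.
# Lists only; review the output before removing anything.
find_orphan_df() {
    qdir=$1; days=$2
    for df in "$qdir"/df* "$qdir"/df/df*; do
        [ -f "$df" ] || continue                   # skip unmatched globs/dirs
        # find prints the path only if it was modified more than $days ago
        [ -n "$(find "$df" -mtime +"$days" -print)" ] || continue
        id=${df##*/df}                             # strip path and df prefix
        has_control_file "$qdir" "$id" || echo "$df"
    done
    return 0
}

# Constructed sample queue with one stale orphan; ids are made up.
make_sample_queue() {
    d=$(mktemp -d)
    : > "$d/dfk2M000001"; : > "$d/qfk2M000001"   # complete and fresh: keep
    : > "$d/dfk2M000002"                         # orphan but fresh: keep
    : > "$d/dfk2M000003"                         # orphan and stale: report
    touch -t 200603220000 "$d/dfk2M000003"
    : > "$d/dfk2M000004"; : > "$d/Qfk2M000004"   # stale but quarantined: keep
    touch -t 200603220000 "$d/dfk2M000004"
    echo "$d"
}

q=$(make_sample_queue)
find_orphan_df "$q" 5          # prints only .../dfk2M000003
rm -rf "$q"
```

Against a live queue, run it as `find_orphan_df /var/spool/mqueue 5` with the day count matching your Timeout.queuereturn, and only pipe the reviewed list to rm.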

Remember to check the PGP signatures of releases obtained via FTP or HTTP.

Please send bug reports and general feedback to the appropriate e-mail address.

The version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.Z.sig

or on a mirror near to you.

You either need the first two files or the third and fourth, i.e., the gzip'ed version or the compressed version and the corresponding sig file. The PGP signature was created using the Sendmail Signing Key/2006, also available on the public key servers.

MD5 checksums:

51a1dc709664cb886785c340dc87faed sendmail.8.13.6.tar.Z
89788590cb07beaa7383a24249d3e1f2 sendmail.8.13.6.tar.Z.sig
484cca51f74b5e562b3cf119ceb2f900 sendmail.8.13.6.tar.gz
40f60410cf246d04c2a7265ee608e1e8 sendmail.8.13.6.tar.gz.sig

Since sendmail 8.11 and later include hooks for cryptography, the following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

			SENDMAIL RELEASE NOTES
      $Id: RELEASE_NOTES,v 8.1765 2006/03/08 02:15:03 ca Exp $

This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release.

8.13.6/8.13.6	2006/03/22
	SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
		and client side of sendmail with timeouts in the libsm I/O
		layer and fix problems in that code.  Also fix handling of
		a buffer in sm_syslog() which could have been used as an
		attack vector to exploit the unsafe handling of
		setjmp(3)/longjmp(3) in combination with signals.
		Problem detected by Mark Dowd of ISS X-Force.
	Handle theoretical integer overflows that could be triggered if
		the server accepted headers larger than the maximum
		(signed) integer value.  This is prevented in the default
		configuration by restricting the size of a header, and on
		most machines memory allocations would fail before reaching
		those values.  Problems found by Phil Brass of ISS.
	If a server returns 421 for an RSET command when trying to start
		another transaction in a session while sending mail, do
		not trigger an internal consistency check.  Problem found
		by Allan E Johannesen of Worcester Polytechnic Institute.
	If a server returns a 5xy error code (other than 501) in response
		to a STARTTLS command despite the fact that it advertised
		STARTTLS and that the code is not valid according to RFC
		2487 treat it nevertheless as a permanent failure instead
		of a protocol error (which has been changed to a
		temporary error in 8.13.5).  Problem reported by Jeff
		A. Earickson of Colby College.
	Clear SMTP state after a HELO/EHLO command.  Patch from John
		Myers of Proofpoint.
	Observe MinQueueAge option when gathering entries from the queue
		for sorting etc instead of waiting until the entries are
		processed.  Patch from Brian Fundakowski Feldman.
	Set up TLS session cache to properly handle clients that try to
		resume a stored TLS session.
	Properly count the number of (direct) child processes such that
		a configured value (MaxDaemonChildren) is not exceeded.
		Based on patch from Attila Bruncsak.
	LIBMILTER: Remove superfluous backslash in macro definition
		(libmilter.h).  Based on patch from Mike Kupfer of
		Sun Microsystems.
	LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets.
		This generates an error message from libmilter on
		Solaris, though other systems appear to just discard the
		request silently.
	LIBMILTER: Deal with sigwait(2) implementations that return
		-1 and set errno instead of returning an error code
		directly.  Patch from Chris Adams of HiWAAY Informations
		Services.
	Portability:
		Fix compilation checks for closefrom(3) and statvfs(2)
		in NetBSD.  Problem noted by S. Moonesamy, patch from
		Andrew Brown.
Copyright © 1998-2013 Sendmail, Inc. All Rights Reserved.