Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.13.6.
It contains a fix for a security problem
discovered by Mark Dowd of ISS X-Force.
Sendmail thanks ISS for bringing this problem to our attention
and reviewing the patch for it.
sendmail 8.13.6 also includes fixes for other potential problems;
see the release notes below for more details.
Sendmail urges all users to upgrade to sendmail 8.13.6.
If this is not possible,
patches for 8.13.5 and 8.12.11 are available at our
note that those patches do not (cleanly) apply to versions other
than 8.13.5 and 8.12.11, respectively,
because the patch for sendmail/version.c will fail,
but that can be ignored.
Moreover, these patches
may not even work with older versions,
as there have been other changes before.
Nevertheless, the patches can be used as a stop-gap measure
before eventually upgrading to 8.13.6.
There are no patches for versions before 8.12
because those outdated versions use a different I/O layer
and hence it would require a major effort to rewrite that layer.
For those not running the open source version,
check with your vendor for a patch.
If you use the commercial version from
then please see
For a full list of changes see the release notes down below.
SMTP AUTH encryption does not work properly due to the changes
in the I/O layer (non-blocking I/O).
Note: this does not affect simple mechanisms like PLAIN or LOGIN,
but only mechanisms that provide a security layer, e.g.,
As a workaround, disable the security layer temporarily by
setting AuthMaxBits to 0: add
to your mc file.
A security layer can be provided by STARTTLS.
If there is still a problem after applying this patch, please
send a bug report.
If a timeout occurs, a df file can be left in the mail queue
when buffered files are used.
This is a regression in 8.13.6 caused by the new I/O error handling.
A fix will be available in the next release,
in the meantime, simply remove old
df files (i.e., if they are older than the maximum queue timeout
and if they have no corresponding
qf, Qf, or hf files).
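The cleanup rule above (a df file counts as stale only if it is older than the maximum queue timeout and no qf, Qf or hf control file with the same queue id exists) is easy to get wrong with an ad-hoc find(1) invocation, so here it is as an added example in C. This is not sendmail code: the function names, the queue-directory layout assumptions (files named df<id>, qf<id>, Qf<id>, hf<id> in one directory) and the command-line usage are the example's own, and the maximum queue timeout is passed in by the operator from their configuration rather than read from sendmail.cf. The sweep is a dry run unless explicitly told to delete.

```c
/* Added example: find (and optionally remove) orphaned df files in a
 * sendmail-style queue directory. Not part of sendmail. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* True if dir/name is a regular df file whose mtime is more than max_age
 * seconds before now AND no qf, Qf or hf file for the same queue id
 * exists. Anything else (young file, control file present, not a df
 * file, stat failure) is reported as NOT an orphan, so the safe answer
 * is the default. */
bool df_is_orphan(const char *dir, const char *name, time_t max_age, time_t now)
{
    static const char *const ctl[] = { "qf", "Qf", "hf" };   /* assumed prefixes */
    char path[PATH_MAX];
    struct stat st;
    size_t i;

    if (strncmp(name, "df", 2) != 0 || name[2] == '\0')
        return false;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return false;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return false;
    if (now - st.st_mtime <= max_age)
        return false;                     /* still inside the queue timeout */
    for (i = 0; i < sizeof ctl / sizeof ctl[0]; i++) {
        snprintf(path, sizeof path, "%s/%s%s", dir, ctl[i], name + 2);
        if (access(path, F_OK) == 0)
            return false;                 /* a control file still references it */
    }
    return true;
}

/* Walk the queue directory and count orphaned df files; unlink them only
 * when do_unlink is set. Returns the count, or -1 if dir cannot be opened. */
int sweep_orphan_df(const char *dir, time_t max_age, time_t now, bool do_unlink)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char path[PATH_MAX];
    int count = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (!df_is_orphan(dir, e->d_name, max_age, now))
            continue;
        count++;
        if (do_unlink) {
            snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
            if (unlink(path) != 0)
                perror(path);
        }
    }
    closedir(d);
    return count;
}

/* Stand-alone use: sweep <queuedir> <max_age_seconds> [--delete] */
int main(int argc, char **argv)
{
    bool del;
    int n;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <queuedir> <max_age_seconds> [--delete]\n", argv[0]);
        return 2;
    }
    del = argc > 3 && strcmp(argv[3], "--delete") == 0;
    n = sweep_orphan_df(argv[1], (time_t)atol(argv[2]), time(NULL), del);
    if (n < 0) {
        perror(argv[1]);
        return 1;
    }
    printf("%d orphaned df file(s) %s\n", n, del ? "removed" : "found (dry run)");
    return 0;
}
```

Run it once without `--delete` and compare the count against what you expect before letting it unlink anything; a df file that is still referenced by a control file is never touched, because deleting it would silently lose a queued message body.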
We received at least one report that the 8.12.11 patch fails even
for 8.12.10, and after manually applying it,
the resulting sendmail binary does not behave as expected.
Hence the best way to deal with this problem is to upgrade to 8.13.6
(or later when available).
Remember to check the PGP signatures of releases obtained via FTP or HTTP.
Please send bug reports and general feedback to the
appropriate e-mail address.
The version can be found at
or on a mirror
near to you.
You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
The PGP signature was created using the
Sendmail Signing Key/2006,
also available on the public key servers.
Since sendmail 8.11 and later include hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1765 2006/03/08 02:15:03 ca Exp $
This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
and client side of sendmail with timeouts in the libsm I/O
layer and fix problems in that code. Also fix handling of
a buffer in sm_syslog() which could have been used as an
attack vector to exploit the unsafe handling of
setjmp(3)/longjmp(3) in combination with signals.
Problem detected by Mark Dowd of ISS X-Force.
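The fix described in this entry replaces a SIGALRM handler that longjmp()s out of whatever the process was doing with timeouts enforced inside the I/O layer itself. The following is an added example of that safer pattern, written for this page and not taken from sendmail's libsm: every function, constant and type name here is the example's own. A deadline is carried through the read loop, select(2) waits at most for the remaining time, and a signal that interrupts the wait simply causes the loop to recompute and retry, so no handler ever unwinds the stack out of a non-reentrant function.

```c
/* Added example: timeouts in the I/O layer instead of setjmp/longjmp from
 * a signal handler. Not sendmail code; names are the example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Negative return codes; positive values from read_before_deadline are byte counts. */
enum { IO_OK = 0, IO_TIMEOUT = -1, IO_ERROR = -2, IO_EOF = -3, IO_TOOLONG = -4 };

/* Milliseconds left until the deadline, clamped at zero. */
static int ms_until(const struct timespec *deadline)
{
    struct timespec now;
    long ms;
    clock_gettime(CLOCK_MONOTONIC, &now);
    ms = (deadline->tv_sec - now.tv_sec) * 1000L
       + (deadline->tv_nsec - now.tv_nsec) / 1000000L;
    return ms < 0 ? 0 : (int)ms;
}

/* Read up to len bytes from fd, giving up when the deadline passes.
 * EINTR from select(2) just restarts the wait with the remaining time. */
ssize_t read_before_deadline(int fd, void *buf, size_t len,
                             const struct timespec *deadline)
{
    fd_set rfds;
    struct timeval tv;
    int rc, ms;
    ssize_t n;

    if (fd < 0 || fd >= FD_SETSIZE)
        return IO_ERROR;                      /* select() cannot represent this fd */
    for (;;) {
        ms = ms_until(deadline);
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = ms / 1000;
        tv.tv_usec = (ms % 1000) * 1000;
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (rc > 0)
            break;                            /* data (or EOF) is available */
        if (rc == 0)
            return IO_TIMEOUT;
        if (errno != EINTR)
            return IO_ERROR;
        /* EINTR: a signal arrived; recompute remaining time and wait again */
    }
    n = read(fd, buf, len);
    if (n == 0)
        return IO_EOF;
    if (n < 0)
        return IO_ERROR;
    return n;
}

/* Read one LF- or CRLF-terminated line (at most cap-1 bytes) within
 * timeout_ms overall, not per byte. Strips the line ending, NUL-terminates,
 * and returns IO_OK or one of the IO_* codes. */
int read_line_timed(int fd, char *line, size_t cap, int timeout_ms)
{
    struct timespec deadline;
    size_t used = 0;
    char c;
    ssize_t n;

    clock_gettime(CLOCK_MONOTONIC, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec += 1;
        deadline.tv_nsec -= 1000000000L;
    }
    for (;;) {
        n = read_before_deadline(fd, &c, 1, &deadline);
        if (n < 0)
            return (int)n;                    /* timeout, error or EOF */
        if (c == '\n')
            break;
        if (used + 1 >= cap)
            return IO_TOOLONG;                /* line does not fit: refuse it */
        line[used++] = c;
    }
    if (used > 0 && line[used - 1] == '\r')
        used--;
    line[used] = '\0';
    return IO_OK;
}

/* Stand-alone use: read one line from stdin with a 5-second overall deadline. */
int main(void)
{
    char line[1024];
    int rc = read_line_timed(STDIN_FILENO, line, sizeof line, 5000);
    if (rc == IO_OK)
        printf("got: %s\n", line);
    else
        printf("no line (code %d)\n", rc);
    return rc == IO_OK ? 0 : 1;
}
```

Two design points are worth noting: the clock is CLOCK_MONOTONIC, so a wall-clock adjustment cannot extend or shorten the wait, and the deadline is per line rather than per byte, so a peer that dribbles one byte every few seconds cannot hold the connection open indefinitely. The one-byte-at-a-time read keeps the example short; a production I/O layer would buffer.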
Handle theoretical integer overflows that could be triggered if
the server accepted headers larger than the maximum
(signed) integer value. This is prevented in the default
configuration by restricting the size of a header, and on
most machines memory allocations would fail before reaching
those values. Problems found by Phil Brass of ISS.
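The entry above makes two points: a size limit on headers keeps the total well below INT_MAX in the default configuration, and the arithmetic that tracks that total should fail safely rather than wrap. The following added example shows both checks in C. It is not sendmail code: the HDR_LIMIT value, the struct and the function names are the example's own assumptions, and the running total is deliberately kept as a signed int to mirror the bookkeeping the note describes.

```c
/* Added example: overflow-safe header size accounting. Not sendmail code. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative cap on total header bytes (an assumption for this example,
 * standing in for whatever the configuration sets). */
#define HDR_LIMIT 32768

/* Running total of accepted header bytes, kept as a signed int. */
struct hdr_acc {
    int total;
    int limit;
};

/* Add n bytes to the running total. Returns false, leaving total
 * unchanged, if the sum would exceed limit or wrap past INT_MAX. The
 * comparison is written as "n > room" so it cannot itself overflow. */
bool hdr_acc_add(struct hdr_acc *a, size_t n)
{
    int room;
    if (a->total < 0 || a->limit < 0 || a->total > a->limit)
        return false;                  /* inconsistent state: refuse */
    room = a->limit - a->total;        /* 0 <= room <= limit <= INT_MAX */
    if (n > (size_t)room)
        return false;
    a->total += (int)n;
    return true;
}

/* Bytes needed to store "name: value\r\n" plus a NUL, with explicit
 * overflow checks on the size_t arithmetic. */
bool hdr_line_size(size_t namelen, size_t valuelen, size_t *out)
{
    const size_t extra = 5;            /* ": " + "\r\n" + NUL */
    if (namelen > SIZE_MAX - extra)
        return false;
    if (valuelen > SIZE_MAX - extra - namelen)
        return false;
    *out = namelen + valuelen + extra;
    return true;
}

/* Format a header line into a fresh buffer, charging its on-the-wire size
 * to the accumulator. Returns NULL if the size computation would overflow,
 * the limit would be exceeded, or allocation fails. Caller frees. */
char *hdr_line_alloc(struct hdr_acc *a, const char *name, const char *value)
{
    size_t need;
    char *buf;

    if (!hdr_line_size(strlen(name), strlen(value), &need))
        return NULL;
    if (!hdr_acc_add(a, need - 1))     /* count wire bytes, not the NUL */
        return NULL;
    buf = malloc(need);
    if (buf == NULL) {
        a->total -= (int)(need - 1);   /* roll back the charge */
        return NULL;
    }
    snprintf(buf, need, "%s: %s\r\n", name, value);
    return buf;
}

/* Stand-alone use: show the accumulator refusing a header past the cap. */
int main(void)
{
    struct hdr_acc acc = { 0, HDR_LIMIT };
    char *l = hdr_line_alloc(&acc, "Subject", "hello");
    printf("%s%s", l ? l : "(refused)\n", "");
    printf("total now %d of %d\n", acc.total, acc.limit);
    printf("add 40000 more: %s\n", hdr_acc_add(&acc, 40000) ? "accepted" : "refused");
    free(l);
    return 0;
}
```

The pattern to take away is that every check compares against the remaining room (`limit - total`, `SIZE_MAX - extra`) rather than computing the sum first and testing it afterwards; the latter is exactly the form that silently wraps.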
If a server returns 421 for an RSET command when trying to start
another transaction in a session while sending mail, do
not trigger an internal consistency check. Problem found
by Allan E Johannesen of Worcester Polytechnic Institute.
If a server returns a 5xy error code (other than 501) in response
to a STARTTLS command, despite the fact that it advertised
STARTTLS and that the code is not valid according to RFC
2487, treat it nevertheless as a permanent failure instead
of a protocol error (which had been changed to a
temporary error in 8.13.5). Problem reported by Jeff
A. Earickson of Colby College.
Clear SMTP state after a HELO/EHLO command. Patch from John
Myers of Proofpoint.
Observe MinQueueAge option when gathering entries from the queue
for sorting, etc., instead of waiting until the entries are
processed. Patch from Brian Fundakowski Feldman.
Set up TLS session cache to properly handle clients that try to
resume a stored TLS session.
Properly count the number of (direct) child processes such that
a configured value (MaxDaemonChildren) is not exceeded.
Based on patch from Attila Bruncsak.
LIBMILTER: Remove superfluous backslash in macro definition
(libmilter.h). Based on patch from Mike Kupfer of
LIBMILTER: Don't try to set SO_REUSEADDR on UNIX domain sockets.
This generates an error message from libmilter on
Solaris, though other systems appear to just discard the
LIBMILTER: Deal with sigwait(2) implementations that return
-1 and set errno instead of returning an error code
directly. Patch from Chris Adams of HiWAAY Informations
Fix compilation checks for closefrom(3) and statvfs(2)
in NetBSD. Problem noted by S. Moonesamy, patch from