Sendmail Open Source MTA
Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.14.5. This version fixes a few problems, including:
- SMTP extensions are no longer cached across connections as the cache is based on hostname which may not be a unique identifier for a server, i.e., different machines may have the same hostname but provide different SMTP extensions.
- An out-of-bounds access is avoided in case a resolver reply for a DNS map lookup returns a size larger than 1K.
- The interrupt signal handler has been cleaned up to avoid invoking functions that are not signal-safe.
- At most two AUTH lines are read from a server to avoid a DoS attack against the client (memory exhaustion).
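An added C illustration of the last item, not taken from the sendmail source: an EHLO reply parser that stores at most two AUTH lines (the "AUTH mechs" and "AUTH=mechs" forms) in a fixed-size buffer, so further AUTH lines from a server consume no client memory. The struct, the function names and the sample greeting are constructed for this example.

```c
/* Added illustration, not sendmail source; names and sample lines are constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_AUTH_LINES 2   /* one "AUTH mechs" line plus one "AUTH=mechs" line */

struct ehlo_auth {
    int  seen;             /* AUTH lines the server sent */
    int  used;             /* AUTH lines actually stored */
    char mechs[256];       /* fixed budget for the mechanism list */
};

/* Handle one EHLO reply line; returns 1 if its mechanisms were stored. */
static int ehlo_line(struct ehlo_auth *st, const char *line)
{
    size_t have = strlen(st->mechs), len;

    if (strlen(line) < 8 || strncmp(line, "250", 3) != 0 ||
        strncasecmp(line + 4, "AUTH", 4) != 0 || (line[8] != ' ' && line[8] != '='))
        return 0;                        /* not an AUTH line */
    st->seen++;
    len = strcspn(line + 9, "\r\n");     /* mechanism list after "250-AUTH " */
    if (st->used >= MAX_AUTH_LINES || have + len + 2 > sizeof st->mechs)
        return 0;                        /* over the line cap or buffer budget */
    if (have > 0)
        st->mechs[have++] = ' ';
    memcpy(st->mechs + have, line + 9, len);
    st->mechs[have + len] = '\0';
    st->used++;
    return 1;
}

/* Constructed greeting: two genuine AUTH lines followed by `extra` more. */
static struct ehlo_auth parse_constructed(int extra)
{
    struct ehlo_auth st = {0, 0, ""};
    ehlo_line(&st, "250-AUTH PLAIN LOGIN");
    ehlo_line(&st, "250-AUTH=PLAIN LOGIN");
    while (extra-- > 0)
        ehlo_line(&st, "250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5");
    return st;
}

int main(void)
{
    struct ehlo_auth r = parse_constructed(1000);
    printf("seen=%d used=%d mechs=\"%s\"\n", r.seen, r.used, r.mechs);
    return 0;
}
```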
A complete list of changes can be found in the release notes.
Please send bug reports and general feedback to one of the addresses listed at one of the following addresses.
The version can be found at:
MD5 signatures:
f3ebb70a5af37aaa6174bc07fb9cd1ae sendmail.8.14.5.tar.Z
d5c02a48b1c2c75babb9c666f5b3b1a6 sendmail.8.14.5.tar.Z.sig
02ccfc331cc81ed00ec8bb5ecfc69018 sendmail.8.14.5.tar.gz
43b8cb0eac8e4d9fe47013fa78f32752 sendmail.8.14.5.tar.gz.sig
ERRATA:
- (2011-05-26) If a server offers two AUTH lines, the MTA would not read them after STARTTLS has been used and hence SMTP AUTH for the client side would fail. Problem noted by Lena. A patch (signature) is available.
You either need the first two files or the third and fourth, i.e., the gzip'ed version or the compressed version and the corresponding sig file. The PGP signature was created using the Sendmail Signing Key/2011, available on the web site (http://www.sendmail.com/sm/open_source/download/) or on the public key servers.
Since sendmail 8.11 and later includes hooks to cryptography, the following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE, OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS, OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE, YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU.
THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
SENDMAIL RELEASE NOTES
$Id: RELEASE_NOTES,v 8.1991 2011/05/15 04:28:16 ca Exp $
This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release.
8.14.5/8.14.5 2011/05/17
- Do not cache SMTP extensions across connections as the cache is based on hostname which may not be a unique identifier for a server, i.e., different machines may have the same hostname but provide different SMTP extensions. Problem noted by Jim Hermann.
- Avoid an out-of-bounds access in case a resolver reply for a DNS map lookup returns a size larger than 1K. Based on a patch from Dr. Werner Fink of SuSE.
- If a job is aborted using the interrupt signal (e.g., control-C from the keyboard), perform minimal cleanup to avoid invoking functions that are not signal-safe. Note: in previous versions the mail might have been queued up already and would be delivered subsequently, now an interrupt will always remove the queue files and thus prevent delivery.
- Per RFC 6176, when operating as a TLS client, do not offer SSLv2.
- Since TLS session resumption is never used as a client, disable use of RFC 4507-style session tickets.
- Work around gcc4 versions which reverse 25 years of history and no longer align char buffers on the stack, breaking calls to resolver functions on strict alignment platforms. Found by Stuart Henderson of OpenBSD.
- Read at most two AUTH lines from a server greeting (up to two lines are read because servers may use "AUTH mechs" and "AUTH=mechs"). Otherwise a malicious server may exhaust the memory of the client. Bug report by Nils of MWR InfoSecurity.
- Avoid triggering an assertion in the OpenLDAP code when the connection to an LDAP server is lost while making a query. Problem noted and patch provided by Andy Fiddaman.
- If ConnectOnlyTo is set and sendmail is compiled with NETINET6 it would try to use an IPv6 address if an IPv4 (or unparseable) address is specified.
- If SASLv2 is used, make sure that the macro {auth_authen} is stored in xtext format to avoid problems with parsing it. Problem noted by Christophe Wolfhugel.
- CONFIG: FEATURE(`ldap_routing') in 8.14.4 tried to add a missing -T<TMPF> that is required, but failed for some cases that did not use LDAP. This change has been undone until a better solution can be implemented. Problem found by Andy Fiddaman.
- CONFIG: Add cf/ostype/solaris11.m4 for Solaris11 support. Contributed by Casper Dik of Oracle.
- CONTRIB: qtool.pl: Deal with H entries that do not have a letter between the question marks. Patch from Stefan Christensen.
- DOC: Use a better description for the -i option in sendmail. Patch from Mitchell Berger.
- Portability:
  - Add support for Darwin 10.x (Mac OS X 10.6).
  - Enable HAVE_NANOSLEEP for FreeBSD 3 and later. Patch from John Marshall.
  - Enable HAVE_NANOSLEEP for OpenBSD 4.3 and later.
  - Use new directory "/system/volatile" for PidFile on Solaris 11. Patch from Casper Dik of Oracle.
  - Fix compilation on Solaris 11 (and maybe some other OSs) when using OpenSSL 1.0. Based on patch from Jan Pechanec of Oracle.
  - Set SOCKADDR_LEN_T and SOCKOPT_LEN_T to socklen_t for Solaris 11. Patch from Roger Faulkner of Oracle.
- New Files:
  - cf/ostype/solaris11.m4