Red Hat 9062 Published by

Fedora Legacy Update Advisory

Synopsis: Updated sendmail packages fix security issue
Advisory ID: FLSA:186277
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2006-0058
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

Updated sendmail packages that fix a security issue are now
available.

The sendmail package provides a widely used Mail Transport Agent (MTA).

[Updated 4th April 2006]
Red Hat Linux 7.3, Red Hat Linux 9, and Fedora Core 1 packages have been
updated to correct numerous problems with the previously released
updates.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw in the handling of asynchronous signals was discovered in
Sendmail. A remote attacker may be able to exploit a race condition to
execute arbitrary code as root. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0058 to this issue.

In order to correct this issue for RHL 7.3 users, it was necessary to
upgrade the version of Sendmail from 8.11 as originally shipped to
Sendmail 8.12.11 with the addition of the security patch supplied by
Sendmail Inc. This erratum provides updated packages based on Sendmail
8.12 with a compatibility mode enabled as provided by Red Hat for
RHEL 2.1. After updating to these packages, users should pay close
attention to their sendmail logs to ensure that the upgrade completed
sucessfully.

In order to correct this issue for RHL 9 and FC1 users, it was necessary
to upgrade the version of Sendmail from 8.12.8 and 8.12.10 respectively
to 8.12.11 with the addition of the security patch supplied by Sendmail
Inc. After updating to these packages, users should pay close attention
to their sendmail logs to ensure that the upgrade completed sucessfully.

For Fedora Core 3 users, the patch supplied by Sendmail Inc. applies
cleanly to the latest sendmail package previously released for Fedora
Core 3.

Users of Sendmail should upgrade to this updated package, which contains
a backported patch to correct this issue. Users updating to these
packages are urged to review their sendmail.cf file after updating.


4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.1
1-4.22.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11
-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12
.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8
.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.1
2.11-4.22.10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sendmail-8.12.11-
4.24.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-8.12.11-4
.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-cf-8.12.1
1-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-devel-8.1
2.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-doc-8.12.
11-4.24.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sendmail-8.12.11-
4.25.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-8.12.11-4
.25.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-cf-8.12.1
1-4.25.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-devel-8.1
2.11-4.25.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-doc-8.12.
11-4.25.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/sendmail-8.12.11-
4.26.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-8.12.11-4
.26.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-cf-8.12.1
1-4.26.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-devel-8.1
2.11-4.26.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-doc-8.12.
11-4.26.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/sendmail-8.13.1-3
.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-8.13.1-3.
legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-cf-8.13.1
-3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-devel-8.1
3.1-3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-doc-8.13.
1-3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-8.13.1-
3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-cf-8.13
.1-3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-devel-8
.13.1-3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-doc-8.1
3.1-3.legacy.x86_64.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------
950fc853550d93f521d4203b9f78023721fbdecd
redhat/7.3/updates/i386/sendmail-8.12.11-4.22.10.legacy.i386.rpm
d8c06f3f92d7dd526426b86e52bdd244e75c061a
redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.10.legacy.i386.rpm
dde44f59a60481edae75ddf6d854341308e4ce62
redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.10.legacy.i386.rpm
faf27d20eb151227225cc4e2ac5014bb205aa350
redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.10.legacy.i386.rpm
e0b9ece564e8103a254311da19c6bc41a21c8ffc
redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.10.legacy.src.rpm

9f1caeadce45e2922f6bc29ea0f4e7bce4e26d02
redhat/9/updates/i386/sendmail-8.12.11-4.24.3.legacy.i386.rpm
6b7b437bb58ac9f805185ae992da9a157a0d755d
redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm
ae48cf1d3a5d8f5bfc789a408de392fe27e84b73
redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm
4571b20f603bf6f90558aa09107f5b2ae17e8111
redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.3.legacy.i386.rpm
4b4ed7d51e710a447c6a839dcf203bc4636c2f62
redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.3.legacy.src.rpm

3f6edb4bdcd42cca1f01fce9482d3ac10b56f530
fedora/1/updates/i386/sendmail-8.12.11-4.25.3.legacy.i386.rpm
7aaa9743d312b7ebc95baa83e186acaa267f6915
fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.3.legacy.i386.rpm
dfabadaa764d471b2c5963547643ca4bbe5ca0e7
fedora/1/updates/i386/sendmail-devel-8.12.11-4.25.3.legacy.i386.rpm
121433ec0c71a163993cf2a94f33fa67df786b11
fedora/1/updates/i386/sendmail-doc-8.12.11-4.25.3.legacy.i386.rpm
d41f7652ea88a068e21c7f68bb018b8462695754
fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.3.legacy.src.rpm

7e44b02696338832e2dfc0057aeb58c98511d0d2
fedora/2/updates/i386/sendmail-8.12.11-4.26.legacy.i386.rpm
d159f0c92bd530799b75341d18b5b2cbe5aa5a0a
fedora/2/updates/i386/sendmail-cf-8.12.11-4.26.legacy.i386.rpm
8421bfb2eb2f2b3fddb35e905fdcfecd0fb8088c
fedora/2/updates/i386/sendmail-devel-8.12.11-4.26.legacy.i386.rpm
b659d2733afa3d6f4df840a395c6eae3a5c07d50
fedora/2/updates/i386/sendmail-doc-8.12.11-4.26.legacy.i386.rpm
65086d18cb29e02b57ce07b6abf79ba378ae1c3c
fedora/2/updates/SRPMS/sendmail-8.12.11-4.26.legacy.src.rpm

6cc0f44ad32c0eb62801331bf8bfa41625b61031
fedora/3/updates/i386/sendmail-8.13.1-3.legacy.i386.rpm
04bd02d3f731eb985d6e8b9fde7ee3ddc5bdccfe
fedora/3/updates/i386/sendmail-cf-8.13.1-3.legacy.i386.rpm
97f173fa48f847feb5051bc2cb4686f53e3895ac
fedora/3/updates/i386/sendmail-devel-8.13.1-3.legacy.i386.rpm
298c0908052efdbc671dda1f22f025f96a10d770
fedora/3/updates/i386/sendmail-doc-8.13.1-3.legacy.i386.rpm
162a1e21ac33e5a9072f7cb9934d17523d8160f6
fedora/3/updates/x86_64/sendmail-8.13.1-3.legacy.x86_64.rpm
939de41400340905ec0b378b501e5d1b8b41e545
fedora/3/updates/x86_64/sendmail-cf-8.13.1-3.legacy.x86_64.rpm
c09947143c351f575737036599c23c542404d82e
fedora/3/updates/x86_64/sendmail-devel-8.13.1-3.legacy.x86_64.rpm
bd1b9553b49e5c2631a40f68461472b1671f9beb
fedora/3/updates/x86_64/sendmail-doc-8.13.1-3.legacy.x86_64.rpm
fbfba64eac81e57ae098f967b7d3bf4e47e04c87
fedora/3/updates/SRPMS/sendmail-8.13.1-3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://www.kb.cert.org/vuls/id/834865
http://www.sendmail.com/company/advisory/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
http://rhn.redhat.com/errata/RHSA-2006-0265.html
http://rhn.redhat.com/errata/RHSA-2006-0264.html

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org