Bug 1313508

Summary: Security fix for sendmail 8.15.2 available: SMTP session reuse bugfix
Product: [Fedora] Fedora Reporter: Edgar Hoch <edgar.hoch>
Component: sendmailAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 23CC: jskarvad
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: All   
Whiteboard:
Fixed In Version: sendmail-8.15.2-3.fc23 sendmail-8.15.2-2.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-17 20:55:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Edgar Hoch 2016-03-01 17:45:24 UTC 
Description of problem:

Claus Assmann from sendmail.org send a mail to sendmail-announce today containing the following message (the patch is not included, because it contains a link to it).

It would be helpful if the maintainers would release an updated package of sendmail which has the patch applied.

The bug is reported against Fedora 23, because I can only select one version. But I think it should be applied to all current version (22, 23, 24, rawhide).
sendmail-8.15.2-2.fc23.x86_64

Thanks in advance.

========

If sendmail tried to reuse an SMTP session which had already been
closed by the server, then the connection cache could have invalid
information about the session.  One possible consequence was that
STARTTLS was not used even if offered.
The problem can be fixed by either:
- applying the attached patch (for 8.15.2), also available at
  ftp://ftp.sendmail.org/pub/sendmail/8.15.2.mci.p0
  ftp://ftp.sendmail.org/pub/sendmail/8.15.2.mci.p0.sig
- or disabling the connection cache:
define(`confMCI_CACHE_SIZE', `0')

The problem can be mitigated by setting at least one of these options:
- using a very short timeout:
define(`confMCI_CACHE_TIMEOUT', `5s')
- sorting the queue by hosts:
define(`confQUEUE_SORT_ORDER', `Host')

To apply this patch, cd to the source code directory, then rebuild
and reinstall sendmail.

cd sendmail-8.15.2
patch  < 8.15.2.mci.p0

Note: This issue is fixed in sendmail snapshot 8.16.0.16 (or newer)
for those who would like to test upcoming releases.
Comment 1 Jaroslav Škarvada 2016-03-01 17:57:28 UTC 
I have already fixed this issue in rawhide, the update for other versions will be created soon.
Comment 2 Fedora Update System 2016-03-01 18:54:06 UTC 
sendmail-8.15.2-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5fb0d8ce68
Comment 3 Fedora Update System 2016-03-01 18:56:55 UTC 
sendmail-8.15.2-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a4155fbf34
Comment 4 Fedora Update System 2016-03-02 03:31:52 UTC 
sendmail-8.15.2-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a4155fbf34
Comment 5 Fedora Update System 2016-03-02 12:52:19 UTC 
sendmail-8.15.2-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5fb0d8ce68
Comment 6 Fedora Update System 2016-03-17 20:55:10 UTC 
sendmail-8.15.2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-03-17 21:21:33 UTC 
sendmail-8.15.2-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.