Bug 195418
| Summary: | CVE-2006-1173 Sendmail - Deeply nested malformed MIME denial of service attack | | |
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | David Eisenstein <deisenst> |
| Component: | sendmail | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | jkeating, marc.deslauriers, sheltren, tmeader |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.kb.cert.org/vuls/id/146718 | | |
| Whiteboard: | LEGACY, rh73, rh90, 1, 2, 3 | | |
| Fixed In Version: | FLSA-2006:195418 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-10-29 09:38:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
David Eisenstein
2006-06-15 04:37:55 UTC
Am building packages for RHL 7.3, RHL 9, FC1, FC2, FC3.

Here are some .src.rpm for PUBLISH (Source) QA for sendmail, fixing CVE-2006-1173. Patches were obtained from RHEL 3 (for all sendmail-8.12.11-*-legacy) and RHEL 4 (for sendmail-8.13.1-3.fc3.1.legacy).

http://fedoralegacy.org/contrib/sendmail/

SHA1SUMS and packages:

    0c11bdb206636c3dfefab41b93a2be0515a73a28  RH73/sendmail-8.12.11-4.22.11.legacy.src.rpm
    9d078a6cf4d539894bd3d6c5dde06d38fa3f35cf  RH9/sendmail-8.12.11-4.24.4.legacy.src.rpm
    6e8d25242fb6fd1d58cf8214997a128089058156  FC1/sendmail-8.12.11-4.25.4.legacy.src.rpm
    b5f8f517939a769b89f99af59408bae53849f0d7  FC2/sendmail-8.12.11-4.26.1.legacy.src.rpm
    aadb524e6ea8536471aa6f6f93521df31ff01fc1  FC3/sendmail-8.13.1-3.fc3.1.legacy.src.rpm

Typical RH73, RH9, FC1, FC2 changelogs:

    * Wed Jun 14 2006 David Eisenstein <deisenst@...> 8.12.11-(release).legacy
    - Fold in patch for CVE-2006-1173 from RHEL 3. (Next two changelog items).
    - Bug #195418
    * Fri Jun 9 2006 Thomas Woerner <twoerner@...> 8.12.11-4.RHEL3.6
    - second incarnation of patch for CVE-2006-1173 (VU#146718)
    * Wed May 23 2006 Thomas Woerner <twoerner@...> 8.12.11-4.RHEL3.5
    - fixed CVE-2006-1173 (VU#146718): possible denial of service issue caused by malformed multipart messages (#191203)

FC3 changelog:

    * Wed Jun 14 2006 David Eisenstein <deisenst> 8.13.1-3.fc3.1.legacy
    - Fold in patch for CVE-2006-1173 from RHEL 4. (Next two changelog items).
    - Bug #195418
    * Fri Jun 9 2006 Thomas Woerner <twoerner> 8.13.1-3.RHEL4.5
    - second incarnation of patch for CVE-2006-1173 (VU#146718)
    * Wed May 23 2006 Thomas Woerner <twoerner> 8.13.1-3.RHEL4.4
    - fixed CVE-2006-1173 (VU#146718): possible denial of service issue caused by malformed multipart messages (#191203)

I've done QA on the proposed packages:

    0c11bdb206636c3dfefab41b93a2be0515a73a28  rh73/sendmail-8.12.11-4.22.11.legacy.src.rpm
    9d078a6cf4d539894bd3d6c5dde06d38fa3f35cf  rh9/sendmail-8.12.11-4.24.4.legacy.src.rpm
    6e8d25242fb6fd1d58cf8214997a128089058156  fc1/sendmail-8.12.11-4.25.4.legacy.src.rpm
    b5f8f517939a769b89f99af59408bae53849f0d7  fc2/sendmail-8.12.11-4.26.1.legacy.src.rpm
    aadb524e6ea8536471aa6f6f93521df31ff01fc1  fc3/sendmail-8.13.1-3.fc3.1.legacy.src.rpm

All files match those from previous releases except for the new patch: sendmail-8.12-VU#146718.patch. That patch is identical to the one from the EL3 sendmail package, or in the case of FC3, the patch is identical to the one from EL4. Only spec file changes are to add the new patch, bump release and modify the changelog.

I do have a problem with the release tag change for the FC3 package. The old package used:

    Release: 3.legacy

The new one is:

    Release: 3.fc3.1.legacy

If I recall correctly, RPM will see the old release as being newer than the new release because a) 3 == 3 b) l > f

I see that the current FC4 sendmail package is sendmail-8.13.6. Since FC3 uses sendmail-8.13.1, we don't really have to worry about bumping the release too high and screwing up the upgrade path because the version in FC4 will always be higher. I'd suggest simply changing '3.legacy' to '4.legacy'. Aside from that, everything looks good with all the packages.

RH73 PUBLISH++
RH9 PUBLISH++
FC1 PUBLISH++
FC2 PUBLISH++
FC3 PUBLISH++ (pending a fix to the release tag)

Thanks for the QA! Good catch, Jeff. The release tag will be fixed during build. Thanks.

Hate to bugspam, but is there any ETA on either a release or even testing build of the patched RPMs?

Packages were pushed to updates-testing.

    31695348a11ac9b47d5470249072f2175131bdab  sendmail-8.12.11-4.24.4.legacy.i386.rpm
    05c883b5a6b218f69a08c711ca71e4d14d958141  sendmail-cf-8.12.11-4.24.4.legacy.i386.rpm
    7bc9aef8a1a8794eb6ad6c8496ede743bc61fd76  sendmail-devel-8.12.11-4.24.4.legacy.i386.rpm
    470d3a9ada94a6d1735176050cfa94c8eefc8c70  sendmail-doc-8.12.11-4.24.4.legacy.i386.rpm

installs OK, mc file recreates fine with m4 (no major difference from previous). email comes and goes fine.

+VERIFY RH9

Thank you for the QA on this, Tom Yates. I think according to Fedora Legacy policy, if a verify happens on at least one of the distros/releases, then a timeout of one week is supposed to be created after which packages should be released unless there is objection? ... and if no one does a verify vote on any of the packages, they get released anyway after a timeout of 2 weeks or 3 weeks? (Sorry, have been away for awhile.) Pekka used to help track these and stay on top of them. So bottom line -- but aren't these due for release to updates?

yep...these should be released...

I can't release these. Would you please do so, Marc or Jesse? Thanks! -David

Released to updates.

Announcement: <http://www.redhat.com/archives/fedora-legacy-announce/2006-October/msg00000.html>

The repo metadata still needs to be updated before users will be able to update via yum. The announcement probably should have been held until this was done, to avoid confusion.
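Jeff's objection about the FC3 release tag is worth making concrete, because a security update whose EVR sorts below the installed package is silently never offered by rpm or yum. The following Python port of rpm's rpmvercmp segment ordering is an added example, not code from this bug or from the sendmail packages; it implements the '~' rule but omits rpm's later '^' rule, and checks the release tags quoted in the thread.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.  Digit or
    letter runs compare segmentwise, separators are skipped, '~' sorts lowest."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:  # tilde loses even against the end of the string
            if ta != tb:
                return -1 if ta else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        pat = r"[0-9]+" if a[i].isdigit() else r"[A-Za-z]+"
        sa, mb = re.match(pat, a[i:]).group(0), re.match(pat, b[j:])
        if mb is None:  # segment types differ here: numeric wins over alpha
            return 1 if a[i].isdigit() else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if pat == r"[0-9]+":
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:  # same length: plain string order decides ("legacy" > "fc")
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever has characters left over wins

def would_upgrade(installed, candidate) -> bool:
    """True if rpm -U / yum would replace installed with candidate; both
    are (epoch, version, release) tuples compared left to right."""
    for x, y in zip(candidate, installed):
        rc = rpmvercmp(x, y)
        if rc:
            return rc > 0
    return False

if __name__ == "__main__":
    # Release tags quoted in the QA comment for the FC3 sendmail package.
    old = ("0", "8.13.1", "3.legacy")
    print(would_upgrade(old, ("0", "8.13.1", "3.fc3.1.legacy")))  # False
    print(would_upgrade(old, ("0", "8.13.1", "4.legacy")))  # True
```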