Bug 195282 - Sendmail 8.13.7 is released
Summary: Sendmail 8.13.7 is released
Alias: None
Product: Fedora
Classification: Fedora
Component: sendmail
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: David Lawrence
URL: http://www.sendmail.org/releases/8.13...
Depends On: 192850 195006
Reported: 2006-06-14 17:43 UTC by Robert Scheck
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-06-19 16:30:03 UTC

Attachments
Patch7: sendmail-8.13.7-pid.patch (822 bytes, patch)
2006-06-14 17:44 UTC, Robert Scheck
Updated Patch7: sendmail-8.13.7-pid.patch (as partial fix of bug #176679) (820 bytes, patch)
2006-06-14 17:49 UTC, Robert Scheck

Description Robert Scheck 2006-06-14 17:43:05 UTC
Description of problem:
Sendmail, Inc., and the Sendmail Consortium announce the availability of 
sendmail 8.13.7. It fixes a potential denial of service problem caused by 
excessive recursion which leads to stack exhaustion when attempting delivery
of a malformed MIME message. Therefore, the function mime8to7() has been 
modified to limit the recursion level at (the compile time constant) 
MAXMIMENESTING. Note: This denial of service attack only affects delivery of 
mail from the queue and delivery of a malformed message. Other incoming mail
is still accepted and delivered. However, mail messages in the queue may not
be reattempted if a malformed MIME message exists.

Version-Release number of selected component (if applicable):

Actual/expected results:
Upgrade to 8.13.7, updated Patch7 is attached.

Additional info:
Bug #195006 and #192850 should also be fixed before building the new version.
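
The recursion cap that the announcement describes for mime8to7(), shown as an added example that is not part of this report or of sendmail's source: a simplified multipart walker that refuses to descend past a fixed level. The names walk_entity, nesting_of and MAX_NESTING, the value 20 and the constructed test messages are assumptions of this example; boundary names are assumed not to be prefixes of one another.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NESTING 20  /* stands in for MAXMIMENESTING; value assumed here */
/* Walk one MIME entity in [p, end) of a NUL-terminated buffer. Returns the
 * deepest level reached, or -1 once nesting passes MAX_NESTING. Simplified:
 * "\n" line ends, delimiters matched anywhere, not only at line start. */
static int walk_entity(const char *p, const char *end, int level)
{
    char delim[80] = "--";              /* "--" + boundary, zero-filled */
    const char *hdr_end, *b, *part, *next;
    int n = 2, deepest = level, d;

    if (level > MAX_NESTING)
        return -1;                      /* refuse before the stack grows */
    hdr_end = strstr(p, "\n\n");
    b = strstr(p, "boundary=");
    if (!hdr_end || hdr_end >= end || !b || b > hdr_end)
        return level;                   /* leaf: no boundary in own header */
    for (b += (b[9] == '"') ? 10 : 9; *b && !strchr("\";\n ", *b) && n < 79; b++)
        delim[n++] = *b;
    for (part = strstr(hdr_end, delim); part && part < end; part = next) {
        part += n;
        if (part >= end || !strncmp(part, "--", 2))
            break;                      /* closing delimiter or end of data */
        next = strstr(part, delim);
        if (!next || next > end)
            next = end;
        part = memchr(part, '\n', (size_t)(next - part));
        d = part ? walk_entity(part + 1, next, level + 1) : level;
        if (d < 0)
            return -1;                  /* propagate "too deep" to the caller */
        deepest = d > deepest ? d : deepest;
    }
    return deepest;
}

/* Build a constructed message with `depth` multipart levels and walk it. */
int nesting_of(int depth)
{
    static char msg[8192];
    int i, n = 0;
    for (i = 0; i < depth && i < 100; i++)
        n += snprintf(msg + n, sizeof msg - n,
                      "Content-Type: multipart/mixed; boundary=L%02d\n\n--L%02d\n", i, i);
    n += snprintf(msg + n, sizeof msg - n, "Content-Type: text/plain\n\nhi\n");
    return walk_entity(msg, msg + n, 0);
}

int main(void) { printf("%d %d\n", nesting_of(20), nesting_of(21)); return 0; }
```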

Comment 1 Robert Scheck 2006-06-14 17:44:24 UTC
Created attachment 130888
Patch7: sendmail-8.13.7-pid.patch

Comment 2 Robert Scheck 2006-06-14 17:49:42 UTC
Created attachment 130893
Updated Patch7: sendmail-8.13.7-pid.patch (as partial fix of bug #176679)

Comment 3 Gilbert Sebenste 2006-06-17 03:37:10 UTC
We need to bump this to priority high. This is a security issue, for a
denial of service... and a general rule of thumb is if you can DOS it, you can
eventually hack it.

Comment 4 Robert Scheck 2006-06-17 11:19:55 UTC
No, we don't really need to. This bug was filed against Fedora Core devel (that
means Rawhide) which shouldn't be used on production machines anyway. For RHEL 
this issue is already resolved by RHSA-2006:0515-01. But to make you happy...

Comment 5 Thomas Woerner 2006-06-19 16:30:03 UTC
Fixed in rawhide in rpm sendmail-8.13.7-1 or newer.
