Sendmail 8.12.8
Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.12.8. It contains a fix for a critical security problem in header parsing discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force for bringing this problem to our attention. Sendmail urges all users to either upgrade to sendmail 8.12.8 or apply a patch for 8.12. Patches for older versions are available.
For a complete list of changes see the release notes down below.
Please send bug reports to sendmail-bugs@sendmail.org as usual.
Note: We have changed the way we digitally sign the source code distributions to simplify verification: in contrast to earlier versions two .sig files are provided, one each for the gzip'ed version and the compressed version. That is, instead of signing the tar file, we sign the compressed/gzip'ed files, so you do not need to uncompress the file before checking the signature.
This version can be found at
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig
and the usual mirror sites.
MD5 signatures:
71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz 2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig
You either need the first two files or the third and fourth, i.e., the gzip'ed version or the compressed version and the corresponding .sig file. The PGP signature was created using the Sendmail Signing Key/2003, available on the web site or on the public key servers.
Since sendmail 8.11 and later includes hooks to cryptography, the following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
SENDMAIL RELEASE NOTES
$Id: 8.12.8.html,v 1.2 2006/04/12 21:51:46 eric Exp $
This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release.
8.12.8/8.12.8 2003/02/11 SECURITY: Fix a remote buffer overflow in header parsing by dropping sender and recipient header comments if the comments are too long. Problem noted by Mark Dowd of ISS X-Force. Fix a potential non-exploitable buffer overflow in parsing the .cf queue settings and potential buffer underflow in parsing ident responses. Problem noted by Yichen Xie of Stanford University Compilation Group. Fix ETRN #queuegroup command: actually start a queue run for the selected queue group. Problem noted by Jos Vos. If MaxMimeHeaderLength is set and a malformed MIME header is fixed, log the fixup as "Fixed MIME header" instead of "Truncated MIME header". Problem noted by Ian J Hart. CONFIG: Fix regression bug in proto.m4 that caused a bogus error message: "FEATURE() should be before MAILER()". MAIL.LOCAL: Be more explicit in some error cases, i.e., whether a mailbox has more than one link or whether it is not a regular file. Patch from John Beck of Sun Microsystems.
