Last Update 1997-05-12

Content-Type: text/plain; charset=us-ascii

MD5(sendmail.8.8.6.Beta3.tar.gz) = 1dda14acda58b1cd952f6fcd1c267f1e

A Beta release of sendmail 8.8.6 is available for public FTP.  Although
you cannot read the /pub/sendmail/.beta directory, you should be able
to get the file.  There is also a sendmail.8.8.6.Beta3.tar.sig file in
that directory; that PGP signature uses a new Sendmail distribution key
that will be used for releases in the future.  The key is named
"Sendmail Signing Key/1997 <sendmail@Sendmail.ORG>" and has fingerprint
CA AE F2 94 3B 1D 41 3C  94 7B 72 5F AE 0B 6A 11.  It is signed by me
and by several other members of the sendmail community.

Although the RELEASE_NOTES file lists several "security" fixes, note
that most of these are to handle pretty obscure cases (e.g., sites that
have alias databases in world writable directories).  There is one
nasty DoS attack if you use long term host status, and a problem if
you use the RunAsUser option with numeric values.

I'm going to be unavailable for a while, so any critical patches will
be released (and signed using the Sendmail Signing Key) by Gregory Neil
Shapiro, who has graciously offered to keep an eye on things in my
absence.  If you have any problems, please send mail to
sendmail-bugs@Sendmail.ORG (not to me).  The intent is to release
sendmail 8.8.6 in early June.

The relevant section of RELEASE_NOTES is included.


8.8.6/8.8.6	97/05/XXX
	    * The extensive assistance of Gregory Neil Shapiro of WPI	*
	    * in preparing this release is gratefully appreciated.	*
	    * Sun Microsystems has also provided resources toward	*
	    * continued sendmail development.				*
	SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
		mode bits set to create a file that is a symbolic link that
		points nowhere.  This makes it possible to create a root
		owned file in an arbitrary directory by inserting the symlink
		into a writable directory after the initial lstat(2) check
		determined that the file did not exist.  The only verified
		example of a system having these odd semantics for O_EXCL
		and symbolic links was HP-UX prior to version 9.07.  Most
		systems do not have the problem, since a exclusive create
		of a file disallows symbolic links.  Systems that have been
		verified to NOT have the problem include AIX 3.x, *BSD,
		DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
		and Ultrix.  This is a potential exposure on systems that
		have this bug and which do not have a MAILER-DAEMON alias
		pointing at a legitimate account, since this will cause old
		mail to be dropped in /var/tmp/dead.letter.
	SECURITY: Problems can occur on poorly managed systems, specifically,
		if maps or alias files are in world writable directories.
		If your system has alias maps in writable directories, it
		is potentially possible for an attacker to replace the .db
		(or .dir and .pag) files by symbolic links pointing at
		another database; this can be used either to expose
		information (e.g., by pointing an alias file at /etc/spwd.db
		and probing for accounts), or as a denial-of-service attack
		(by trashing the password database).  The fix disallows
		symbolic links entirely when rebuilding alias files or on
		maps that are in writable directories, and always warns on
		writable directories; 8.9 will probably consider writable
		directories to be fatal errors.  This does not represent an
		exposure on systems that have alias files in unwritable
		system directories.
	SECURITY: disallow .forward or :include: files that are links (hard
		or soft) if the parent directory (or any directory in the
		path) is writable by anyone other than the owner.  This is
		similar to the previous case for user files.  This change
		should not affect most systems, but is necessary to prevent
		an attacker who can write the directory from pointing such
		files at other files that are readable only by the owner.
	SECURITY: Tighten safechown rules: many systems will say that they
		have a safe (restricted to root) chown even on files that
		are mounted from another system that allows owners to give
		away files.  The new rules are very strict, trusting file
		ownership only in those few cases where the system has
		been verified to be at least as paranoid as necessary.
		However, it is possible to relax the rules to partially
		trust the ownership if the directory path is not world or
		group writable.  This might allow someone who has a legitimate
		:include: file (referenced directly from /etc/aliases) to
		become another non-root user if the :include: file is in a
		non-writable directory on an NFS-mounted filesystem where
		the local system says that giveaway is denied but it is
		actually permitted.  I believe this to be a very small set
		of cases.  If in doubt, do not point :include: aliases at
		NFS-mounted filesystems.
	SECURITY: When setting a numeric group id using the RunAsUser option
		(e.g., "O RunAsUser=10:20", the group id would not be set.
		Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
		group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
		The user id was still set properly.  Problem noted by Uli
		Pralle of the Technical University of Berlin.
	Save the initial gid set for use when checking for if the
		PrivacyOptions=restrictmailq option is set.  Problem reported
		by Wolfgang Ley of DFN-CERT.
	Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a
		failure on one message won't affect future messages to the
		same host).
	IP source route printing had an "off by one" error that would
		affect any options that came after the route option.  Patch
		from Theo de Raadt.
	The "Message is too large" error didn't successfully bounce the error
		back to the sender.  Problem reported by Stephen More of
		PSI; patch from Gregory Neil Shapiro of WPI.
	Change SMTP status code 553 to map into Extended code 5.1.0 (instead
		of 5.1.3); it apparently gets used in multiple ways.
		Suggested by John Myers of Portola Communications.
	Fix possible extra null byte generated during collection if errors
		occur at the beginning of the stream.  Patch contributed by
		Andrey A. Chernov and Gregory Neil Shapiro.
	Code changes to avoid possible reentrant call of malloc/free within
		a signal handler.  Problem noted by John Beck of Sun
	Move map initialization to be earlier so that check_relay ruleset
		will have the latest version of the map data.  Problem noted
		by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.
	If there are fatal errors during the collection phase (e.g., message
		too large) don't send the bogus message.
	Avoid "cannot open xfAAA00000" messages when sending to aliases that
		have errors and have owner- aliases.  Problem noted by Michael
		Barber of MTU; fix from Gregory Neil Shapiro of WPI.
	Avoid null pointer dereference on illegal Boundary= parameters in
		multipart/mixed Content-Type: header.  Problem noted by
		Richard Muirden of RMIT University.
	Always print error messages during newaliases (-bi) even if the
		ErrorMode is not set to "print".  Fix from Gregory Neil
	Test mode could core dump if you did a /map lookup in an optional map
		that could not be opened.  Based on a fix from John Beck of
		Sun Microsystems.
	If DNS is misconfigured so that the last MX record tried points to
		a host that does not have an A record, but other MX records
		pointed to something reasonable, don't bounce the message
		with a "host unknown" error.  Note that this should really
		be fixed in the zone file for the domain.  Problem noted by
		Joe Rhett of Navigist, Inc.
	If a map fails (e.g., DNS times out) on all recipient addresses, mark
		the message as having been tried; otherwise the next queue
		run will not realize that this is a second attempt and will
		retry immediately.  Problem noted by Bryan Costales of
		Mercury Mail.
	If the clock is set backwards, and a MinQueueAge is set, no jobs
		will be run until the later setting of the clock is reached.
		"Problem" (I use the term loosely) noted by Eric Hagberg of
		Morgan Stanley.
	If the load average rises above the cutoff threshold (above which
		sendmail will not process the queue at all) during a queue
		run, abort the queue run immediately.  Problem noted by
		Bryan Costales of Mercury Mail.
	The variable queue processing algorithm (based on the message size,
		number of recipients, message precedence, and job age) was
		non-functional -- either the entire queue was processed or
		none of the queue was processed.  The updated algorithm
		does no queue run if a single recipient zero size job will
		not be run.
	If there is a fatal ("panic") message that will cause sendmail to
		die immediately, never hold the error message for future
	Force ErrorMode=print in -bt mode so that all errors are printed
		regardless of the setting of the ErrorMode option in the
		configuration file.  Patch from Gregory Neil Shapiro.
	New compile flag HASSTRERROR says that this OS has the strerror(3)
		routine available in one of the libraries.  Use it in conf.h.
	The -m (match only) flag now works on host class maps.
	If class hash or btree maps are rebuilt, sendmail will now detect
		this and reopen the map.  Previously, they could give
		erroneous results during a single message processing
		(but would recover when the next message was received).
	Don't delete zero length queue files when doing queue runs until the
		files are at least ten minutes old.  This avoids a potential
		race condition: the creator creates the qf file, getting back
		a file descriptor.  The queue runner locks it and deletes it
		because it is zero length.  The creator then writes the
		descriptor that is now for a disconnected file, and the
		job goes away.  Based on a suggestion by Bryan Costales.
	When determining the "validated" host name ($_ macro), do a forward
		(A) DNS lookup on the result of the PTR lookup and compare
		results.  If they differ or if the PTR lookup fails, tag the
		address as "may be forged".
	Log null connections (i.e., hosts that connect but do not do any
		substantive activity on the connection before disconnecting;
		"substantive" is defined to be MAIL, EXPN, VRFY, or ETRN.
	Always permit "writes" to /dev/null regardless of the link count.
		This is safe because /dev/null is special cased, and no open
		or write is ever actually attempted.  Patch from Villy Kruse
		of TwinCom.
	If a message cannot be sent because of a 552 (exceeded storage
		allocation) response to the MAIL FROM:<>, and a SIZE= parameter
		was given, don't return the body in the bounce, since there
		is a very good chance that the message will double-bounce.
	Fix possible line truncation if a quoted-printable had an =00 escape
		in the body.  Problem noted by Charles Karney of the Princeton
		Plasma Physics Laboratory.
	Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses.
		Problem noted by Kari Hurtta of the Finnish Meteorological
	The MaxDaemonChildren option wasn't applying to queue runs as
		documented.  Note that this increases the potential denial
		of service problems with this option: an attacker can
		connect many times, and thereby lock out queue runs as well
		as incoming connections.  If you use this option, you should
		run the "sendmail -bd" and "sendmail -q30m" jobs separately
		to avoid this attack.  Failure to limit noted by Matthew
		Dillon of BEST Internet Communications.
	Always give a message in newaliases if alias files cannot be
		opened instead of failing silently.  Suggested by Gregory
		Neil Shapiro.  This change makes the code match the O'Reilly
		book (2nd edition).
		A/UX: from Jim Jagielski of NASA/GSFC.
		glibc: SOCK_STREAM was changed from a #define to an enum,
			thus breaking #ifdef SOCK_STREAM.  Only option seems
			to be to assume SOCK_STREAM if __GNU_LIBRARY__ is
			defined.  Problem reported by A Sun of the University
			of Washington.
		Solaris: use SIOCGIFNUM to get the number of interfaces on
			the system rather than guessing at compile time.
			Patch contributed by John Beck of Sun Microsystems.
		Intel Paragon: from Wendy Lin of Purdue University.
		GNU Hurd: from Miles Bader of the GNU project.
		RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
		ISC Unix: wait never returns if SIGCLD signals are blocked.
			Unfortunately releasing them opens a race condition,
			but there appears to be no fix for this.  Patch from
			Gregory Neil Shapiro.
		BIND 8.1 for IPv6 compatibility from John Kennedy.
		Solaris: a bug in strcasecmp caused characters with the
			high order bit set to apparently randomly match
			letters -- for example, $| (0233) matches "i" and "I".
			Problem noted by John Gregson of the University of
		IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x.  From
			Kari Hurtta.
	CONFIG: Some canonification was still done for UUCP-like addresses
		even if FEATURE(nocanonify) was set.  Problem pointed out by
		Brian Candler.
	CONFIG: In some cases UUCP mailers wouldn't properly recognize all
		local names as local.  Problem noted by Jeff Polk of BSDI;
		fix provided by Gregory Neil Shapiro.
	CONFIG: The "local:user" syntax entries in mailertables and other
		"mailer:user" syntax locations returned an incorrect value
		for the $h macro.  Problem noted by Gregory Neil Shapiro.
	CONFIG: Retain "+detail" information when forwarding mail to a
		MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY.  Patch from Philip
		Guenther of Gustavus Adolphus College.
	CONFIG: Make sure user+detail works for FEATURE(virtusertable);
		rules are the same as for aliasing.  Based on a patch from
		Gregory Neil Shapiro.
	CONFIG: Break up parsing rules into several pieces; this should
		have no functional change in this release, but makes it
		possible to have better anti-spam rulesets in the future.
	CONFIG: Disallow double dots in host names to avoid having the
		HostStatusDirectory store status under the wrong name.
		In some cases this can be used as a denial-of-service attack.
		Problem noted by Ron Jarrell of Virginia Tech, patch from
		Gregory Neil Shapiro.
	CONFIG: Don't use F=m (multiple recipients per invocation) for
		MAILER(procmail), but do pass F=Pn9 (include Return-Path:,
		don't include From_, and convert to 8-bit).  Suggestions
		from Kimmo Suominen and Roderick Schertler.
	CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) where
		being masqueraded as though FEATURE(masquerade_entire_domain)
		was specified, even when it wasn't.
	MAIL.LOCAL: Solaris 2.6 has snprintf.  From John Beck of SunSoft.
	MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
		"slip in" a symbolic link between the lstat(2) call and the
		exclusive open.  This is only a problem on System V derived
		systems that allow an exclusive create on files that are
		symbolic links pointing nowhere.
	MAIL.LOCAL: If the final mailbox close() failed, the user id was
		not reset back to root, which on some systems would cause
		later mailboxes to fail.  Also, any partial message would
		not be truncated, which could result in repeated deliveries.
		Problem noted by Bruce Evans via Peter Wemm (FreeBSD
	MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0.  A similar
		change to the sendmail map code was made in 8.8.3.  Problem
		noted by Gregory Neil Shapiro.
	MAKEMAP: Give warnings on file problems such as map files that are
		symbolic links; although makemap is not setuid root, it is
		often run as root and hence has the potential for the same
		sorts of problems as alias rebuilds.
	CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf.
		Accept an optional list of arguments following the server
		name for the ETRN arguments to use (instead of $=w).  Other
		miscellaneous bug fixes.  From Christian von Roques via
		John Beck of Sun Microsystems.
	CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta.  This
		Perl script converts GECOS information in the /etc/passwd
		file into aliases, allowing for faster access to full name
		lookups; it is also clever about adding aliases (to root)
		for system accounts.
		src/Makefiles/Makefile.IRIX.6.2 =>	Makefile.IRIX.6.x

Version: 2.6.2


Claus Aßmann Please send comments to: <ca@sendmail.org>