(See also the bugs from the CC). I believe that Debian should be somehow put on the CERT vendor list: they give the vendors more advance warning on the security issues before they issue an advisory, allowing them to issue an emergency patch.

Does anybody on this list (debian-security) have any ties with CERT to do it?

----- Original Message -----
From: "Ramon Kagan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 03, 2003 4:00 PM
Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail (fwd)

> Hi,
>
> I don't see Debian listed in the notification list at the bottom of the
> CERT Advisory. Is there any estimate on the release of patched sendmail
> packages?
>
> Ramon Kagan

[snip]

>
> ---------- Forwarded message ----------
> Date: Mon, 3 Mar 2003 13:06:09 -0500
> From: CERT Advisory <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
>
> Original release date: March 3, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Sendmail Pro (all versions)
> * Sendmail Switch 2.1 prior to 2.1.5
> * Sendmail Switch 2.2 prior to 2.2.5
> * Sendmail Switch 3.0 prior to 3.0.3
> * Sendmail for NT 2.X prior to 2.6.2
> * Sendmail for NT 3.0 prior to 3.0.3
> * Systems running open-source sendmail versions prior to 8.12.8,
> including UNIX and Linux systems
>
> [snip]
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apple Computer, Inc.
>
> Security Update 2003-03-03 is available to fix this issue. Packages
> are available for Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be
> noted that sendmail is not enabled by default on Mac OS X, so only
> those systems which have explicitly enabled it are susceptible to the
> vulnerability. All customers of Mac OS X, however, are encouraged to
> apply this update to their systems.
>
> Avaya, Inc.
>
> Avaya is aware of the vulnerability and is investigating impact. As
> new information is available this statement will be updated.
>
> BSD/OS
>
> Wind River Systems has created patches for this problem which are
> available from the normal locations for each release. The relevant
> patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform
> for Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for
> BSD/OS 4.2 systems.
>
> Cisco Systems
>
> Cisco is investigating this issue. If we determine any of our products
> are vulnerable that information will be available at:
> http://www.cisco.com/go/psirt
>
> Cray Inc.
>
> The code supplied by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp
> may be vulnerable. Cray has opened SPRs 724749 and 724750 to
> investigate.
>
> Cray, Inc. is not vulnerable for the MTA systems.
>
> Hewlett-Packard Company
>
> SOURCE:
> Hewlett-Packard Company
> HP Services
> Software Security Response Team
>
> x-ref: SSRT3469 sendmail
>
> HP will provide notice of the availability of patches through standard
> security bulletin announcements and be available from your normal HP
> Services support channel.
>
> IBM Corporation
>
> The AIX operating system is vulnerable to the sendmail issues
> discussed in releases 4.3.3, 5.1.0 and 5.2.0.
>
> A temporary patch is available through an efix package which can be
> found at
> ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z
>
> IBM will provide the following official fixes:
>
> APAR number for AIX 4.3.3: IY40500 (available approx. 03/12/2003)
> APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003)
> APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003)
>
> Openwall GNU/*/Linux
>
> Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not
> sendmail.
>
> Red Hat Inc.
>
> Updated sendmail packages that are not vulnerable to this issue are
> available for Red Hat Linux, Red Hat Advanced Server, and Red Hat
> Advanced Workstation. Red Hat Network users can update their systems
> using the 'up2date' tool.
>
> Red Hat Linux:
>
> http://rhn.redhat.com/errata/RHSA-2003-073.html
>
> Red Hat Linux Advanced Server, Advanced Workstation:
>
> http://rhn.redhat.com/errata/RHSA-2003-074.html
>
> SGI
>
> SGI acknowledges VU#398025 reported by CERT and has released an
> advisory to address the vulnerability on IRIX.
>
> Refer to SGI Security Advisory 20030301-01-P available from
> ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
> or http://www.sgi.com/support/security/.
>
> The Sendmail Consortium
>
> The Sendmail Consortium suggests that sites upgrade to 8.12.8 if
> possible. Alternatively, patches are available for 8.9, 8.10, 8.11,
> and 8.12 on http://www.sendmail.org/
>
> Sendmail, Inc.
>
> All commercial releases including Sendmail Switch, Sendmail Advanced
> Message Server (which includes the Sendmail Switch MTA), Sendmail for
> NT, and Sendmail Pro are affected by this issue. Patch information is
> available at http://www.sendmail.com/security.

[snip]