Subject: Caldera Security Advisory SA-1997.10: Security updates to sendmail

Caldera Security Advisory SA-1997.10

Original report date: 14-Jun-1997
RPM build date:       16-Jun-1997
Original issue date:  22-Jul-1997
Last revised:         22-Jul-1997

Topic: Security updates to sendmail

I. Problem Description

   Sendmail 8.8.6 has been released. This version contains many bug
   fixes (and no new features). A few of these fixes are security
   related, although most of these are specific to unusual
   circumstances (e.g., obsolete versions of HP-UX that didn't
   implement the O_EXCL open bit properly, or problems resulting from
   systems that put database maps into world writable directories).

   Complete RELEASE_NOTES for this release are included in the
   source RPM.

II. Impact

   The list of changes in this release is long. As mentioned above,
   most are not security related. But those that are security related
   are documented in the lengthy RELEASE_NOTES file that can be found
   in the source RPM.

III. Solution

   Install the new sendmail 8.8.6 packages, as described below.

   These packages are located on Caldera's FTP server (ftp.caldera.com):

      ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/

   The MD5 checksums (from the "md5sum" command) for these packages are:

      0360c84a4e69ac78f8512659c2012441  RPMS/sendmail-8.8.6-1.i386.rpm
      d73d10ed515a39f8218af6c9599313a5  RPMS/sendmail-cf-8.8.6-1.i386.rpm
      a6b771657f9e7203f9217ab84cce4007  RPMS/sendmail-doc-8.8.6-1.i386.rpm
      e6b89f61566ef69b3d3ccfaa9a0b7bff  SRPMS/sendmail-8.8.6-1.src.rpm

   Please follow these instructions precisely to update any older
   version of sendmail that may be on your system:

      /etc/rc.d/init.d/mta stop
      rpm -q sendmail-doc && rpm -U RPMS/sendmail-doc-8.8.6-1.i386.rpm
      rpm -q sendmail-cf && rpm -U RPMS/sendmail-cf-8.8.6-1.i386.rpm
      rpm -e sendmail && rpm -i RPMS/sendmail-8.8.6-1.i386.rpm
      [ -e /etc/sendmail.cf.rpmsave ] && echo "configuration changed..."
      /etc/rc.d/init.d/mta start

   Note: One must perform the updates in the order shown above to
   avoid having rpms conflict during the upgrade.

   Note: The warning message "cannot remove /usr/share/sendmail -
   directory not empty" during installation of sendmail-cf can be
   safely ignored.

   Note: /etc/sendmail.cf has changed quite a bit -- overwriting it
   with a potential /etc/sendmail.cf.rpmsave is NOT a viable option!
   Previous changes have to be re-applied (preferably with m4 and
   .mc files).

IV. References / Credits

   This and other Caldera security resources are located at:

      http://www.caldera.com/tech-ref/security/

   This advisory is based on the sendmail upgrade announced to the
   BUGTRAQ email list by Eric Allman - message id:

      <199706142156.OAA18269@knecht.Oxford.Reference.COM>

   See also the Sendmail Home Page: http://www.sendmail.org/

   Sendmail has a Usenet newsgroup: comp.mail.sendmail.

   This advisory closes Caldera's internal bug report #804.

$Id: SA-1997.10,v 1.2 1997/07/23 02:12:09 ron Exp $
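Added example, not part of the Caldera advisory: a shell check that gates the upgrade in section III on the four MD5 checksums listed there, failing on any missing, mismatched or malformed entry so that the "mta stop" step is never reached with an unverified package. The function names advisory_manifest and verify_packages and the manifest file name are hypothetical; the packages are assumed to have been downloaded into RPMS/ and SRPMS/ under the current directory.

```shell
#!/bin/sh
# Added example (not from the advisory). Defines functions only; runs nothing.

# The four checksums exactly as listed in the advisory, in md5sum format.
advisory_manifest() {
    cat <<'EOF'
0360c84a4e69ac78f8512659c2012441  RPMS/sendmail-8.8.6-1.i386.rpm
d73d10ed515a39f8218af6c9599313a5  RPMS/sendmail-cf-8.8.6-1.i386.rpm
a6b771657f9e7203f9217ab84cce4007  RPMS/sendmail-doc-8.8.6-1.i386.rpm
e6b89f61566ef69b3d3ccfaa9a0b7bff  SRPMS/sendmail-8.8.6-1.src.rpm
EOF
}

# verify_packages MANIFEST DIR  (hypothetical helper)
# Returns 0 only if every manifest entry is well formed, present under DIR,
# and matches its MD5; any malformed, missing or mismatched entry gives 1.
verify_packages() {
    manifest=$1; dir=$2; rc=0; n=0
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 1; }
    while read -r want path extra || [ -n "$want" ]; do
        [ -n "$want" ] || continue              # skip blank lines
        n=$((n + 1))
        # Accept only "<32 lowercase hex digits> <path>" and nothing else.
        if [ -n "$extra" ] || [ -z "$path" ] ||
           ! printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{32}$'; then
            echo "MALFORMED $want $path $extra" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING   $path" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (got $got)" >&2; rc=1
        fi
    done < "$manifest"
    [ "$n" -gt 0 ] || { echo "manifest has no entries" >&2; return 1; }
    return "$rc"
}

# Typical use, from the directory holding RPMS/ and SRPMS/:
#   advisory_manifest > SA-1997.10.md5
#   verify_packages SA-1997.10.md5 . && /etc/rc.d/init.d/mta stop
```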