Security-Fix Sendmail 8.12.9 Released
bahamutirc writes "Yet another security problem was discovered by Michal Zalewski in Sendmail 8.12.8, 'a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable.' Apparently somebody jumped the gun and posted before Sendmail had a chance to notify anyone, so they had to release it today. Go grab your source." Here's the CERT advisory.
This is why every variable should just be a long int darnit
Banaaaana!
Nuff said.
~ The Devil
Patched and there are only 3 comments posted. Damn I'm good! :)
I would like to thank CERT for sending this security notification on a Saturday that I was working, rather than on a Saturday that I was not.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Be sure to remind sendmail users that you're doing it!
It's patch every other day; today isn't any other day, you know.
I switched to postfix last time! MWAHAHAHAHA!
Sendmail: The IIS of Open Source.
This is the straw that breaks the camel's back. I'm changing to another MTA.
NO CARRIER
if you dont care, dont read it...
go back rebooting your exchange "server"
"Providing hackers with security holes for DECADES" --jeff++
ipv6 is my vpn
I fought with the M4 format of sendmail.cfg for a while in setting up a complex system before switching to qmail. I've tried postfix too, but I still see diehard sendmailers around.
For one, sendmail is really not intuitive. If you're given a server you've never seen before and have to alter some fancy configs in it, could you do it faster than if it were, say, qmail? Maybe if I stared at M4 pinfo I could begin to get it; I gave up early there.
Secondly these security problems.
So beside the fact that sendmail is the standard, quite mature and very flexible if you know how to config it, does it have any big edge over postfix or qmail that everyone should know about?
And can the sendmail developers be brave trailblazers and finally change the config file syntax to just text words like httpd.conf?
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Developers recently have been getting fed up with security "advisories" that include an exploit being posted on most "security" websites before they have even been notified. Unfortunately this leads to many script kiddies getting their kicks from "owning" a popular site before it has been patched, and probably many of the websites that exist, exist purely for this purpose. Sendmail are just the latest people to fall victim to this.
To avoid all this people should change to {postfix|qmail|smail|other}. It doesn't have this problem.
A lot of people suggest just switching to something else. Obviously, they don't want to. I use sendmail all the time, I love sendmail. If this was a Windows app, I might switch, but being open source as it is, when the holes are discovered, they are patched pretty quickly. I don't really see much point in saying switch to qmail or something else; people who want to use sendmail will keep using it.
See, they give you much needed practice of patching services at a proper pace! Patching it every 2 weeks or so is great practice for every administrator. Every good admin should have at least 1 box with sendmail on it. See, a few years ago I put on qmail. Now my patch skills are severely lacking. When this advisory for sendmail came out today, I said "that's enough, I'm falling behind. I'm going back to sendmail." I think I'll be much happier now.
Not a fun thing to always be on the lookout for sendmail exploits. After the thousandth exploit, I finally got my ass in order and switched to qmail. Much better and easier to configure too!
eTrade SUCKS
Thank you,
--The rest of the fucking Internet
--sdem
Looks like sourceforge has been hacked. Their site is permanently down for maintenance.
But that still doesn't make sendmail bad. Software has bugs. Your precious MTAs have bugs too. As a matter of fact, sendmail works. It has worked for decades. It's still around. And it will stay around for decades more.
Before y'all jump up and say: "Look! a possibly remote exploit!". Read the advisory. This will be VERY hard to exploit, besides your test lab where you control the address space and eventual host naming that just MIGHT overflow something, and then you need to figure out if it's even possible to do something more fun other than let some sendmail spawned child crash, whoopdeedoo.
Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploiting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm hardly a target.
So qmail and postfix zealots, shut the hell up please. We know. Yes, qmail and postfix are nice, and yes, they have some merits over sendmail and yes, I sometimes choose to prefer them for some jobs, but the inverse is also true. Right tool for the job and all that. Now be happy with your MTA and be done with it. Geez, it's only a mail server.
this Redhat advisory from a couple weeks ago already addressed this issue?
You need a password to get root access through telnet!
*ducks barrage of rotten fruit*
But seriously, and without the bad humor, it makes me wonder why everyone always sees X as the bloated, nonsensical, anachronistic piece of junk that is holding LINUX/BSD back. Hell, at least I can understand a XF86Conf-4 file (although the old style XF86Conf file is still rather infuriating).
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
I can't understand why any general-purpose distros still ship sendmail. Qmail is good too, though I prefer postfix.
Sendmail takes (on my system) a thousand-line config file just to have sane settings for the modern world. It has a horrendous security history.
Postfix has non-dumb defaults, is quite secure, and I cannot see why anyone wouldn't use it.
May we never see th
Is your sendmail buggy? Would it be time to change to Postfix?
Only $0,00.
Guess what, you are not "hardly a target". Script kiddies will hack your machine purely to have another platform to run DDOS attacks from, or to hack into yet other machines.
It doesn't matter who you are or what data you have. If you have an IP address, you are a target, period.
This one bug doesn't make sendmail bad. The fact that it's had scores of bugs does.
It's "only" a mail server, but what about a company whose email contains very sensitive information? They may feel safe using, say, smtps and imaps, but if sendmail isn't secure, they're sunk. In addition, getting on a mail server may allow access to a local network filled with insecure windows boxes. Oops.
You seem to be way too attached to sendmail. There are better alternatives available, so why not use them? I broke off from sendmail years ago, happily.
You should not create such an attachment to software; I use OpenSSH currently because it's free and works. I won't pretend it's not bug-ridden, though, and if something better comes along, I will switch because I care about security. I don't care if I've been using OpenSSH for years.
Geez, it's only a mail server.
And it's only an editor.
And it's only an operating system.
Come on, without fans of programs, the world would be lots less exciting.
Although it's not impossible to do, I still maintain that admins should patch their systems, but you don't have to rush. I don't see script kiddies exploiting this one in the coming time yet. And besides, my data isn't worth crap either, so I'm hardly a target.
Yeah, I used to say the same thing until I had a box get broken into.
May we never see th
I dare you to hack into this IP address and do something awful to it! I double dog dare you!
I'll even leave sendmail running to help you get in!
After researching sendmail, postfix, and qmail, I settled on qmail for its speed and security. I can't count the number of times I had to upgrade sendmail in the past. I have never heard of a single remote exploit affecting qmail.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I converted the security patch to a unidiff and applied it to Red Hat's latest sendmail errata SRPM for Red Hat Linux 8.0. Use at your own risk.
55 flaws in the code, 55 flaws in the code....
Take one down debug it around 58 flaws in the code...
http://saveie6.com/
- sendmail is one huge, bloated, insecure POS. ...and one last thing: WHO CARES ABOUT SYSTEM USERS? I'd guess 99,9% of all mail today is delivered via dedicated mail systems. Why is every single mail system out there system-user-centric and can only be taught virtual domains with ugly hacks and impractical aliases files?
- There's been no new qmail version for YEARS. Everything you need to add you have to search for on the web and patch it in, with patches conflicting and everything
- exim claims to be easier to configure than sendmail but in reality just replaces the $)(%")( with plain text
- The author of courier is an arrogant prick and I haven't found a way to use virtual domains without it being an ugly hack
- postfix is awfully documented and awkward to use with all its backward-compatibility hacks
You sound like a frustrated MS marketing slave ...
I've been using qmail 1.03 since 1999. Pretty nice to not have to upgrade software every few months because of security issues!
This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay(good for postfix 1.11).
Main Configuration/Documentation
Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation is the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQs, HOWTOs and mailing lists.
Tables
Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form
The Type is the type of table/format being used. The Location is simply one of several things
For backwards compatibility, hash:/etc/alias is normally setup as an alias database.
Virtual Stuff
Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.
Fallback Address or "Catchalls"
Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.
Configurable bounce errors
I'm not sure if there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com; the actual data doesn't matter, just the entry is important, so set it to "unknown" for readability) creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).
Delivery to a piped process
Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery.
Here are some examples:
Backup mail spooling
In postfix there is a transports map that has three fields: domain(key), transport(servic
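A config fragment that ties the pieces in the post above together (main.cf table references, a virtual domain entry, a catch-all, a pipe service in master.cf and a transport map). It is added here as an illustration and is not part of the post or of the Postfix documentation. It uses the Postfix 1.1-era parameter name the post refers to (virtual_maps; Postfix 2.0 renamed it virtual_alias_maps); example.com, example.net, lists.example.com, the "procmail" service name and the mx1 hostname are placeholders. Trailing comments are not allowed in Postfix tables or main.cf, so every comment sits on its own line:

```text
# /etc/postfix/main.cf
# Lookup tables are written as type:location. These are hash: tables, so each
# file below must be rebuilt with "postmap <file>" after editing.
alias_maps     = hash:/etc/aliases
virtual_maps   = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
# Accept (spool) mail for a domain whose primary MX we back up.
relay_domains  = example.net

# /etc/postfix/virtual
# Bare-domain entry: the right-hand side is ignored; it makes example.com a
# Postfix-style virtual domain, so local parts matching no other entry are
# rejected as unknown instead of being accepted and bounced later.
example.com              unknown
alice@example.com        alice
postmaster@example.com   postmaster
# Catch-all: the key is "@domain". With this entry present, every local part
# in example.org that matches nothing more specific is delivered to one user.
example.org              unknown
@example.org             org-catchall

# /etc/postfix/transport
# Key is the domain, value is transport:nexthop. An empty nexthop hands mail
# to the "procmail" pipe service below. The [host] form forwards spooled
# backup-MX mail straight to the primary instead of via an MX lookup.
lists.example.com        procmail:
example.net              smtp:[mx1.example.net]

# /etc/postfix/master.cf
# columns: service type private unpriv chroot wakeup maxproc command + args
# A pipe service: each recipient routed here is handed to the argv program,
# with ${user} and ${extension} expanded from the recipient address.
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m USER=${user} EXTENSION=${extension} /etc/procmailrc
```

Virtual alias rewriting runs before the transport lookup, which is why the pipe transport is attached to a domain (lists.example.com) that is not itself rewritten by the virtual table; mapping example.com to the pipe service would never be reached for the aliased addresses.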
Does anyone happen to know if Red Hat will be releasing a patch for version 6.2 of their distribution? I suppose I could patch it manually, but it'd be nice to stick with Red Hat fixes until I migrate to a newer version early this summer.
I ask as I believe this weekend is the official EOL for 6.2 errata.
Sendmail gets a bad name sometimes from folks who gave up on it for various reasons (Too hard?). Sometimes some of these "administrators" can't tell the difference between a Message store and an MTA. /var/mail is not sendmail!
Please keep in mind that this MTA was around when the network was more of a community (not a lot of .com) and having an open relay was normal. Think ARPAnet.
I personally like the way the sendmail community handles these issues when they arise. 2 reports in a row is a bummer, but the frequency is exaggerated. I respect the fact that there are other open source MTAs and think they can be made to work well too (postfix, qmail, exim, etc...).
Sendmail pioneered lots of the AntiSPAM/AntiSPAMMER features that are taken for granted today (advanced relay control, ip to dns a record verify, DNS blacklisting etc...).
There are reasons why many (think mega sized corporations around the world) use sendmail in front of their message store systems (Exchange, Notes, Cyrus, /var/mail, etc...). Think scale and way beyond systems for only 10s of thousands or less.
It has/provides:
The ability to use LDAP information for routing.
The ability to use LDAP instead of a flat Alias file.
LDAP intelligence at the port 25 gateway (think not having unreturnable bounce messages traveling all the way into the network and then getting stuck at your message store). A smart MTA at the gateway will break the connection and not waste time trying to pass the message through.
Pass based (w/crypt options) SMTP Authentication
Certificate-based SMTP authentication
Unlimited relay control options (rule sets and milters)
Built in SMTP encryption (TLS/SSL) with support for PKI systems
Multiple queues and deterministic queuing (queue groups)
Fallback MX (this is huge for failover)
Mid-protocol conversation filtering (Milter, do all of your attachment stripping and message scanning without adding extra hops).
Capable of sending email just as fast as any other MTA without violating RFCs (do you really not want to commit your data to stable storage?) and putting your data at risk.
SMTP pipelining (why open a new connection each time?)
Active development with developers developing to the RFC/IETF's standards and the needs of today's internet.
Ability to be configured to avoid port 25 Denial of service attacks that other MTAs are vulnerable to.
My 2 pennies, just another opinion, now leaving verbose mode...
Hear hear! Same with all you Linux/Apache operators. Yes, we know that NT4.0/IIS is hopelessly unpatchable and responsible for the wasting of untold gigabyte hours of bandwidth due to worm propagation and becoming willing DDOS zombies, but please shut the hell up about your superior software. Geez, it's only software on an Internet that we all have to share. Thank you.
About my "attachment to sendmail": It's all dependent on what the machine's job is. Read my post again. Every MTA shines somewhere. Qmail is nice if you have LOTS of users/mailboxes, postfix and exim are nice if you have a heavily loaded box that has to shift a lot of mail, and sendmail is just great for everything else. That's my right-tool-for-the-job attitude.
I guess you only read the subject line of my post, and then just concluded I must be some rabid sendmail user (a.k.a. Slashdot Knee-Jerk). Well, you're wrong :)
1) Qmail doesn't follow convention. Forget inetd, DJB uses his own, goofy "tcpserver". Never mind any other services you have on the machine, and pray to god they don't conflict. You *can* get qmail to work with xinet.d, but good luck getting all the (much needed) features working, since with xinet.d you get an open mail relay by default.
2) There are like 5 different programs, each with different user accounts (qmaild, qmaill, qmailp, qmailq, qmailr, qmails, vmail, etc) - all running from the same !@#!@ bin directory! Talk about confusing as !@#! hell when you want to audit permissions!
3) Qmail has a truly hideous license. Yeah, it's "open source", but you can't redistribute changes!!?!
This means:
4) If you want something decent (such as LDAP support, antivirus filtering or integration with SpamAssassin, etc.) you have to apply 57 god-knows patches to the "official" qmail source, and in just the right order to get everything working.
5) The log format is different than sendmail's. While this is understandable, it means that all these neat reporting tools for sendmail can't be used.
And finally,
6) Administering Sendmail on RH Linux is a breeze. up2date sendmail; /etc/rc.d/init.d/sendmail restart takes care of most of it.
-Ben
I have no problem with your religion until you decide it's reason to deprive others of the truth.
It looks to me like OSX 10.2.4 is vulnerable to this exploit. The CERT advisory says all versions previous to 8.12.9 and I'm pretty sure OSX uses 10.12.6. Can anyone confirm this? It is disabled by default, so it is not a large issue. Anyone care to bet as to how long for a security patch?
You remind me of the Nerd in a Shoe!
--sdem
THANK GOD! for MGT
Login to all servers "File -> All Bonded"
run commands and your done!
The problem is that sendmail has to be patched for a new bug every 2-3 weeks. Qmail is still at 1.0.3 and hasn't been updated for years - no security-related bugs have been discovered.
With the current track record I think we can agree that sendmail has had tons of bugs. Since you are claiming that qmail has them too - please point us to ONE.
As for patching - do you guarantee that you will personally update every single mailserver you install, anywhere, forever, without any support agreement or compensation? If not you just proved my point.
Not yet, anyway... But read on:
With the current track record I think we can agree that sendmail has had tons of bugs. Since you are claiming that qmail has them too - please point us to ONE.
Claiming *any* piece of software is bug free is naive. Sure there are bugs. They might not be straightforward to find, but sure, they're there. You clearly don't develop much; you would've known this if you did.
What's worse is that there might be Qmail related exploits around that we are not aware of. Surely the blackhats will not disclose those bugs and we will probably never hear about it from them. If a MTA has a "flawless" security record, I'd be worried. Has anyone ever properly audited the Qmail code, besides DJB? It's kinda like claiming you've never been broken into. It might just be the case that you have had an intrusion, but you never noticed.
Also, you clearly exaggerate the rate of security related bugs in sendmail nowadays. Sure it has its bad spots, but then for years it's fine. Yes I patch and maintain the boxes I set up. I would be a crappy sysadmin if I didn't.
Interesting how we just had this article the other day.
I know some places process a lot of mail with sendmail and need all the speed they can get, but the monster sites seem to have gone to qmail anyway. Considering the speed of my computer vs. the speed of my 'net pipe, I don't have much of a load on my mailserver, which leads me to ask:
Does anybody know of a good mailserver written in a higher-level language?
This is what, the 82nd remote root-exploit in sendmail due to C coding problems? Let's see something written in Perl or Python or Java, even.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Would be for them to stop releasing fixes. The same goes for BIND version 9. These programs are endless thorns in the sides of the internet, and the developers of said programs would be doing us all a favor if they would just stop developing, pull the source off of the internet, and tell the world to use software that was coded to be secure.
qmail has no security holes. There's $500 sitting on the table for you if you can find a security hole.
-russ
Don't piss off The Angry Economist
All software has bugs. Bug-free software and hardware do NOT EXIST
In fact, the fact that nobody claimed that award, does not mean that Qmail is bugfree. Do you really think that some blackhat will give away an advisory? He couldn't care less about $ 500, he can intrude into Qmail boxes that are deployed widely and thought to be secure. That's priceless.
Of course that's speculation, but still. I'd be laughing my ass off if it were true.
Clarification: I of course don't intend malice. I just never agreed with DJB's money for bugs scheme, because it will cause the adverse effect of what he's trying to achieve. I don't agree with his licensing either.
M4 gets a bad reputation because of Sendmail. However, M4 is pretty cool, and quite useful. For example, I've used it in the past as a way to add includes and macros to SQL code (SQL code being built in a build environment, generally object definitions and stored procedures, run through the command line tool for whatever database you're using). That let me abstract out common pieces of code, minimizing copy&paste errors.
In general, M4 is just a macro processor, where there are some pre-defined macros, and you can define your own macros as well as changing various behaviors of M4. For example, to use my SQL example above, it was trivial to change M4's quoting characters to {} from `' (Because the `' quoting conflicted with SQL's '' quoting), and it was necessary to prefix M4 builtins with m4_ because SQL has some similarly-named functions (len(), for example). This was trivially done and stored in a "freeze" file for easy retrieval later. Write your M4 code to the changed definitions, and run M4 by specifying the freeze file. In essence, that's all Sendmail is doing -- Sendmail has defined some M4 macros, and you just use those macros to create your config. In Sendmail's case, the macros are poorly documented, and that makes configuration a real bear. But that's not M4's fault. It's Sendmail's.
What's worse is that there might be Qmail related exploits around that we are not aware of. Surely the blackhats will not disclose those bugs and we will probably never hear about it from them. If a MTA has a "flawless" security record, I'd be worried. Has anyone ever properly audited the Qmail code, besides DJB? It's kinda like claiming you've never been broken into. It might just be the case that you have had an intrusion, but you never noticed.
qmail has no security holes. Hundreds, if not thousands, of people have read the source code. Many people hate DJB and would love to find a security hole in his software. No one has found any.
Instead of making wild claims about non existant security holes that no one knows about, why don't you read the source code yourself and find out why it is secure?
Yeah.. when it's a Windows problem people jump on Microsoft's shit like it were pussy, and they weren't gay..
But when it's Sendmail.. for christs-fucking-sakes.. a software that has had an eternity in comparison to "get secure".. still has problems. And I love the respectful, informative tone to the Slashdot post. Fucking cunt hypocrites.
This last sentence shows how you are just as much a zealot as those you started this thread by castigating. But let's keep this focussed on sendmail. To take you back to your original claim (and I'm not disputing that different MTAs have different strengths), tell me : in what situations do you settle on sendmail as the solution? What strengths does it have and in what circumstances is it the best choice? (I have my own answer, but I'll save it just in case you can't come up with one)
My next sig will be ready soon, but subscribers can beat the rush
Changelog says:
Is that something to do with char == signed char versus char == unsigned char ?
just patch it and move on...
sendmail was delivering mail long before the first source line of qmail was created, a little credit where credit is due.
I use qmail quite extensively, however what bugs me the most is the significant amount of effort required in patching the source to allow qmail to do anything fancy besides the basic functionality of delivering mail.
I did just try to buy sendmail from sendmail.com for someone for whom I was doing some work, and we couldn't figure out how to do it from the website. There's no product or price list, certainly no "purchase online" section. You have to engage a salesperson, and the guy for whom I was working thought it was too much trouble to have to do phone-tag just to find out how much it would cost. He's still a sendmail user, but only the free version.
Don't queue mail with sendmail.
Send mail with Qmail.
{{.sig}}
I can't find anything other than this comment in which you say "sendmail is great for everything". You may call that an answer; seems like zealous idiocy to me.
My next sig will be ready soon, but subscribers can beat the rush
Look, here's the thing. Read the disclosure on Full-Disclosure and you'll see that it was obviously an integer overflow, but also that it was obviously easy to fix. One line. One typecast. Not rocket science.
The actual discussion was started by the availability of the patch.
Does it really take six days to change a typecast that leads to a root compromise? Does if you're sendmail!
Bravo, to those of you who believe in full disclosure, and boo, to those who call you irresponsible. The irresponsible parties here are Sendmail. Why the hell were they delaying for days when they already had World's Simplest Patch?
They make it sound like someone posted an exploit, which is demonstrably not true. The early disclosure was the disclosure of the patch.
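The "char to int conversion problem" quoted in the summary, the earlier comment asking whether it comes down to signed versus unsigned char, and the "one typecast" fix mentioned in the comment above all describe the same C bug class. The toy scanner below is an added example, not sendmail's code and not the advisory's patch: it reads address bytes through a plain char into an int that also carries an out-of-band sentinel, and then shows the single cast that removes the collision. NOCHAR, the tokenizer, the sample address and the 0xFF byte in it are assumptions made for illustration.

```c
/*
 * Added example, not sendmail's code and not the advisory's patch: the
 * "char to int conversion" bug class in a parser, with the one-cast fix.
 * The scanner, the NOCHAR sentinel and the sample address are hypothetical.
 */
#include <limits.h>
#include <stdio.h>

#define NOCHAR    (-1)   /* assumed out-of-band sentinel: "no character" */
#define MAXTOKENS 8
#define MAXTOKLEN 16

/* Constructed input: the 0xFF byte stands for the attacker-supplied part. */
static const char SAMPLE_ADDRESS[] = "alice;bob;\xff" "hidden;carol";

typedef int (*read_fn)(const char *);

/*
 * Buggy read: a plain `char` is signed on most compilers (x86 gcc among
 * them), so byte 0xFF sign-extends to -1 when stored in an int and becomes
 * indistinguishable from NOCHAR. Fixed read: widening through unsigned char
 * yields 0..255, which can never collide with a negative sentinel.
 */
static int read_byte_buggy(const char *p) { return *p; }
static int read_byte_fixed(const char *p) { return (unsigned char)*p; }

/*
 * Split `in` on ';' into out[][]; returns the token count. Copies are bounded
 * (over-long tokens are truncated), so this function itself cannot overflow.
 * What the buggy reader breaks is the bookkeeping: `*cut_short` is set when
 * the scan stopped on NOCHAR instead of the terminating NUL, which should be
 * impossible for a C string. A real parser that trusts that state (skipping
 * a length check or advancing a pointer because "no character" was read) is
 * where the memory-safety problem appears.
 */
static int tokenize(const char *in, read_fn rd,
                    char out[MAXTOKENS][MAXTOKLEN], int *cut_short)
{
    int ntok = 0, len = 0;
    *cut_short = 0;
    for (const char *p = in; ; p++) {
        int c = rd(p);
        if (c == NOCHAR) {           /* forged by 0xFF under the buggy reader */
            *cut_short = 1;
            break;
        }
        if (c == '\0' || c == ';') { /* token boundary */
            if (len > 0 && ntok < MAXTOKENS)
                out[ntok++][len] = '\0';
            len = 0;
            if (c == '\0')
                break;
            continue;
        }
        if (ntok < MAXTOKENS && len < MAXTOKLEN - 1)
            out[ntok][len++] = (char)c;
    }
    return ntok;
}

static int scan(const char *in, read_fn rd, int *cut_short)
{
    char toks[MAXTOKENS][MAXTOKLEN];
    return tokenize(in, rd, toks, cut_short);
}

int tokens_buggy(const char *in)    { int cs; return scan(in, read_byte_buggy, &cs); }
int tokens_fixed(const char *in)    { int cs; return scan(in, read_byte_fixed, &cs); }
int cut_short_buggy(const char *in) { int cs; scan(in, read_byte_buggy, &cs); return cs; }
int cut_short_fixed(const char *in) { int cs; scan(in, read_byte_fixed, &cs); return cs; }

int main(void)
{
    printf("char is %s on this build\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("0xFF reads as %d (buggy) vs %d (fixed); NOCHAR is %d\n",
           read_byte_buggy("\xff"), read_byte_fixed("\xff"), NOCHAR);
    printf("buggy: %d tokens, cut short=%d\n",
           tokens_buggy(SAMPLE_ADDRESS), cut_short_buggy(SAMPLE_ADDRESS));
    printf("fixed: %d tokens, cut short=%d\n",
           tokens_fixed(SAMPLE_ADDRESS), cut_short_fixed(SAMPLE_ADDRESS));
    return 0;
}
```

Compile with a C99 compiler and run it. On a signed-char platform the buggy reader stops after two tokens because the 0xFF byte impersonates NOCHAR, while the fixed reader sees all four; on a platform where char is unsigned the two agree, which is why bugs of this class are easy to miss in testing. Whether the desynchronised state turns into memory corruption depends on what the real parser does once it believes it has run out of input, which is what puts "a char to int conversion problem" and "potentially remotely exploitable" in the same sentence, and why the fix is one cast at the point where bytes enter the int.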
I tried to patch 8.12.8 with the supplied patch set. But it failed because the file offsets were way off (e.g. in sendmail/conf.c hunk 1 is at 466 instead of 300 something).
Anyone else having the same problems?
[...]next time I'm working on a PDP/11 [...] (36 bit word size).
The PDP-11 has a 16-bit word size.
I think that you are thinking of the PDP-10.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
All software has bugs. Bug-free software and hardware do NOT EXIST
... find a security hole in qmail. Not only will you be $500 richer, but you'll cease to be considered an idiot by your betters.
Interesting. So
-russ
Don't piss off The Angry Economist
*** A NEW KIND OF PROGRAMMING ***
Do you want the instant respect that comes from being able to use technical
terms that nobody understands? Do you want to strike fear and loathing into
the hearts of DP managers everywhere? If so, then let the Famous Programmers'
School lead you on... into the world of professional computer programming.
They say a good programmer can write 20 lines of effective program per day.
With our unique training course, we'll show you how to write 20 lines of code
and lots more besides. Our training course covers every programming language
in existence, and some that aren't. You'll learn why the on/off switch for a
computer is so important, what the words *fatal error* mean, and who and what
you should blame when you make a mistake.
Yes, I want the brochure describing this incredible offer.
I enclose $1000 in small unmarked bills to cover the cost of
postage and handling. (No live poultry, please.)
*** Our Slogan: Top down programming for the masses. ***
- this post brought to you by the Automated Last Post Generator...