sendmail: CVE-2014-3956

Debian Bug report logs - #750562

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 4 Jun 2014 14:03:07 UTC

Severity: grave

Tags: security

Fixed in versions sendmail/8.14.4-6, sendmail/8.14.4-4+deb7u1

Done: Andreas Beckmann <anbe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#750562; Package sendmail. (Wed, 04 Jun 2014 14:03:12 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Wed, 04 Jun 2014 14:03:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sendmail: CVE-2014-3956
Date: Wed, 04 Jun 2014 15:44:38 +0200
Package: sendmail
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://www.openwall.com/lists/oss-security/2014/06/03/1 for
details.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#750562; Package sendmail. (Wed, 04 Jun 2014 22:12:08 GMT)


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 04 Jun 2014 22:12:08 GMT)


Message #10 received at 750562@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 750562@bugs.debian.org
Subject: Re: Bug#750562: sendmail: CVE-2014-3956
Date: Thu, 05 Jun 2014 00:08:34 +0200
Control: fixed -1 8.14.4-6

On 2014-06-04 15:44, Moritz Muehlenhoff wrote:
> Hi,
> please see http://www.openwall.com/lists/oss-security/2014/06/03/1 for
> details.

That's a trivial patch that I already cherry-picked from 8.14.9 into sid
(there was no CVE at that time).

For some reason the amd64 build got stuck in "Uploaded" state and
therefore the package does not migrate ...

For fixing this in wheezy: do you want to handle this via a security
update or just via proposed-updates?


Andreas



Marked as fixed in versions sendmail/8.14.4-6. Request was from Andreas Beckmann <anbe@debian.org> to 750562-submit@bugs.debian.org. (Wed, 04 Jun 2014 22:12:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#750562; Package sendmail. (Tue, 10 Jun 2014 19:45:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 10 Jun 2014 19:45:12 GMT)


Message #17 received at 750562@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Andreas Beckmann <anbe@debian.org>
Cc: 750562@bugs.debian.org
Subject: Re: Bug#750562: sendmail: CVE-2014-3956
Date: Tue, 10 Jun 2014 21:42:24 +0200
On Thu, Jun 05, 2014 at 12:08:34AM +0200, Andreas Beckmann wrote:
> Control: fixed -1 8.14.4-6
> 
> On 2014-06-04 15:44, Moritz Muehlenhoff wrote:
> > Hi,
> > please see http://www.openwall.com/lists/oss-security/2014/06/03/1 for
> > details.
> 
> That's a trivial patch that I already cherry-picked from 8.14.9 into sid
> (there was no CVE at that time).
> 
> For some reason the amd64 build got stuck in "Uploaded" state and
> therefore the package does not migrate ...
> 
> For fixing this in wheezy: do you want to handle this via a security
> update or just via proposed-updates?

This seems minor; please update via a point update.

Cheers,
        Moritz



Reply sent to Andreas Beckmann <anbe@debian.org>:
You have taken responsibility. (Sat, 12 Sep 2015 21:21:37 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 12 Sep 2015 21:21:37 GMT)


Message #22 received at 750562-close@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 750562-close@bugs.debian.org
Subject: Bug#750562: fixed in sendmail 8.14.4-4+deb7u1
Date: Sat, 12 Sep 2015 21:17:54 +0000
Source: sendmail
Source-Version: 8.14.4-4+deb7u1

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 750562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 09 Sep 2015 23:18:29 +0200
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all i386
Version: 8.14.4-4+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Description: 
 libmilter-dev - Sendmail Mail Filter API (Milter)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent
 sensible-mda - Mail Delivery Agent wrapper
Closes: 597781 692047 709895 714184 717951 720435 724772 737164 747910 750562
Changes: 
 sendmail (8.14.4-4+deb7u1) wheezy; urgency=medium
 .
   * QA upload.
   * Set maintainer to Debian QA Group.  (See: #740070)
   * Merge some bugfixes from sid.
   * close_on_exec.patch: Properly set the close-on-exec flag for file
     descriptors before executing mailers, cherry-picked from sendmail 8.14.9.
     CVE-2014-3956  (Closes: #750562)
   * libmilter-assert.patch: Fix an incorrect assertion in libmilter,
     cherry-picked from sendmail 8.14.7.  (LP: #1299571)
   * Add support for OpenSSL options SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
     (backported from 8.14.8), thanks to David F. Skoll.  (Closes: #747910)
   * conf.c-ipv6.patch: Fix A-only MX CNAME interface binding issues when using
     IPv6, thanks to David F. Skoll.  (Closes: #737164) (LP: #1223633)
     (backported from 8.14.6)
   * raise-max-daemons.patch: Raise MAXDAEMONS from 10 to 64, thanks to
     Kees Cook.  (Closes: #720435)
   * Switch from deprecated 'find -perm +xxx' to 'find -perm /xxx'.
     (Closes: #724772)
   * Start sendmail after bind9 (or any other named) if it is installed.
     (Closes: #714184)
   * sendmailconfig: Add missing quoting, thanks to Stuart Sheldon.
     (Closes: #692047)
   * Fix infinite loop in update_db, thanks to Flo.  (Closes: #717951)
   * Do not ship duplicate sendmail.8 manpage.  (Closes: #709895, #597781)
Checksums-Sha1: 
 8963b34763170c8a53a052ba12a16b39ec9da765 2562 sendmail_8.14.4-4+deb7u1.dsc
 bd3820dfa1de99c22447fbaa51af374538348f1b 384460 sendmail_8.14.4-4+deb7u1.diff.gz
 efb5ba095eb756b4f61f0448d31cb24d7b574fe9 836800 sendmail-doc_8.14.4-4+deb7u1_all.deb
 29b8ed246b4f49702512ae8b37869d1508e8d679 215868 sendmail_8.14.4-4+deb7u1_all.deb
 e2979a39710dbcc37d6a0979b80d090cb080bc1d 364316 sendmail-base_8.14.4-4+deb7u1_all.deb
 a2e2dc6ab8b862ef8e9342ec6258e39b048d3b31 301142 sendmail-cf_8.14.4-4+deb7u1_all.deb
 f3ca53865bfcf6d713064d9f950e0466dab1367e 964028 sendmail-bin_8.14.4-4+deb7u1_i386.deb
 af40d5808361069325c654a8a3b515069adeb9ae 249602 rmail_8.14.4-4+deb7u1_i386.deb
 4ba831626e894028bf47bb9905a41b6ad35cf01d 218684 sensible-mda_8.14.4-4+deb7u1_i386.deb
 549e3156680dbcb544ece7511f02a7ee5acc9499 241606 libmilter1.0.1_8.14.4-4+deb7u1_i386.deb
 687ef6a3bf565cfe7bace8b4de9ff8d842a96ea5 269054 libmilter1.0.1-dbg_8.14.4-4+deb7u1_i386.deb
 f5c42b87040055c98a0daaa12ae2c3e44979ba6e 332522 libmilter-dev_8.14.4-4+deb7u1_i386.deb
Checksums-Sha256: 
 3ff4e92ab92a07cac2aa9c3f0b7c4fffbdcf9be2e557f8679e1d31cb9dc54f4d 2562 sendmail_8.14.4-4+deb7u1.dsc
 0ed484e7907f3968c5d7b056ecf4b2dfac407c041d9d5b58b38745913e946ee6 384460 sendmail_8.14.4-4+deb7u1.diff.gz
 ff286e55ea7dd33608803b035a1381f81f1a647dd7d59f0bb478e7c94f12329f 836800 sendmail-doc_8.14.4-4+deb7u1_all.deb
 a145ee7b1d178350c17ba0131711bf0124fe59f764b2f725c956c88497ddadaa 215868 sendmail_8.14.4-4+deb7u1_all.deb
 aa36c29d3c3fb51fef36bb3b58abdb7800583a87ef9273463a27efec48a7b03b 364316 sendmail-base_8.14.4-4+deb7u1_all.deb
 0eca2a2e3d860b117a3766a15d830b13f0ab0d8f1a37cc4e378eb06d18af1e09 301142 sendmail-cf_8.14.4-4+deb7u1_all.deb
 86c01411fb4ab18f5fb0a51a4e450d2dec935d10496cf9430b0569a6dc88e807 964028 sendmail-bin_8.14.4-4+deb7u1_i386.deb
 77c9b7636114d13f044eae68c3209d97ec23a79dbf054420cb79786763b94c3d 249602 rmail_8.14.4-4+deb7u1_i386.deb
 4361d73779c24e46d3900c6684fafc3b547d625fd03386e7244e4e0362e38455 218684 sensible-mda_8.14.4-4+deb7u1_i386.deb
 1624aa8c2e4bc4a13e30fbe7e0067139d0577965841359f8f7f72fd2969dead7 241606 libmilter1.0.1_8.14.4-4+deb7u1_i386.deb
 bf15a36de782a09f8ccbee95046d2b727db1fa0452b7123572bf92f2ff809548 269054 libmilter1.0.1-dbg_8.14.4-4+deb7u1_i386.deb
 b72a9030aaccd8eb66c86da09e9e3c8e77e024e5f353b3060fc26e641ad2abb2 332522 libmilter-dev_8.14.4-4+deb7u1_i386.deb
Files: 
 fa292e496d4a2f7249db378ca4e5bc31 2562 mail extra sendmail_8.14.4-4+deb7u1.dsc
 c749e2cf8c40a657492593f804b4a015 384460 mail extra sendmail_8.14.4-4+deb7u1.diff.gz
 3db18e4a221859a522a5fced14bad044 836800 doc extra sendmail-doc_8.14.4-4+deb7u1_all.deb
 d8723d0ef8b4445d93d7d7114e71f7ba 215868 mail extra sendmail_8.14.4-4+deb7u1_all.deb
 6e52a39d2fff6217fd24ace42385f12c 364316 mail extra sendmail-base_8.14.4-4+deb7u1_all.deb
 57b135dee8922193ff8ed5a1b1556877 301142 mail extra sendmail-cf_8.14.4-4+deb7u1_all.deb
 afbbc8a4b0e5ca65dbf38628c163dfa3 964028 mail extra sendmail-bin_8.14.4-4+deb7u1_i386.deb
 8f4e22d0c884ad0d01f2e3cf3f87e3bb 249602 mail extra rmail_8.14.4-4+deb7u1_i386.deb
 dffeab9bcf8b8b434afa50974b5fb83c 218684 mail extra sensible-mda_8.14.4-4+deb7u1_i386.deb
 793fdc80604b2449c441526099cc7047 241606 libs extra libmilter1.0.1_8.14.4-4+deb7u1_i386.deb
 375b94df89fd4c760c8611352fdbca55 269054 libs extra libmilter1.0.1-dbg_8.14.4-4+deb7u1_i386.deb
 1058f30e4bb9a15f1732ecee1ffa0462 332522 libdevel extra libmilter-dev_8.14.4-4+deb7u1_i386.deb




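The close_on_exec.patch entry in the changelog above describes the fix for CVE-2014-3956 only in one line: descriptors that were not marked close-on-exec before sendmail executed a mailer stayed open in the child program. The following C program is an added illustration of that bug class and of the generic fcntl() fix; it is not sendmail's code and does not reproduce the sendmail patch. It assumes a POSIX system with /bin/sh available. It opens a pipe, optionally marks the write end FD_CLOEXEC, executes a shell that tries to write through that descriptor number, and reports whether the write got through, which is exactly what an unprivileged mailer program could do with an inherited socket or file.

```c
/* Added example: demonstrates a file descriptor surviving execve() when
 * FD_CLOEXEC is not set, and the fcntl() idiom that prevents it.
 * Not sendmail's code; /bin/sh is assumed to exist. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int cloexec_is_set(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Creates a pipe, optionally marks its write end close-on-exec, then
 * execs /bin/sh (standing in for an untrusted mailer) and asks it to
 * write through that descriptor number. Returns 1 if the data arrived
 * (descriptor leaked across exec), 0 if the descriptor was closed,
 * -1 on a setup failure. */
int leaks_across_exec(int use_cloexec)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    if (use_cloexec && set_cloexec(p[1]) == -1)
        return -1;

    /* The child only knows the descriptor *number*; if the fd is gone
     * after exec, the redirection fails and nothing is written. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo probe >&%d", p[1]);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(p[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* Parent drops its own write end so read() sees EOF once the
     * child's copy is gone (at exec if FD_CLOEXEC, else at exit). */
    close(p[1]);
    char buf[32];
    size_t got = 0;
    ssize_t n;
    while (got < sizeof buf - 1 &&
           (n = read(p[0], buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    close(p[0]);
    waitpid(pid, NULL, 0);
    return strcmp(buf, "probe\n") == 0 ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", leaks_across_exec(0));
    printf("with    FD_CLOEXEC: leaked=%d\n", leaks_across_exec(1));
    return 0;
}
```

The first run prints leaked=1 and the second leaked=0. The practical check on a live MTA is the same idea from the other side: list the open descriptors of a mailer process spawned by the daemon and confirm that nothing but the intended stdin/stdout/stderr (and whatever the mailer legitimately needs) is present. Setting the flag at open time, with O_CLOEXEC or SOCK_CLOEXEC where the platform supports it, avoids the window between open and fcntl in a multithreaded program, but the fcntl() form above is what portable code such as sendmail 8.14-era sources relied on.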

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Oct 2015 07:31:17 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:26:15 2019; Machine Name: beach
