| Summary: | sendmail new security issue fixed upstream in 8.14.9 (CVE-2014-3956) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cjw, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/601580/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | sendmail-8.14.8-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-05-23 12:59:12 CEST
David Walser
2014-05-23 12:59:21 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Upstream announcement:
http://www.sendmail.com/sm/open_source/download/8.14.9/

CVE request:
http://openwall.com/lists/oss-security/2014/06/03/1

CVE-2014-3956 assigned:
http://openwall.com/lists/oss-security/2014/06/04/5

Summary:
sendmail new security issue fixed upstream in 8.14.9 =>
sendmail new security issue fixed upstream in 8.14.9 (CVE-2014-3956)
David Walser
2014-06-07 15:55:14 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/601580/

Fedora has issued an advisory for this on June 5:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134349.html

Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated sendmail packages fix security vulnerability:

Sendmail before 8.14.9 does not properly close file descriptors before
executing programs. This bug could enable local users to interfere with an
open SMTP connection if they can execute their own program for mail delivery
(e.g., via procmail or the prog mailer) (CVE-2014-3956).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134349.html
========================

Updated packages in core/updates_testing:
========================
sendmail-8.14.6-2.1.mga3
sendmail-doc-8.14.6-2.1.mga3
sendmail-cf-8.14.6-2.1.mga3
sendmail-devel-8.14.6-2.1.mga3
sendmail-8.14.7-3.1.mga4
sendmail-doc-8.14.7-3.1.mga4
sendmail-cf-8.14.7-3.1.mga4
sendmail-devel-8.14.7-3.1.mga4

from SRPMS:
sendmail-8.14.6-2.1.mga3.src.rpm
sendmail-8.14.7-3.1.mga4.src.rpm

CC:
(none) =>
cjw

Testing mga4 64
# service sendmail start
# service sendmail status
# mail claire@localhost
Subject: testing sendmail
test test test test test
test test test test test
EOT <------------- Press ctrl-d at the end of the message
#
[claire@localhost ~]$
You have mail in /var/spool/mail/claire
[claire@localhost ~]$ mail
Heirloom mailx version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/claire": 1 message 1 new
>N 1 root Fri Jun 20 16:01 21/876 testing sendmail
?
Message 1:
From root@localhost Fri Jun 20 16:01:34 2014
Return-Path: <root@localhost>
From: root <root@localhost>
Date: Fri, 20 Jun 2014 16:01:34 +0100
To: claire@localhost
Subject: testing sendmail
User-Agent: Heirloom mailx 12.4 7/29/08
Content-Type: text/plain; charset=us-ascii
Status: R
test test test test test
test test test test test
? delete
? quit

Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure mga4-64-ok

Testing complete mga4 32

Whiteboard:
MGA3TOO has_procedure mga4-64-ok =>
MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Testing complete mga3 32 & 64

Whiteboard:
MGA3TOO has_procedure mga4-32-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) =>
validated_update

Update pushed:
http://advisories.mageia.org/MGASA-2014-0270.html

Status:
NEW =>
RESOLVED
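
The advisory in this report describes descriptors left open when a mail delivery program is executed. The following C program is an added illustration of that bug class and its usual mitigation (close-on-exec); it is not code from sendmail, from the 8.14.9 fix, or from this bug report. The function names, descriptor number 7, the socketpair standing in for an SMTP connection and the `/bin/sh` stand-in for a delivery program are all assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_FD 7  /* constructed: slot where the child parks the "SMTP" socket */

/* Mark every open descriptor >= lowfd close-on-exec. Returns how many were
 * changed, or -1 on error. The scan is capped for this demo; production code
 * would enumerate /proc/self/fd or use closefrom() where available. */
int cloexec_from(int lowfd) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    int changed = 0;
    if (maxfd < 0 || maxfd > 4096) maxfd = 4096;
    for (int fd = lowfd; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC)) continue; /* closed or already set */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
        changed++;
    }
    return changed;
}

/* Fork a child holding one end of a socketpair (standing in for the SMTP
 * connection) and exec a program that tries to use it. Returns 1 if the
 * exec'd program could reach the descriptor, 0 if not, -1 on setup error. */
int delivery_program_sees_socket(int harden) {
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        if (dup2(sv[0], DEMO_FD) == -1) _exit(126);
        if (harden && cloexec_from(3) == -1) _exit(126);
        /* Stand-in for procmail / the prog mailer: exits 0 only if fd 7 is open. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; true <&7", (char *)NULL);
        _exit(126);                                /* exec itself failed */
    }
    close(sv[0]); close(sv[1]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) >= 126) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("leaky exec:    program sees socket = %d\n", delivery_program_sees_socket(0));
    printf("hardened exec: program sees socket = %d\n", delivery_program_sees_socket(1));
    return 0;
}
```

When auditing a running daemon for the same class of leak, `ls -l /proc/<pid>/fd` on a spawned delivery process shows which descriptors it inherited.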