Upstream has released version 8.14.9 on May 22: http://freecode.com/projects/sendmail/releases/363923 It fixes a security issue.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Upstream announcement: http://www.sendmail.com/sm/open_source/download/8.14.9/
CVE request: http://openwall.com/lists/oss-security/2014/06/03/1
CVE-2014-3956 assigned: http://openwall.com/lists/oss-security/2014/06/04/5
Summary: sendmail new security issue fixed upstream in 8.14.9 => sendmail new security issue fixed upstream in 8.14.9 (CVE-2014-3956)
URL: (none) => http://lwn.net/Vulnerabilities/601580/
Patch: http://pkgs.fedoraproject.org/cgit/sendmail.git/plain/sendmail-8.14.9-close-on-exec.patch?h=f20&id=907e32ef2b4dd9323fed9b09aada68c351a083ae
Fedora has issued an advisory for this on June 5: https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134349.html
Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated sendmail packages fix security vulnerability:

Sendmail before 8.14.9 does not properly close file descriptors before executing programs. This bug could enable local users to interfere with an open SMTP connection if they can execute their own program for mail delivery (e.g., via procmail or the prog mailer) (CVE-2014-3956).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134349.html
========================

Updated packages in core/updates_testing:
========================
sendmail-8.14.6-2.1.mga3
sendmail-doc-8.14.6-2.1.mga3
sendmail-cf-8.14.6-2.1.mga3
sendmail-devel-8.14.6-2.1.mga3
sendmail-8.14.7-3.1.mga4
sendmail-doc-8.14.7-3.1.mga4
sendmail-cf-8.14.7-3.1.mga4
sendmail-devel-8.14.7-3.1.mga4

from SRPMS:
sendmail-8.14.6-2.1.mga3.src.rpm
sendmail-8.14.7-3.1.mga4.src.rpm

CC: (none) => cjw
Version: Cauldron => 4
Assignee: cjw => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
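The descriptor leak the advisory describes, and the close-on-exec flag that prevents it, shown as an added example that is not part of this bug report or of the sendmail patch. Assumptions: a socketpair stands in for the open SMTP connection, /bin/sh stands in for the delivery program, and the names set_cloexec, fd_survives_exec and PROBE_FD are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_FD 9 /* assumed slot; single digit so any POSIX sh can test it */

/* Set FD_CLOEXEC while keeping the other descriptor flags. 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) ? -1 : 0;
}

/* Fork and exec /bin/sh (stand-in for a delivery program such as procmail).
 * Returns 1 if fd is still open in the exec'd program, 0 if not, -1 on error. */
int fd_survives_exec(int fd)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Child only: move fd to PROBE_FD. dup2() clears FD_CLOEXEC on the
         * copy, so the original flag is carried over explicitly. */
        int flags = fcntl(fd, F_GETFD);
        if (fd != PROBE_FD && (flags == -1 || dup2(fd, PROBE_FD) == -1 ||
                               fcntl(PROBE_FD, F_SETFD, flags) == -1))
            _exit(127);
        /* The shell exits 0 only if descriptor 9 (PROBE_FD) is open after exec. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; true <&9", (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int sp[2]; /* constructed stand-in for the open SMTP connection */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1)
        return 1;
    printf("before FD_CLOEXEC: inherited=%d\n", fd_survives_exec(sp[0]));
    set_cloexec(sp[0]);
    printf("after  FD_CLOEXEC: inherited=%d\n", fd_survives_exec(sp[0]));
    return 0;
}
```

A descriptor created without the flag is handed to every program the daemon executes, which is why the flag has to be set on each connection socket.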
Testing mga4 64

# service sendmail start
# service sendmail status
# mail claire@localhost
Subject: testing sendmail
test test test test test test test test test test
EOT <------------- Press ctrl-d at the end of the message
#

[claire@localhost ~]$
You have mail in /var/spool/mail/claire
[claire@localhost ~]$ mail
Heirloom mailx version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/claire": 1 message 1 new
>N 1 root Fri Jun 20 16:01 21/876 testing sendmail
?
Message 1:
From root@localhost Fri Jun 20 16:01:34 2014
Return-Path: <root@localhost>
From: root <root@localhost>
Date: Fri, 20 Jun 2014 16:01:34 +0100
To: claire@localhost
Subject: testing sendmail
User-Agent: Heirloom mailx 12.4 7/29/08
Content-Type: text/plain; charset=us-ascii
Status: R

test test test test test test test test test test

? delete
? quit
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0270.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED