Re: Sendmail Critical Vulnerability (413 Views)
Occasional Advisor
Craig Jungers
Posts: 8
Registered: ‎01-13-2003
Message 1 of 14 (483 Views)

Sendmail Critical Vulnerability

There is a new critical vulnerability for all versions of sendmail prior to 8.12.8. This means that all of our SA1100s are vulnerable (my SA1100 uses version 8.10.2 - you can check by telnetting to port 25 of your appliance and reading the version) and since most of us use them for email we need to update ASAP. I have downloaded the newest version (from http://www.sendmail.org) but I'm unsure about how to compile it and install it without compromising the somewhat unorthodox directory structure of the SA1100. Can I just build a new binary and install it with unchanged config files? Does anyone have any information on this?
Please use plain text.
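The first post suggests reading the Sendmail version out of the port 25 greeting. The script below is an added example, not something posted in the thread: it parses a banner line (the sample banner is constructed) and compares the advertised version against the 8.12.8 release the post names. The `nc` one-liner in the comment is only a hint for reading a live banner from an appliance you administer; the host name in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): parse the SMTP greeting banner that the
# thread suggests reading over port 25, and compare the Sendmail version it
# advertises against the fixed release (8.12.8) named in the first post.
# The banner below is constructed for illustration; real banners vary.

SAMPLE_BANNER='220 mail.example.test ESMTP Sendmail 8.10.2/8.10.2; Tue, 4 Mar 2003 10:00:00 -0800'
FIXED_VERSION='8.12.8'

# Extract "X.Y.Z" from a Sendmail banner line; prints nothing if there is no match.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*Sendmail \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Compare two three-part dotted versions numerically, field by field.
# Returns 0 (true) if $1 is strictly older than $2.
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Print "vulnerable", "patched" or "unknown" for one banner line.
assess_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# To read a live banner from an appliance you administer (placeholder host name):
#   printf 'QUIT\r\n' | nc -w 5 appliance.example.test 25 | head -n 1
assess_banner "$SAMPLE_BANNER"
```

One caveat that later posts in this thread touch on: a vendor package can carry the security fix as a backport without changing the upstream version string, so a banner that says 8.11.6 does not by itself tell you whether the Red Hat patch level is installed. Check the package release (`rpm -q sendmail`) as well as the banner.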
Occasional Advisor
Sean_71
Posts: 11
Registered: ‎02-14-2003
Message 2 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

Hi Craig, can you let the group know if you do manage to upgrade this. I was under the impression that rpm -Uvh would update the binaries. But please don't quote me on this. I tried to update perl on mine and it ended up corrupting the image; this is probably because the admin scripts are written in perl. However, this ended up being a library thing. What we need to do is for a group of us to try and update the whole image to the newest Red Hat 8 while maintaining its functionality, and make it publicly available through ftp. I for one would be quite happy to pay a small fee towards covering people's efforts and hosting costs to provide such an image.
Sean

who dares wins
Occasional Advisor
Craig Jungers
Posts: 8
Registered: ‎01-13-2003
Message 3 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

I compiled the sendmail package with no errors but found that simply substituting the binary (new sendmail) for the old binary didn't work. I tried to restart sendmail without success. So now I'm looking at what exactly needs to be changed in order to get the new package working. If anyone else has looked at this your comments and suggestions would be much appreciated.
Occasional Advisor
BR699722
Posts: 10
Registered: ‎07-22-2002
Message 4 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

hi,

just compiling the new sendmail sources and replacing the binaries won't work, because Sendmail 8.12 uses two mail queues. So you have to rebuild the sendmail.cf and make some other configuration changes.

The easiest way is to patch your current Sendmail with an rpm package from Red Hat (if you have the Red Hat distribution installed).
Download the patch and install it with "rpm -u package-name". Then restart sendmail. Be sure to make a backup copy of /etc/mail (whole directory) and /etc/sendmail.cf.


HtH
Thomas
Honored Contributor
Robert-Jan Goossens
Posts: 7,384
Registered: ‎04-04-2000
Message 5 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

Hi Craig,

follow the next link to the HPUX forum; the linked call is about the sendmail vulnerability.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x82599c196a4bd71190080090279cd0f9,00.html

Robert-Jan.
Occasional Advisor
Craig Jungers
Posts: 8
Registered: ‎01-13-2003
Message 6 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

How do I determine what version of Red Hat my server is running? I can easily determine the kernel version, the sendmail version, etc. but finding the version of Red Hat (in order to get the correct rpm) is proving difficult.
Honored Contributor
Robert-Jan Goossens
Posts: 7,384
Registered: ‎04-04-2000
Message 7 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

Hi,

if i'm not mistaken,

# uname -a
or
# uname -v

Robert-Jan.
Occasional Advisor
Craig Jungers
Posts: 8
Registered: ‎01-13-2003
Message 8 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

The uname -a command only returns the kernel version. On standard Linux boxes you can tell the Distro version when you telnet in, but not with the HP boxes. Any other ideas? I think it must be one of the RH v.6 distros but really would like to be sure.
Honored Contributor
Robert-Jan Goossens
Posts: 7,384
Registered: ‎04-04-2000
Message 9 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

Hi,

how about downloading and installing sysinfo ?

http://www.magnicomp.com/sysinfo/sysinfo.shtml

Hope it helps,

Robert-Jan.
Occasional Advisor
Sean_71
Posts: 11
Registered: ‎02-14-2003
Message 10 of 14 (483 Views)

Re: Sendmail Critical Vulnerability

I believe that all the SA1100/1120 are based upon a Red Hat 6.2 server install with a few core components changed, such as sendmail and apache.

who dares wins
Occasional Advisor
Craig Jungers
Posts: 8
Registered: ‎01-13-2003
Message 11 of 14 (413 Views)

Re: Sendmail Critical Vulnerability

According to RH's web site, the version of sendmail for 6.2 was 8.11.6 but the version of sendmail on my SA1100 is 8.10.2. I don't believe that simply doing an RPM -U of 8.12.8 would work, either (there are some file differences). I can't find anything on RH's site that offers upgrades for anything older than 6.2 but I'm still looking at their ftp site (can't get on at the moment).

We are very close to simply buying a cobalt and being done with this crapola.
Occasional Advisor
BR699722
Posts: 10
Registered: ‎07-22-2002
Message 12 of 14 (413 Views)

Re: Sendmail Critical Vulnerability

hi Craig,

the rpm program offers an option to test the dependencies of an rpm package (i.e. rpm -U --test rpm-package).
IMHO you could upgrade to 8.11.6-126 (where 126 is the patch level) without config changes. This version is secured against the vulnerability.
sendmail 8.12.x works differently from the prior versions, so you have to configure it again if you upgrade to this version.

cu
Thomas
Occasional Advisor
Craig Jungers
Posts: 8
Registered: ‎01-13-2003
Message 13 of 14 (413 Views)

Re: Sendmail Critical Vulnerability

The rpm RH lists for V6.2 is not the same as the one that was installed in the SA1100 (we've already covered this). Because of the nature of the SA1100 and its non-standard mail delivery system I was very VERY reluctant to simply install an RPM from redhat. Installing the latest sendmail (8.12.8) didn't work because the file structure of this version is very different from older versions.

What I finally did was to download the patched source RPM (sendmail-8.11.6-1.62.2.src.rpm), did an install ("rpm -i sendmail...etc"), then compiled it ("sh Build"). Then I copied each of the following files to a .bak backup in its subdirectory.

/usr/bin/rmail
/usr/sbin/mailstats
/usr/sbin/makemap
/usr/sbin/praliases
/usr/sbin/sendmail
/usr/sbin/smrsh

I then stopped the mail daemon using the web-based control screen.

I now had a backup copy of each of these files in its subdir ready to copy back into position should this upgrade fail. I then copied the new version of each of these new files into the appropriate subdirectory and restarted the mail daemon using the web-based controls.

The control page reported that sendmail had started and was running. I then went to an account outside this system and sent a test email which worked. Then I watched /var/log/maillog for a few minutes looking for obvious problems. None so far. :)

If you need to upgrade your SA1100 appliance server this method should work for you as well. I want to thank all who offered their suggestions.

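The backup-then-swap procedure in the post above, scripted as an added example (these are not Craig's own commands): every file in his list is copied to a .bak beside it before anything is replaced, the install step refuses to overwrite a file that has no backup, and one rollback function puts all six back. The `ROOT` prefix and the `NEW_BIN_DIR` staging directory are assumptions added so the script can be exercised against a scratch directory rather than a live appliance; as the post says, stop the mail daemon before swapping binaries and restart it afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): the backup-then-swap procedure from the
# post, with a rollback. ROOT (hypothetical) prefixes every path so the script
# can be run against a scratch tree; NEW_BIN_DIR (hypothetical) is where the
# freshly built binaries are staged. The file list is the one in the post.

ROOT=${ROOT:-}
NEW_BIN_DIR=${NEW_BIN_DIR:-/tmp/sendmail-new}

FILES='/usr/bin/rmail
/usr/sbin/mailstats
/usr/sbin/makemap
/usr/sbin/praliases
/usr/sbin/sendmail
/usr/sbin/smrsh'

# Copy each installed binary to <path>.bak in its own directory
# (cp -p keeps mode and ownership, which matters for setuid/setgid binaries).
backup_binaries() {
    for f in $FILES; do
        [ -f "$ROOT$f" ] || { echo "missing: $ROOT$f" >&2; return 1; }
        cp -p "$ROOT$f" "$ROOT$f.bak" || return 1
    done
}

# Install the freshly built binaries from NEW_BIN_DIR, refusing to touch any
# file that has no .bak so an interrupted run can never leave you without a way back.
install_binaries() {
    for f in $FILES; do
        [ -f "$ROOT$f.bak" ] || { echo "no backup for $f, refusing" >&2; return 1; }
        new="$NEW_BIN_DIR/$(basename "$f")"
        [ -f "$new" ] || { echo "new binary not found: $new" >&2; return 1; }
        cp -p "$new" "$ROOT$f" || return 1
    done
}

# Put every .bak back into place (the "should this upgrade fail" path from the post).
rollback_binaries() {
    for f in $FILES; do
        [ -f "$ROOT$f.bak" ] && cp -p "$ROOT$f.bak" "$ROOT$f"
    done
    return 0
}

# One line per file: whether the installed copy now differs from its backup.
installed_differs_from_backup() {
    for f in $FILES; do
        if cmp -s "$ROOT$f" "$ROOT$f.bak"; then
            echo "$f unchanged"
        else
            echo "$f replaced"
        fi
    done
}

# Typical sequence on the appliance itself (daemon stopped first, as in the post):
#   backup_binaries && install_binaries && installed_differs_from_backup
# and if the daemon will not start or maillog shows trouble:
#   rollback_binaries
```

Keeping the .bak files beside the originals is convenient, but they are also world-readable copies of setuid binaries with a known hole, so once the upgrade has been confirmed working for a while, remove them or move them somewhere the mail daemon cannot reach.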
Occasional Advisor
Sean_71
Posts: 11
Registered: ‎02-14-2003
Message 14 of 14 (413 Views)

Re: Sendmail Critical Vulnerability

This is why we need to make an image; then we can experiment with updating pkgs and testing various configurations and be assured that if anything goes wrong we can restore the original image.

I have an SA1120 and various other 1U servers and plenty of disk space, that I would be fully prepared to make available if anyone wants to get involved in creating a new image.

who dares wins
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation