| Summary: | <mail-mta/sendmail-8.14.4: X.509 NULL spoofing (CVE-2009-4565) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | net-mail+disabled, tb |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.sendmail.org/releases/8.14.4 | ||
| Whiteboard: | A3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
net-mail, we have 8.14.4 is in tree, is it ok to stabilize? CVE-2009-4565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4565): sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. I take that as a "yes". Arches, please test and mark stable: =mail-mta/sendmail-8.14.4 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" x86 stable ppc and ppc64 done Stable for HPPA. alpha/arm/ia64/s390/sh/sparc stable amd64 stable, all arches done. GLSA request filed. This issue was resolved and addressed in GLSA 201206-30 at http://security.gentoo.org/glsa/glsa-201206-30.xml by GLSA coordinator Stefan Behte (craig). |
From the release notes ($URL): Handle bogus certificates containing NUL characters in CNs by placing a string indicating a bad certificate in the {cn_subject} or {cn_issuer} macro. Patch inspired by Matthias Andree's changes for fetchmail. During the generation of a queue identifier an integer overflow could occur which might result in bogus characters being used. Based on patch from John Vannoy of Pepperdine University. The value of headers, e.g., Precedence, Content-Type, et.al., was not processed correctly. Patch from Per Hedeland. Between 8.11.7 and 8.12.0 the length limitation on a return path was erroneously reduced from MAXNAME (256) to MAXSHORTSTR (203). Patch from John Gardiner Myers of Proofpoint; the problem was also noted by Steve Hubert of University of Washington. Prevent a crash when a hostname lookup returns a seemingly valid result which contains a NULL pointer (this seems to be happening on some Linux versions). The process title was missing the current load average when the MTA was delaying connections due to DelayLA. Patch from Dick St.Peters of NetHeaven. Do not reset the number of queue entries in shared memory if only some of them are processed. Fix overflow of an internal array when parsing some replies from a milter. Problem found by Scott Rotondo of Sun Microsystems. If STARTTLS is turned off in the server (via M=S) then it would not be initialized for use in the client either. Patch from Kazuteru Okahashi of IIJ. If a Diffie-Hellman cipher is selected for STARTTLS, the handshake could fail with some TLS implementations because the prime used by the server is not long enough. Note: the initialization of the DSA/DH parameters for the server can take a significant amount of time on slow machines. This can be turned off by setting DHParameters to none or a file (see doc/op/op.me). Patch from Petr Lampa of the Brno University of Technology. Fix handling of `b' modifier for DaemonPortOptions on little endian machines for loopback address. Patch from John Beck of Sun Microsystems. Fix a potential memory leak in libsmdb/smdb1.c found by parfait. Based on patch from Jonathan Gray of OpenBSD. If a milter sets the reply code to "421" during the transfer of the body, the SMTP server will terminate the SMTP session with that error to match the behavior of the other callbacks. Return EX_IOERR (instead of 0) if a mail submission fails due to missing disk space in the mail queue. Based on patch from Martin Poole of RedHat.