Vulnerability Bulletins

int(2655)

Vulnerability Bulletins

Denegación de servicio en Sendmail
Vulnerability classification
Property	Value
Confidence level	Oficial
Impact	Denegación de Servicio
Dificulty	Experto
Required attacker level	Acceso remoto sin cuenta a un servicio estandar
System information
Property	Value
Affected manufacturer	GNU/Linux
Affected software	Sendmail
Description
Se ha descubierto una vulnerabilidad en Sendmail. La vulnerabilidad reside en un error al manejar ciertos mensajes con líneas de cabecera especialmente largas lo que podría causar un error al intentar acceder a un puntero ya liberado (use-after-free bug). Un atacante podría causar una denegación de servicio.
Solution
Actualización de software OpenBSD OpenBSD 3.8 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/010_sendmail3.patch OpenBSD 3.9 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/005_sendmail3.patch Debian Debian Linux 3.1 Source http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge3.dsc http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge3.diff.gz http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4.orig.tar.gz Architecture independent http://security.debian.org/pool/updates/main/s/sendmail/sendmail-base_8.13.4-3sarge3_all.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-cf_8.13.4-3sarge3_all.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.13.4-3sarge3_all.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge3_all.deb Alpha http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_alpha.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_alpha.deb AMD64 http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_amd64.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_amd64.deb ARM http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_arm.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_arm.deb HP Precision http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_hppa.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_hppa.deb Intel IA-32 http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_i386.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_ia64.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_ia64.deb Motorola 680x0 http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_m68k.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_mips.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_mipsel.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_powerpc.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_s390.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge3_sparc.deb http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge3_sparc.deb Mandriva Corporate Server 3.0 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/sendmail-8.12.11-1.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/sendmail-cf-8.12.11-1.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/sendmail-devel-8.12.11-1.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/sendmail-doc-8.12.11-1.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/sendmail-8.12.11-1.3.C30mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/sendmail-8.12.11-1.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/sendmail-cf-8.12.11-1.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/sendmail-devel-8.12.11-1.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/sendmail-doc-8.12.11-1.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/sendmail-8.12.11-1.3.C30mdk.src.rpm Multi Network Firewall 2.0 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/sendmail-8.12.11-1.3.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/RPMS/sendmail-cf-8.12.11-1.3.M20mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf/2.0/SRPMS/sendmail-8.12.11-1.3.M20mdk.src.rpm Mandrivalinux 2006 X86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/sendmail-8.13.4-6.3.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/sendmail-cf-8.13.4-6.3.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/sendmail-devel-8.13.4-6.3.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/sendmail-doc-8.13.4-6.3.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/sendmail-8.13.4-6.3.20060mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/sendmail-8.13.4-6.3.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/sendmail-cf-8.13.4-6.3.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/sendmail-devel-8.13.4-6.3.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/sendmail-doc-8.13.4-6.3.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/sendmail-8.13.4-6.3.20060mdk.src.rpm Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux Sun(102664) Solaris 9 / SPARC / patch 113575-08 Solaris 9 / x86 / patch 114137-07 Solaris 10 / SPARC / patch 125011-01 Solaris 10 / x86 / patch 125012-01 http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage
Standar resources
Property	Value
CVE	CVE-2006-4434
BID	19714
Other resources
OpenBSD Security Advisory Aug 25, 2006 (005) http://www.openbsd.org/errata.html#sendmail3 OpenBSD Security Advisory Aug 25, 2006 (010) http://www.openbsd.org/errata38.html#sendmail3 Debian Security Advisory (DSA 1164-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00254.html Mandriva Security Advisory (MDKSA-2006:156) http://www.mandriva.com/security/advisories?name=MDKSA-2006:156 SUSE Security Advisory (SUSE-SR:2006:021) http://www.novell.com/linux/security/advisories/2006_21_sr.html Sun Alert Notification (102664) http://sunsolve.sun.com/search/document.do?assetkey=1-26-102664-1

Version history
Version	Comments	Date
1.0	Aviso emitido	2006-08-28
1.1	CVE añadido. Aviso emitido por Debian (DSA 1164-1). Aviso emitido por Mandriva (MDKSA-2006:156)	2006-08-31
1.2	Aviso emitido por Suse (SUSE-SR:2006:021)	2006-09-04
1.3	Aviso emitido por Sun (102664)	2006-10-17
1.4	Aviso actualizado por Sun (102664)	2006-11-29
1.5	Aviso actualizado por Sun (102664)	2007-01-31

Vulnerability Bulletins

Denegación de servicio en Sendmail

Vulnerability classification

System information

Description

Solution

Standar resources

Other resources

Version history