http://blog.gmane.org/gmane.mail.sendmail.announce hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.mail.sendmail.announce/28 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.14.5. This version fixes a few problems, including: o SMTP extensions are no longer cached across connections as the cache is based on hostname which may not be a unique identifier for a server, i.e., different machines may have the same hostname but provide different SMTP extensions. o An out-of-bounds access is avoided in case a resolver reply for a DNS map lookup returns a size larger than 1K. o The interrupt signal handler has been cleaned up to avoid invoking functions that are not signal-safe. o At most two AUTH lines are read from a server to avoid a DoS attack against the client (memory exhaustion). A complete list of changes can be found in the release notes (see below). Please send bug reports and general feedback to one of the addresses listed at: http://www.sendmail.org/email-addresses.html The version can be found at ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.5.tar.gz ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.5.tar.gz.sig ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.5.tar.Z ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.5.tar.Z.sig MD5 signatures: f3ebb70a5af37aaa6174bc07fb9cd1ae sendmail.8.14.5.tar.Z d5c02a48b1c2c75babb9c666f5b3b1a6 sendmail.8.14.5.tar.Z.sig 02ccfc331cc81ed00ec8bb5ecfc69018 sendmail.8.14.5.tar.gz 43b8cb0eac8e4d9fe47013fa78f32752 sendmail.8.14.5.tar.gz.sig You either need the first two files or the third and fourth, i.e., the gzip'ed version or the compressed version and the corresponding sig file. The PGP signature was created using the Sendmail Signing Key/2011, available on the web site (http://www.sendmail.com/sm/open_source/download/) or on the public key servers. Since sendmail 8.11 and later includes hooks to cryptography, the following information from OpenSSL applies to sendmail as well. PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY. SENDMAIL RELEASE NOTES $Id: RELEASE_NOTES,v 8.1991 2011/05/15 04:28:16 ca Exp $ This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release. 8.14.5/8.14.52011/05/17 Do not cache SMTP extensions across connections as the cache is based on hostname which may not be a unique identifier for a server, i.e., different machines may have the same hostname but provide different SMTP extensions. Problem noted by Jim Hermann. Avoid an out-of-bounds access in case a resolver reply for a DNS map lookup returns a size larger than 1K. Based on a patch from Dr. Werner Fink of SuSE. If a job is aborted using the interrupt signal (e.g., control-C from the keyboard), perform minimal cleanup to avoid invoking functions that are not signal-safe. Note: in previous versions the mail might have been queued up already and would be delivered subsequently, now an interrupt will always remove the queue files and thus prevent delivery. Per RFC 6176, when operating as a TLS client, do not offer SSLv2. Since TLS session resumption is never used as a client, disable use of RFC 4507-style session tickets. Work around gcc4 versions which reverse 25 years of history and no longer align char buffers on the stack, breaking calls to resolver functions on strict alignment platforms. Found by Stuart Henderson of OpenBSD. Read at most two AUTH lines from a server greeting (up to two lines are read because servers may use "AUTH mechs" and "AUTH=mechs"). Otherwise a malicious server may exhaust the memory of the client. Bug report by Nils of MWR InfoSecurity. Avoid triggering an assertion in the OpenLDAP code when the connection to an LDAP server is lost while making a query. Problem noted and patch provided by Andy Fiddaman. If ConnectOnlyTo is set and sendmail is compiled with NETINET6 it would try to use an IPv6 address if an IPv4 (or unparseable) address is specified. If SASLv2 is used, make sure that the macro {auth_authen} is stored in xtext format to avoid problems with parsing it. Problem noted by Christophe Wolfhugel. CONFIG: FEATURE(`ldap_routing') in 8.14.4 tried to add a missing -T&lt;TMPF&gt; that is required, but failed for some cases that did not use LDAP. This change has been undone until a better solution can be implemented. Problem found by Andy Fiddaman. CONFIG: Add cf/ostype/solaris11.m4 for Solaris11 support. Contributed by Casper Dik of Oracle. CONTRIB: qtool.pl: Deal with H entries that do not have a letter between the question marks. Patch from Stefan Christensen. DOC: Use a better description for the -i option in sendmail. Patch from Mitchell Berger. Portability: Add support for Darwin 10.x (Mac OS X 10.6). Enable HAVE_NANOSLEEP for FreeBSD 3 and later. Patch from John Marshall. Enable HAVE_NANOSLEEP for OpenBSD 4.3 and later. Use new directory "/system/volatile" for PidFile on Solaris 11. Patch from Casper Dik of Oracle. Fix compilation on Solaris 11 (and maybe some other OSs) when using OpenSSL 1.0. Based on patch from Jan Pechanec of Oracle. Set SOCKADDR_LEN_T and SOCKOPT_LEN_T to socklen_t for Solaris 11. Patch from Roger Faulkner of Oracle. New Files: cf/ostype/solaris11.m4 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (OpenBSD) iQEcBAEBAgAGBQJN0eGPAAoJEDmkx32peISwHvUIAINCS9zvq05WNy0sUxzS9krb JVb1+RCwSjcKqpNbZ2+dhK7wTEuET+x1RItsKl0v2ZNrei2p3xg1PvXUs/A4TVK8 +vIgNTpGhRbsNLDcPOszFdy4i+OhB8vRlZpboFl8OKL105VbC1gUMUpdIUK1TX8I nZDeQKotIDXmkpH2k8dCuclLWO4NSyX9yZ0VZulintR79+bCIY5iP2UvSaFSPbne O5YzqRsVkd0xoSRDxsVMtbZAwDseHU/YLsCpLC2u0kCAbCjLgG5p+Tz+IYXjiscm fxsUUK+oN57/YQEXA7fLCLMf6RPFGXaz+Il7CpNFKi6krF6DOyjgjsWNBe6kSh8= =pRJn -----END PGP SIGNATURE----- </pre> Claus Assmann 2011-05-17T13:34:12 http://permalink.gmane.org/gmane.mail.sendmail.announce/27 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.14.4. This version fixes some problems: o some certificate authorities do not properly check the requests they are signing and hence allow spoofing via an embedded NUL in the CN entry. Some checks have been added to deal with "bogus" CNs (see below and doc/op/op.*). o a workaround for a Linux resolver problem has been added to avoid core dumps. o the value of headers, e.g., Precedence, Content-Type, et.al., was not extracted correctly thus preventing them from being recognized properly; leading spaces were not stripped (which was an unintended side effect of an earlier change) and hence comparing them with expected values (e.g., "first-class" for Precedence) did not work. o between 8.11.7 and 8.12.0 the length limitation on a return path was erroneously reduced. A complete list of changes can be found in the release notes (see below). Please send bug reports and general feedback to one of the addresses listed at: http://www.sendmail.org/email-addresses.html The version can be found at ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.4.tar.gz ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.4.tar.gz.sig ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.4.tar.Z ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.4.tar.Z.sig MD5 signatures: 1b23d5000c8e7bfe82ec1a27f2f5fdc5 sendmail.8.14.4.tar.gz 0986e83fefad74477e5473860eb7a3dc sendmail.8.14.4.tar.gz.sig db975437af4b08ed3b88deaccec26f89 sendmail.8.14.4.tar.Z 8a5740dff8a85e0d5a8d754bf73c0b28 sendmail.8.14.4.tar.Z.sig You either need the first two files or the third and fourth, i.e., the gzip'ed version or the compressed version and the corresponding sig file. The PGP signature was created using the Sendmail Signing Key/2009, available on the web site (http://www.sendmail.org/) or on the public key servers. Since sendmail 8.11 and later includes hooks to cryptography, the following information from OpenSSL applies to sendmail as well. PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY. SENDMAIL RELEASE NOTES $Id: RELEASE_NOTES,v 8.1963 2009/12/23 04:43:46 ca Exp $ This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release. 8.14.4/8.14.42009/12/30 SECURITY: Handle bogus certificates containing NUL characters in CNs by placing a string indicating a bad certificate in the {cn_subject} or {cn_issuer} macro. Patch inspired by Matthias Andree's changes for fetchmail. During the generation of a queue identifier an integer overflow could occur which might result in bogus characters being used. Based on patch from John Vannoy of Pepperdine University. The value of headers, e.g., Precedence, Content-Type, et.al., was not processed correctly. Patch from Per Hedeland. Between 8.11.7 and 8.12.0 the length limitation on a return path was erroneously reduced from MAXNAME (256) to MAXSHORTSTR (203). Patch from John Gardiner Myers of Proofpoint; the problem was also noted by Steve Hubert of University of Washington. Prevent a crash when a hostname lookup returns a seemingly valid result which contains a NULL pointer (this seems to be happening on some Linux versions). The process title was missing the current load average when the MTA was delaying connections due to DelayLA. Patch from Dick St.Peters of NetHeaven. Do not reset the number of queue entries in shared memory if only some of them are processed. Fix overflow of an internal array when parsing some replies from a milter. Problem found by Scott Rotondo of Sun Microsystems. If STARTTLS is turned off in the server (via M=S) then it would not be initialized for use in the client either. Patch from Kazuteru Okahashi of IIJ. If a Diffie-Hellman cipher is selected for STARTTLS, the handshake could fail with some TLS implementations because the prime used by the server is not long enough. Note: the initialization of the DSA/DH parameters for the server can take a significant amount of time on slow machines. This can be turned off by setting DHParameters to none or a file (see doc/op/op.me). Patch from Petr Lampa of the Brno University of Technology. Fix handling of `b' modifier for DaemonPortOptions on little endian machines for loopback address. Patch from John Beck of Sun Microsystems. Fix a potential memory leak in libsmdb/smdb1.c found by parfait. Based on patch from Jonathan Gray of OpenBSD. If a milter sets the reply code to "421" during the transfer of the body, the SMTP server will terminate the SMTP session with that error to match the behavior of the other callbacks. Return EX_IOERR (instead of 0) if a mail submission fails due to missing disk space in the mail queue. Based on patch from Martin Poole of RedHat. CONFIG: Using FEATURE(`ldap_routing')'s `nodomain' argument would cause addresses not found in LDAP to be misparsed. CONFIG: Using a CN restriction did not work for TLS_Clt as it referred to a wrong macro. Patch from John Gardiner Myers of Proofpoint. CONFIG: The option relaytofulladdress of FEATURE(`access_db') did not work if FEATURE(`relay_hosts_only') is used too. Problem noted by Kristian Shaw. CONFIG: The internal function lower() was broken and hence strcasecmp() did not work either, which could cause problems for some FEATURE()s if upper case arguments were used. Patch from Vesa-Matti J Kari of the University of Helsinki. LIBMILTER: Fix internal check whether a milter application is compiled against the same version of libmilter as it is linked against (especially useful for dynamic libraries). LIBMILTER: Fix memory leak that occurred when smfi_setsymlist() was used. Based on patch by Dan Lukes. LIBMILTER: Document the effect of SMFIP_HDR_LEADSPC for filters which add, insert, or replace headers. From Benjamin Pineau. LIBMILTER: Fix error messages which refer to "select()" to be correct if SM_CONF_POLL is used. Based on patch from John Nemeth. LIBSM: Fix handling of LDAP search failures where the error is carried in the search result itself, such as seen with OpenLDAP proxy servers. VACATION: Do not refer to a local variable outside its scope. Based on patch from Mark Costlow of Southwest Cyberport. Portability: Enable HAVE_NANOSLEEP for SunOS 5.11. Patch from John Beck of Sun Microsystems. Drop NISPLUS from default SunOS 5.11 map definitions. Patch from John Beck of Sun Microsystems. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (OpenBSD) iQCVAwUBSzu+TBKJbpunfyQpAQKvUQP/Wn36SntcxQhNSv8Ei+i4kbC8xBE3Zh1v Ko7hFjfaYhxZena2xF6qXgAwstm4uzYY7fbYSZBvVV+q7dWHXHsH20ny/Q6G5bC0 O6uaAmJSeaCerGPhF90v1T/qhPTBqJjYaShLVtZSElxn4lwhsOJvSCbIuyeO18B9 NziF/zq5pkg= =e4v4 -----END PGP SIGNATURE----- </pre> Claus Assmann 2009-12-30T23:37:06 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.mail.sendmail.announce