Subject: CVS commit: [pkgsrc-2005Q4] pkgsrc/mail/sendmail812
To: None <pkgsrc-changes@NetBSD.org>
From: Lubomir Sedlacik <salo@netbsd.org>
List: pkgsrc-changes
Date: 03/24/2006 16:11:16
Module Name:	pkgsrc
Committed By:	salo
Date:		Fri Mar 24 16:11:16 UTC 2006

Modified Files:
	pkgsrc/mail/sendmail812 [pkgsrc-2005Q4]: Makefile Makefile.common
	    distinfo

Log Message:
Pullup ticket 1254 - requested by Todd Vierling
security fix for sendmail812

Revisions pulled up:
- pkgsrc/mail/sendmail812/Makefile		1.8
- pkgsrc/mail/sendmail812/Makefile.common	1.10
- pkgsrc/mail/sendmail812/distinfo		1.4

   Module Name:		pkgsrc
   Committed By:	tv
   Date:		Wed Mar 22 21:19:06 UTC 2006

   Modified Files:
   	pkgsrc/mail/sendmail812: Makefile Makefile.common distinfo

   Log Message:
   Update sendmail (with vendor patch) to address the current security issue:
       http://www.kb.cert.org/vuls/id/834865

   Bump to nb2.
   This will change the internal version of sendmail to 8.12.11.20060308.

   >       SECURITY: Replace unsafe use of setjmp(3)/longjmp(3) in the server
   >               and client side of sendmail with timeouts in the libsm I/O
   >               layer and fix problems in that code.  Also fix handling of
   >               a buffer in sm_syslog() which could have been used as an
   >               attack vector to exploit the unsafe handling of
   >               setjmp(3)/longjmp(3) in combination with signals.
   >               Problem detected by Mark Dowd of ISS X-Force.
   >       Handle theoretical integer overflows that could be triggered if
   >               the server accepted headers larger than the maximum
   >               (signed) integer value.  This is prevented in the default
   >               configuration by restricting the size of a header, and on
   >               most machines memory allocations would fail before reaching
   >               those values.  Problems found by Phil Brass of ISS.


To generate a diff of this commit:
cvs rdiff -r1.6 -r1.6.4.1 pkgsrc/mail/sendmail812/Makefile
cvs rdiff -r1.9 -r1.9.2.1 pkgsrc/mail/sendmail812/Makefile.common
cvs rdiff -r1.3 -r1.3.4.1 pkgsrc/mail/sendmail812/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.