What Are You Looking For?

Sign Up
Date:         Wed, 7 Apr 2010 13:29:51 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Low: sendmail on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Low: sendmail security and bug fix update
Issue date:	2010-03-30
CVE Names:	CVE-2006-7176 CVE-2009-4565

The configuration of sendmail in Scientific Linux was found to not 
reject the "localhost.localdomain" domain name for email messages that 
come from external hosts. This could allow remote attackers to disguise 
spoofed messages. (CVE-2006-7176)

A flaw was found in the way sendmail handled NUL characters in the
CommonName field of X.509 certificates. An attacker able to get a
carefully-crafted certificate signed by a trusted Certificate Authority
could trick sendmail into accepting it by mistake, allowing the attacker 
to perform a man-in-the-middle attack or bypass intended client 
certificate authentication. (CVE-2009-4565)

Note: The CVE-2009-4565 issue only affected configurations using TLS 
with certificate verification and CommonName checking enabled, which is 
not a typical configuration.

This update also fixes the following bugs:

* sendmail was unable to parse files specified by the ServiceSwitchFile
option which used a colon as a separator. (BZ#512871)

* sendmail incorrectly returned a zero exit code when free space was 
low. (BZ#299951)

* the sendmail manual page had a blank space between the -qG option and
parameter. (BZ#250552)

* the comments in the sendmail.mc file specified the wrong path to SSL
certificates. (BZ#244012)

* the sendmail packages did not provide the MTA capability. (BZ#494408)

SL 5.x

     SRPMS:
sendmail-8.13.8-8.el5.src.rpm
     i386:
sendmail-8.13.8-8.el5.i386.rpm
sendmail-cf-8.13.8-8.el5.i386.rpm
sendmail-devel-8.13.8-8.el5.i386.rpm
sendmail-doc-8.13.8-8.el5.i386.rpm
     x86_64:
sendmail-8.13.8-8.el5.x86_64.rpm
sendmail-cf-8.13.8-8.el5.x86_64.rpm
sendmail-devel-8.13.8-8.el5.i386.rpm
sendmail-devel-8.13.8-8.el5.x86_64.rpm
sendmail-doc-8.13.8-8.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2006-7176 Low: sendmail SL5.x i386/x86_64

Low: sendmail security and bug fix update

Summary

come from external hosts. This could allow remote attackers to disguisespoofed messages. (CVE-2006-7176)A flaw was found in the way sendmail handled NUL characters in theCommonName field of X.509 certificates. An attacker able to get acarefully-crafted certificate signed by a trusted Certificate Authoritycould trick sendmail into accepting it by mistake, allowing the attackerto perform a man-in-the-middle attack or bypass intended clientcertificate authentication. (CVE-2009-4565)Note: The CVE-2009-4565 issue only affected configurations using TLSwith certificate verification and CommonName checking enabled, which isnot a typical configuration.This update also fixes the following bugs:* sendmail was unable to parse files specified by the ServiceSwitchFileoption which used a colon as a separator. (BZ#512871)* sendmail incorrectly returned a zero exit code when free space waslow. (BZ#299951)* the sendmail manual page had a blank space between the -qG option andparameter. (BZ#250552)* the comments in the sendmail.mc file specified the wrong path to SSLcertificates. (BZ#244012)* the sendmail packages did not provide the MTA capability. (BZ#494408)SL 5.xSRPMS:sendmail-8.13.8-8.el5.src.rpmi386:sendmail-8.13.8-8.el5.i386.rpmsendmail-cf-8.13.8-8.el5.i386.rpmsendmail-devel-8.13.8-8.el5.i386.rpmsendmail-doc-8.13.8-8.el5.i386.rpmx86_64:sendmail-8.13.8-8.el5.x86_64.rpmsendmail-cf-8.13.8-8.el5.x86_64.rpmsendmail-devel-8.13.8-8.el5.i386.rpmsendmail-devel-8.13.8-8.el5.x86_64.rpmsendmail-doc-8.13.8-8.el5.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity
Issued Date: : 2010-03-30
CVE Names: CVE-2006-7176 CVE-2009-4565
The configuration of sendmail in Scientific Linux was found to not
reject the "localhost.localdomain" domain name for email messages that

Related News

Kubernetes Security on AWS: A Practical Guide

Nov 18, 2023

Nitrux 3.2.0 Linux Distro Released with Enhanced Security and New Features

Nov 28, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses

About Us

Powered By

Footer Logo