Information Security


Additional information

  SSL certificate spoofing in Sendmail

From: MANDRIVA
Date: January 17, 2010
Subject: [ MDVSA-2010:003 ] sendmail


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2010:003
http://www.mandriva.com/security/
_______________________________________________________________________

Package : sendmail
Date    : January 11, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
          Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

A security vulnerability has been identified and fixed in sendmail:

sendmail before 8.14.4 does not properly handle a '\0' (NUL)
character in a Common Name (CN) field of an X.509 certificate, which
(1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
SMTP servers via a crafted server certificate issued by a legitimate
Certification Authority, and (2) allows remote attackers to bypass
intended access restrictions via a crafted client certificate issued by
a legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-4565).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

This update provides a fix for this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565
http://www.sendmail.org/releases/8.14.4
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLTJFPmqjQ0CJFipgRAoKcAJ99aQC/zNJ+rZ9k9UMbTWlldiveLACg0c5X
W7OfxaxmPvfqiwxJE7tjcb8=
=Fkrf
-----END PGP SIGNATURE-----
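
The NUL-in-CN flaw from the Problem Description above, reduced to a stand-alone C illustration. This is an added example, not sendmail or Mandriva code; the `cn_field` struct, the function names and the example.* host names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for an ASN.1 string: X.509 names carry an explicit
 * length, so the bytes may contain NUL. Not sendmail's own type. */
struct cn_field {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: treats the CN as a C string, so the comparison stops at
 * the first NUL and everything after it is silently ignored. */
static int cn_matches_naive(const struct cn_field *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: refuse any CN that contains a NUL inside its declared
 * length, then compare over the full length. */
static int cn_matches_strict(const struct cn_field *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* embedded NUL: refuse the cert */
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp((const char *)cn->data, host, cn->len) == 0;
}

/* Constructed sample CNs (example.* names are placeholders). */
static const unsigned char CN_CRAFTED[] = "mail.example.com\0.other.example";
static const unsigned char CN_HONEST[]  = "mail.example.com";
static const struct cn_field crafted = { CN_CRAFTED, sizeof(CN_CRAFTED) - 1 };
static const struct cn_field honest  = { CN_HONEST,  sizeof(CN_HONEST) - 1 };

int main(void)
{
    const char *expected = "mail.example.com";
    printf("crafted: naive=%d strict=%d\n",
           cn_matches_naive(&crafted, expected),
           cn_matches_strict(&crafted, expected));
    printf("honest:  naive=%d strict=%d\n",
           cn_matches_naive(&honest, expected),
           cn_matches_strict(&honest, expected));
    return 0;
}
```

The naive check accepts the crafted CN as `mail.example.com` even though the CA signed a 31-byte name ending in a different domain; the strict check rejects it and still accepts the honest certificate.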

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod