Bulletin d'alerte Debian

DSA-1155-2 sendmail -- Erreur de programmation

Date du rapport:

24 août 2006

Paquets concernés:

Vulnérabilité:

Oui

Références dans la base de données de sécurité:

Dans le système de suivi des bogues Debian : Bogue 373801, Bogue 380258.
Dans la base de données de suivi des bogues (chez SecurityFocus) : Identificateur BugTraq 18433.
Dans le dictionnaire CVE du Mitre : CVE-2006-1173.
Les annonces de vulnérabilité et les bulletins d'alerte du CERT : VU#146718.

Pour plus d'information:

Il est apparu que le paquet binaire sendmail dépendait de libsasl2 (>= 2.1.19.dfsg1) qui n'est disponible ni dans l'archive stable ni dans celle de sécurité. Il est prévu d'incorporer cette version dans la prochaine mise à jour de la version stable cependant.

Vous devrez télécharger le fichier référencé pour votre architecture ci-dessous et l'installer avec la commande dpkg -i.

Comme alternative, l'ajout temporaire de la ligne suivant à /etc/apt/sources.list palliera au problème également :


  deb http://ftp.debian.de/debian stable-proposed-updates main

Afin d'être complet, voici le bulletin d'alerte initial :

Frank Sheiness a découvert qu'une routine de conversion MIME de sendmail, un agent de transport de courriels puissant, efficace et modulable, pourrait être trompée par un courriel réalisé spécialement pour engendrer une récursion sans fin.

Pour la distribution stable (Sarge), ce problème a été corrigé dans la version 8.13.4-3sarge2.

Pour la distribution instable (Sid), ce problème a été corrigé dans la version 8.13.7-1.

Nous vous recommandons de mettre à jour votre paquet sendmail.

Corrigé dans:

Debian GNU/Linux 3.1 (sarge)

Source :: http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge2.dsc; http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge2.diff.gz; http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4.orig.tar.gz; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.19.dfsg1-0sarge2.dsc; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.19.dfsg1-0sarge2.diff.gz; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.19.dfsg1.orig.tar.gz
Composant indépendant de l'architecture :: http://security.debian.org/pool/updates/main/s/sendmail/sendmail-base_8.13.4-3sarge2_all.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-cf_8.13.4-3sarge2_all.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.13.4-3sarge2_all.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.13.4-3sarge2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_alpha.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_alpha.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_alpha.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_alpha.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_alpha.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_amd64.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_amd64.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_amd64.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_amd64.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_arm.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_arm.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_arm.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_arm.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_arm.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_i386.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_i386.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_i386.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_i386.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_i386.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_ia64.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_ia64.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_ia64.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_ia64.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_ia64.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_hppa.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_hppa.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_hppa.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_hppa.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_hppa.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_m68k.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_m68k.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_m68k.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_m68k.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_m68k.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_mips.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_mips.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_mips.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_mips.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_mips.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_mipsel.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_mipsel.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_powerpc.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_powerpc.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_s390.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_s390.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_s390.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_s390.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_s390.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.13.4-3sarge2_sparc.deb; http://security.debian.org/pool/updates/main/s/sendmail/libmilter0_8.13.4-3sarge2_sparc.deb; http://security.debian.org/pool/updates/main/s/sendmail/rmail_8.13.4-3sarge2_sparc.deb; http://security.debian.org/pool/updates/main/s/sendmail/sendmail-bin_8.13.4-3sarge2_sparc.deb; http://security.debian.org/pool/updates/main/s/sendmail/sensible-mda_8.13.4-3sarge2_sparc.deb; http://ftp.debian.org/debian/pool/main/c/cyrus-sasl2/libsasl2_2.1.19.dfsg1-0sarge2_sparc.deb

Les sommes MD5 des fichiers indiqués sont disponibles sur la page originale de l'alerte de sécurité.

Les sommes MD5 des fichiers indiqués sont disponibles dans la nouvelle annonce de sécurité.