CA-95:08.README
Issue date: August 17, 1995
Date of last revision: November 7, 1995

This file is a supplement to CERT advisory CA-95:08, "Sendmail v.5
Vulnerability," distributed on August 17, 1995.  We will update this file as
additional information becomes available.

Note: After we publish checksums in advisories and READMEs, files are
sometimes updated at individual locations because of system upgrades or patch
installation. For current MD5 checksum values, we recommend that you check
with your vendor.

/////////////////
Added November 7, 1995

We have received questions about running smrsh. You should run smrsh with any
UNIX system that is running sendmail, regardless of vendor or version. Even
with Eric Allman's sendmail version 8.6.12, it is necessary for
security-conscious sites to use the smrsh program, as this carries out
preprocessing of mail headers and adds an extra layer of defense by
controlling what programs can be spawned by the incoming mail message. Note
that smrsh has now been included as part of the sendmail distribution
(effective with 8.7).

We also urge you to ensure that all patches are installed for the distribution
of sendmail you are using. Regardless of the vendor or version of your UNIX
systems and sendmail, the general advice to "run the smrsh tool in conjunction
with the most recently patched version of sendmail for your system" holds
true.

Please also review recent CERT advisories concerning sendmail vulnerabilities.

////////////////////

////////////////////
Added: September 20, 1995

In the advisory, we referred to Linux, NetBSD, and FreeBSD as
being in the public domain; they are not. However, they are freely
available and distributable.


As of September 20, information has been added for Data General Corporation.

////////////////////                   
Added: August 21, 1995

Sendmail can also be obtained by anonymous FTP from  

        ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/


As of August 21, 1995, changes have been made to the vendor information below
for Silicon Graphics Inc. and Sun Microsystems, Inc. 

////////////////////                   

The text below originally appeared in the advisory.
Summary from Section I:

     Source or Vendor           Status
     ----------------          --------------------------------------
     Eric Allman                sendmail 8.6.10 or later not vul. 
     Apple Computer, Inc.       upgrades to A/UX 3.1 and 3.1.1 not vul.
     Berkeley SW. Design        BSD/OS 2.0 vulnerable - patch available
                                BSD/OS 2.0.1 not vulnerable
     Cray Research, Inc.        not vulnerable
*    Data General Corp.		DG/UX 5.4R3.00, 5.4R3.10 vulnerable - patches
				  in progress
				upcoming release (R4.10, R4.11) not vulnerable
     Digital Equipment Corp.    not vulnerable if current with patches 
     Harris Computer Systems    not vulnerable        
     Hewlett-Packard Company    not vul. - see HP bulletin #25
     IBM Corporation            AIX 3.2 not vulnerable with patch 
                                AIX 4.1 not vulnerable
     NEC Corporation            vulnerable - patches available
     NeXT Computer, Inc.        vulnerable - patch is planned 
     Open Software Foundation   not vulnerable
     The Santa Cruz Operation   vulnerable - patches available
     Silicon Graphics Inc.      not vulnerable if current with patches 
     Solbourne (Grumman)        vulnerable - patch is planned
     Sun Microsystems, Inc.     Solaris 2.x not vulnerable
                                Sun OS 4.1.3, 4.1.3_u1, & 4.1.4 vul. - patch
                                                              available soon

Appendix:

Below is information we have received from vendors about the vulnerability in
sendmail version 5. If you do not see your vendor's name below, contact the
vendor directly for information.

-------------
Eric Allman              


Sendmail 8.6.10 and later are not vulnerable. The current version is 8.6.12.
Because the current version addresses vulnerabilities that appear in earlier
versions, it is a good idea to use 8.6.12.

Sendmail is available by anonymous FTP from

   ftp://ftp.cs.berkeley.edu/ucb/sendmail
   ftp://info.cert.org/pub/tools/sendmail/sendmail.8.6.12

////////////////////

Added September 20, 1995

The correct URL for the Australian FTP site is
   ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail
////////////////////

The checksums are

    MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
    MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6
    MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f
    MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8
    MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841

-------------
Apple Computer, Inc.

[The following information also appeared in CERT advisory
CA-95:05, "Sendmail Vulnerabilities."]

An upgrade to A/UX version 3.1 (and 3.1.1) for these vulnerabilities is
available.  The upgrade replaces the sendmail binary with the 8.6.10
version.  It is available via anonymous FTP from ftp.support.apple.:

        pub/apple_sw_updates/US/Unix/A_UX/supported/3.x/sendmail/

It is also available via anonymous FTP from abs.apple.com:

        pub/abs/aws95/patches/sendmail/

In both cases the compressed binary has the following signature:

        MD5 (sendmail.Z) = 31bb15604517630f46d7444a6cfab3f1

Uncompress(1) this file and replace the existing version in /usr/lib;
be sure to preserve the hard links to /usr/ucb/newaliases and
/usr/ucb/mailq, kill the running sendmail and restart.

Earlier versions of A/UX are not supported by this patch.  Users of
previous versions are encouraged to update their system or compile 
the latest version of sendmail available from ftp.cs.berkeley.edu.

Customers should contact their reseller for any additional information.

-------------
Berkeley Software Design, Inc. (BSDI)

BSD/OS V2.0.1 is not vulnerable.

BSD/OS V2.0 users should install patch U200-011, available from
ftp.bsdi.com in bsdi/patches/U200-011.

BSDI Support contact information:
    Phone: +1 719 536 9346
    EMail: support@bsdi.com

-------------
Cray Research, Inc.
not vulnerable

-------------
////////////////////
Added September 20, 1995

Data General Corporation

DG/UX 5.4R3.00 and 5.4R3.10 (and associated Trusted version) are 
vulnerable.  Patches in progress now.

The upcoming release (R4.10 and R4.11) will not have this vulnerability
since these releases ship sendmail version 8.
////////////////////

-------------
Digital Equipment Corp.  

A patch for SENDMAIL (ULTSENDMAIL_EO1044 & OSFSENDMAIL_E01032) has been
available for some time, so if you have kept current with patches you are not
vulnerable to this particular reported problem.

If you have not applied the kits above, Digital Equipment Corporation strongly
urges customers to upgrade to the latest versions of ULTRIX V4.4 or DIGITAL
DEC OSF/1 V3.2, then apply the appropriate sendmail solution kit.

The above kits can be obtained through your normal Digital support channels or
by access (kit) request via DSNlink, DSIN, or DIA.

-------------
Grumman Systems Support Corporation (GSSC)

GSSC now performs all Solbourne software and hardware support.

We recommend running sendmail 8.6.10 (or later revision.)
8.6.12 has proven reliable in production use on Solbourne systems.

We plan to release the Solbourne version of the Sun patch
when it becomes available.

Contact info:

        ftp: ftp.nts.gssc.com
        phone: 1-800-447-2861
        email: support@nts.gssc.com

-------------
Harris Computer Systems  
not vulnerable

-------------
Hewlett-Packard Company

Hewlett-Packard issued security bulletin #25 on April 2, 1995 announcing
patches and describing a fix. The patches are

                 PHNE_5402 (series 700/800, HP-UX 9.x), or
                 PHNE_5401 (series 700/800, HP-UX 8.x), or
                 PHNE_5384 (series 300/400, HP-UX 9.x), or
                 PHNE_5383 (series 300/400, HP-UX 8.x), or
                 PHNE_5387 (series 700, HP-UX 9.09), or
                 PHNE_5388 (series 700, HP-UX 9.09+), or
                 PHNE_5389 (series 800, HP-UX 9.08)

The bulletin is available from the HP SupportLine and from http://www.hp.com
in the HPSL category and from http://support.mayfield.hp.com.

Patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP
SupportLine.  To obtain HP security patches, you must first register with the
HP SupportLine.  The registration instructions are available via anonymous FTP
at info.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".

HP SupportLine: 1-415-691-3888
phone: 1-415-691-3680
telnet/ftp: support.mayfield.hp.com 
WWW: http://www.hp.com
     http://support.mayfield.hp.com.

-------------
IBM Corporation

A patch (ptf U425863) has been available for AIX 3.2 for some time. 
To determine if you have this ptf on your system, run the following command:
     % lslpp -lB U425863

If you have not already applied the patch, you can order it from IBM as APAR
ix40304 To order APARs from IBM in the U.S., call 1-800-237-5511. To obtain
APARs outside of the U.S., contact your local IBM representative.

-------------
NEC Corporation

       OS                 Version           Status
------------------     ------------     ------------------------------
EWS-UX/V(Rel4.0)       R1.x - R6.x      vulnerable

EWS-UX/V(Rel4.2)       R7.x - R10.x     vulnerable
                                        patch available

EWS-UX/V(Rel4.2MP)     R10.x            vulnerable
                                        patch available

UP-UX/V                R1.x - R4.x      vulnerable

UP-UX/V(Rel4.2MP)      R5.x - R7.2      vulnerable
                                        patch available except for R5.x

UX/4800                R11.x            not vulnerable


Contacts for further information:
e-mail:UXcert-CT@d2.bsd.nes.nec.co.jp

-------------
NeXT Computer, Inc.      

The sendmail executables included with all versions of NEXTSTEP up
to and including release 3.3 are vulnerable to this problem.  The
SendmailPatch previously released for NEXTSTEP 3.1 and 3.2 is also
vulnerable.

An updated patch is planned which will address this vulnerability.
The availability of this patch will be indicated in the NeXTanswers
section of http://www.next.com/.  For further information you may
contact NeXT's Technical Support Hotline at (+1-800-955-NeXT) or
via email to ask_next@NeXT.com.

-------------
Open Software Foundation 
not vulnerable

-------------
The Santa Cruz Operation

Support Level Supplement (SLS) net382e, contains a patched version of
sendmail for the following releases:

        SCO TCP/IP Runtime System Release 1.2.1
        SCO Open Desktop Lite Release 3.0
        SCO Open Desktop Release 3.0
        SCO Open Server Network System Release 3.0
        SCO Open Server Enterprise System Release 3.0

SCO OpenServer 5 contains Sendmail version 8.6.8, and contains fixes
to all problems reported in this and previous sendmail advisories. 
Users of previous releases should consider updating.

NOTE: The MMDF (M)ulti-Channel (M)emorandum (D)istribution
(F)acility is the default mail system on SCO systems.  The MMDF mail
system is not affected by any of the problems mentioned in these
advisories.  Administrators who wish to use sendmail must specifically
configure the system to do so during or after installation.

To acquire SLS net382e:

Anonymous ftp on the Internet:
==============================

ftp://ftp.sco.COM/SLS/net382e.Z         (disk image)
ftp://ftp.sco.COM/SLS/net382e.ltr.Z     (documentation)

Anonymous uucp:
===============

United States:
--------------
sosco!/usr/spool/uucppublic/SLS/net382e.Z (disk image)
sosco!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)

United Kingdom:
---------------
scolon!/usr/spool/uucppublic/SLS/net382e.Z (disk image)
scolon!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)


The telephone numbers and login names for the machines sosco and scolon
are provided with the default /usr/lib/uucp/Systems file shipped with
every SCO system. 

The checksums for the files listed above are as follows:

file                 sum -r                     md5
===========================     ================================
net382e.Z:      29715  1813     41efeaaa855e4716ed70c12018014092
net382e.ltr.Z   52213    14     287ba6131519cba351bc58cb32880fda


The Support Level Supplement is also available on floppy media from SCO
Support at the following telephone numbers:

        USA/Canada: 6am-5pm Pacific Daylight Time (PDT)
        -----------
        1-408-425-4726  (voice)
        1-408-427-5443  (fax)

        Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific
        ------------------------------------------------ Daylight Time
                                                         (PDT)
        1-408-425-4726  (voice)
        1-408-427-5443  (fax)

        Europe, Middle East, Africa: 9am-5:00pm Greenwich Mean Time (GMT)
        ----------------------------
        +44 1923 816344 (voice)
        +44 1923 817781 (fax)

For further information, contact SCO at one of the above numbers,
send electronic mail to support@sco.COM, or see the SCO Web Page at:
http://www.sco.COM.

-------------
Silicon Graphics Inc.

On February 22, 1995, Silicon Graphics issued security advisory 19950201
addressing sendmail issues being raised at the time and previous older
version sendmail issues.   Patches are still available and as part of these
patches, sendmail version 8.6.12 is provided as standard.  At the time
of this writing here is the patch information.

**** IRIX 3.x ****

Unfortunately, Silicon Graphics Inc, no longer supports the IRIX 3.x
operating system and therefore has no patches or binaries to provide.

However, two possible actions still remain: 1) upgrade the system to a 
supported version of IRIX (see below) and then install the binary/patch
or 2) obtain the sendmail source code from anonymous FTP at 
ftp.cs.berkeley.edu and compile the program manually. 

**** IRIX 4.x ****

For the IRIX operating system version 4.x, a manually installable
binary replacement has been generated and made available via anonymous
ftp and/or your service/support provider.  The binary is sendmail.new.Z 
and is installable on all 4.x platforms.

//////////////////
Added August 21, 1995

The following original advisory text is incorrect:

The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   The
binary maybe be found in the following directories on the ftp server:

        ~ftp/Security

                or

        ~ftp/Patches/4.x

                        ##### Checksums ####

Filename:                 sendmail.new.Z
Algorithm #1 (sum -r):    27178 422 sendmail.new.Z
Algorithm #2 (sum):       46012 422 sendmail.new.Z
MD5 checksum:             146DD1019673D7C2C89A78D7ACF85CF6

CORRECTION  to file locations and checksums listed in the paragraph above:

Binaries can be found at ftp://ftp.sgi.com/ftp/Patches/4.x
but not at the alternative location, ~ftp/Security.

  ##### Checksums as of August 17, 1995, 5 p.m. EDT ####

Filename:                 sendmail.new.Z
Algorithm #1 (sum -r):    30749 422 sendmail.new.Z
Algorithm #2 (sum):       62511 422 sendmail.new.Z

MD5 checksum:             AB327D85D40085D74E9C230EB1A002C3


Note: SGI plans to upgrade the IRIX 4.x patch soon. If there is a difference
between the checksums of the file you obtain and those reported here, you
should rely on SGI's <sendmail-filename>.pgp.and.chksums file.

/////////////////

After obtaining the binary, it may be installed with the instructions
below:

        1) Become the root user on the system.

                % /bin/su -
                Password:
                #

        2) Stop the current mail processes.

                # /etc/init.d/mail stop

        3) Rename the current sendmail binary to a temporary 
           name.

                # mv /usr/lib/sendmail /usr/lib/sendmail.stock
                
        4) Change permissions on the old sendmail binary so it can not
           be used anymore.

                # chmod 0400 /usr/lib/sendmail.stock

        5) Uncompress the binary.

                # uncompress /tmp/sendmail.new.Z

        6) Put the new sendmail binary into place (in the example
           here the binary was retrieved via anonymous ftp and put
           in /tmp)

                # mv /tmp/sendmail.new /usr/lib/sendmail

        7) Insure the correct permissions and ownership on the new
           sendmail.

                # chown root.sys /usr/lib/sendmail
                # chmod 4755 /usr/lib/sendmail

        8) Restart the mail system with the new sendmail binary in place.

                # /etc/init.d/mail start

        9) Return to normal user level.

                # exit

**** IRIX 5.0.x, 5.1.x ****

For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade
to 5.2 or better is required first.  When the upgrade is completed,
then the patch described in the next section "**** IRIX 5.2, 5.3, 6.0, 
6.0.1 ***"  can be applied.

**** IRIX 5.2, 5.3, 6.0, 6.0.1 ****

For the IRIX operating system versions 5.2, 5.3, 6.0 and 6.0.1, an
inst-able patch has been generated and made available via anonymous 
ftp and/or your service/support provider.  The patch is number 332 
and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1 .   

The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   Patch
332 can be found in the following directories on the ftp server:

        ~ftp/Security
                or 
        ~ftp/Patches/5.2
        ~ftp/Patches/5.3
        ~ftp/Patches/6.0
        ~ftp/Patches/6.0.1

For obtaining security information, patches or assistance, please
contact your SGI support provider.

If there are questions about this patch information, email can be 
sent to cse-security-alert@csd.sgi.com .

For reporting new SGI security issues, email can be sent to
security-alert@sgi.com .

-------------
Solbourne
see Grumman Systems Support Corporation

-------------
Sun Microsystems, Inc. 

Solaris 2.x is not vulnerable.

Sun OS 4.1.3, 4.1.37u1, and 4.1.4 are vulnerable, and a patch will be
available soon.

//////////////////
Added August 21, 1995

Correction: SunOS 4.1.37u1 should be SunOS 4.1.3_u1.
/////////////////


This patch can be obtained from local Sun Answer Centers and through anonymous
FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, the
patch is available from mcsun.eu.net (192.16.202.1) in the /sun/fixes
directory.



