y Sendmail bug wrt DNS maps

Contributed by jose on 2003-08-25 from the mail-land-security dept.

From security-announce : "There is a potential problem in the sendmail 8.12 series with respect to DNS maps in sendmail 8.12.8 and earlier sendmail 8.12.x versions. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003 but not labeled as a security fix as it wasn't believed to be a security bug at the time. Note that only FEATURE(`enhdnsbl') uses a DNS map. We do not have an assessment whether this problem is exploitable but we want to inform you just in case you distribute sendmail 8.12.x versions before 8.12.9.
OpenBSD 3.2 shipped with sendmail 8.12.8 and thus has the bug. OpenBSD 3.3 shipped with sendmail 8.12.9 and does not have the bug.
The problem has been fixed in the OpenBSD 3.2-stable branch. In addition, a patch is available for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/016_sendmail.patch

Please note that this only affects sendmail configurations that use the "enhdnsbl" feature. The default OpenBSD sendmail config does not use this. Unless you have created a custom config that uses enhdnsbl, you do not need to apply the patch or update sendmail."

Sendmail has their own announcement on this issue. If you're still on 3.2, you should consider upgrading to 3.3, anyhow, to enjoy the benefits of several other security and reliability enhancements.

(Comments are closed)

Comments

By Arrigo Triulzi () on 2003-08-25 16:55 http://www.alchemistowl.org/arrigo

From the "does it work with the older OpenBSD versions?" department:

The patch applies cleanly and without problems following the instructions contained in the patch.

Hope this helps other fellows...
By anonymous () on 2003-08-26 02:46

... why the so called very secure OpenBSD uses Sendmail as a default MTA. Big fault!
Comments
1. By Wim () on 2003-08-26 03:14
  
  Wel, there are various reasons.
  
  First of all, what replacement with equal flexibility and features would you propose? Sure you can bring up Exim, Qmail or Postfix. And there the fun starts... it's a religious thing.
  
  But... which one of these has a valid license that is compatible with http://www.openbsd.org/policy.html ?
  
  Surely not Qmail. Nor Postfix.
  
  So, what is left over?
  
  OpenBSD is a free and functional OS. Ripping out Sendmail would surely cripple it, unless you can come up with a valid replacement.
  
  Wim.
  Comments
  1. By anonymous () on 2003-08-26 04:04
    
    Ok, thanks, don't know this thing with the policy.
    
    As a "newbie", this was my first impression/question.
  2. By Anonymous Coward () on 2003-08-26 08:47
    
    Does someone asked Wietse Wenema (Postfix "owner") if something could be forked in openbsd with a more compatible licence ?
    
    Just as we did for p0f, and Wietse Wenema is known to have accepted that sort of deal for tcp_wrappers ...
    
    Postfix was designed with security in mind (no security hole since it became public) but maybe Exim would be a better candidate if Wietse Wenema doesn't want us to fork postfix under bsd policy ?
    
    Comments
    
    By grey () on 2003-08-27 01:34
    
    This seems unlikely, since he worked on it while at IBM, and in case you hadn't noticed - it's an IBM oriented license on it. Most likely the license applied was dictated by his terms of employment. Just like Unix & Plan9 licensing have been dictated by Bell Labs, and not the creators.
    
    Not to say that asking isn't OK, but you might want to have a good expectation of the answer beforehand.
    
    I'd almost say you'd have better luck getting djb to apply a BSD license to his projects.
    
    By Michael Anuzis () on 2003-08-26 15:34
    
    http://packetstormsecurity.nl/filedesc/postfixdos.c.html Aug 5, 2003
    
    Comments
    
    By Anonymous Coward () on 2003-08-26 18:57
    
    Denial Of Service.
  3. By Anonymous Coward () on 2003-08-27 05:03
    
    Well, Exim is free.
    Courier-mta is free.
    So I don't beleive this argument.
    
    Sendmail stays there because TdR and somes are - stupidly - stucks to bad old tools and pseudo unix tradition.
    
    Comments
    
    By Anonymous Coward () on 2003-08-27 19:14
    
    It's not because they're free, that they're better than Sendmail.
  4. By Anonymous Coward () on 2003-09-01 20:16
    
    I would like to use sendmail ver.9.
2. By pravus () on 2003-08-27 13:10
  
  in a word... "standard".
  
  sendmail is *the* standard MTA for UNIX-ish systems. it seems as though it might be better if more people spent more of their time helping to fix the standard rather than call for it's replacement.
  
  let's face it, sendmail works. it's not perfect, but show me a piece of code that is of any significant size that is perfect. put your money where your mouth is and develop "the secure system".
  
  otherwise, you just sound like a parrot on the great anti-sendmail bandwagon. get a life... learn how to use ports if you don't like sendmail. i tire of your drivel.
  Comments
  1. By Anonymous Coward () on 2003-08-29 14:03
    
    It was the "standard" before there were functionally superior and more secure alternatives. Your choice... continue patching that aged crap or use something modern. At least take a look at Postfix and qmail.
By www () on 2003-08-26 02:54

Since Sendmail is not turned on by default on OpenBSD, so we proudly annouce that OpenBSD remains a "7 Years w/o a remote hole" OS.
Comments
1. By anonymous () on 2003-08-26 04:06
  
  If I disable all daemons on 2k/XP, it's secure by default too.
  Comments
  1. By Anonymous Coward () on 2003-08-26 04:51
    
    So what's the problem?
    You trolls go to another site, use another OS, dont' bother with openbsd if you dislike it so much >:(
  2. By Anonymous Coward () on 2003-08-26 04:53
    
    If you have to *disable* stuff, then by *default* it isn't secure.
    
    Comments
    
    By Anonymous Coward () on 2003-08-26 04:55
    
    If you dislike stuff, then, by default, *go away* from it!
    What are you waiting for?
    
    Comments
    
    By Anonymous Coward () on 2003-08-26 08:24
    
    You missed his point... before flaming, try to exercise your reading capabilities.
    
    Comments
    
    By Anonymous Coward () on 2003-08-30 09:45
    
    HE started to flame first!
    I was only releasing an advice :P
  3. By Anonymous Coward () on 2003-08-26 05:29
    
    but it's not the default in win2k/xp. so it's not secure by default install :P
  4. By Wim () on 2003-08-26 11:23
    
    Yes, if you disable everything, it is not vulnerable to any remote root holes (unless the mythical root-hole-in-TCP-IP is true ;-)
    
    But OpenBSD is more than just an analy paranoid system, it aims to be USEABLE.
    
    That's why it comes with all the default stuff installed that people need to run a production box. Enabling/disabling is more a question of policy, not security.
    
    (enabling rsh with + + in trusted hosts is not a question of policy but of beeing retarded ;-)
  5. By Anonymous Coward () on 2003-08-26 15:44
    
    > If I disable all daemons on 2k/XP, it's secure > by default too.
    All daemons are not disabled by default on OpenBSD.
    
    Do most people need a;
    SMTP server?
    POP server?
    DNS server?
    Web server?
    FTP server?
    and the list can go on indefinately. No, most people do not need all that crap, but we can safely say that *most* people need remote access to the machine. Hence, the ability to remotely access a fresh OpenBSD install via the SSH server.
  6. By Anonymous Coward () on 2003-08-27 04:03
    
    If you switch the machine off then it is pretty secure.
By Anonymous Coward () on 2003-08-26 06:42

As far as I know OpenBSD has always used sendmail, right?

In recent version of OpenBSD sendmail is configured to only accept connections from the local host and to not accept connections on any external interfaces. Has this ALWAYS been the case?
Comments
1. By Z-Blocker () on 2003-08-26 07:18
  
  I don't thionk so if I remember it good.
  
  Z
2. By Anonymous Coward () on 2003-08-26 07:40
  
  Default behaviour since OpenBSD 3.0
  Comments
  1. By Anonymous Coward () on 2003-08-26 08:22
    
    Warning: This is NOT to start a flame, but simple to understand this!
    
    If older versions of OpenBSD than 3.0 have sendmail accepting connection from local host and external interfaces how can the quote on openbsd.org be true?
    
    Sendmail has had quite a few vulnerabilities. Its reputation isn't good.
    
    Does it only count for the latest release and/or stable branch? If so why not say it?
    
    If not then I should be able to install an OpenBSD 2.4 (or even an older release) and the only vulnerability in that OS should be the know OpenSSH bug (the one that made the quote say one remote hole).
    
    An OS from that time or older with an old sendmail accepting connections by default on external interfaces with only an OpenSSH
    vulnerability sounds too good.
    
    How can this be true with sendmails reputation?
    
    Comments
    
    By Wim () on 2003-08-26 11:18
    
    First of all, not too many holes in Sendmail that are in the *default config* of sendmail.
    
    Secondly, the counter on the OpenBSD website is from the point of view that you upgrade your OpenBSD version each release.
    
    There are various holes in older releases, in SSH for example, but if you would have upgraded your OpenBSD machine each time there is a release, you would have not been vulnerable because OpenSSH was upgraded.
    
    Comments
    
    By Anonymous Coward () on 2003-08-26 17:49
    
    "Secondly, the counter on the OpenBSD website is from the point of view that you upgrade your OpenBSD version each release."
    
    If this is in fact so why not modify the quote to say so? Or is this some marketing trick to sell more OpenBSD CD�s?
    
    Comments
    
    By Ulysses () on 2003-08-26 18:12
    
    yes! it is all a huge conspiracy!
    
    By Anonymous Coward () on 2003-08-27 00:56
    
    You work in the Microsoft Information Department, don't you?
    
    By Wim () on 2003-08-27 05:01
    
    Why would one have to modify the quote to say so? It's plain common sense to keep your machines up to date and upgrade when a newer version is available.
    
    Or did you read the quote as saying that you could
    install OpenBSD 2.4 and have it up and running without any patches and be safe?
    
    I would not advise running any production system like that ;-)
    
    Comments
    
    By Anonymous Coward () on 2003-08-27 07:13
    
    In fact yes (if I disable OpenSSH since it had a remote exploit)!
    
    Comments
    
    By tedu () on 2003-08-27 19:04
    
    openbsd 2.4 didn't come with ssh.
    
    By rabbit () rabbit@ulyssis.org on 2003-08-26 11:19 http://ace.ulyssis.org/rabbit
    
    The way I see this, is that, if you would've followed OpenBSD all the time (and kept up with the patches), there was only once an exploitable hole in the default install.
    
    So holes like this one don't qualify, as they've been fixed long before they're known, let alone an exploit for them exists.
    
    But why do people keep on staring on that one little sentence, instead of looking at what OpenBSD has achieved. Even if you don't agree with that sentence, you still can't deny that OpenBSD's security track record is superb.
    
    (now are we going to have this discussion over and over again every time a patch comes out? :( )
    
    Comments
    
    By Anonymous Coward () on 2003-08-26 15:48
    
    > (now are we going to have this discussion over and over again every time a patch comes out? :( )
    
    That's a given with the Linux community. :P
    
    By Anonymous Coward () on 2003-08-26 17:54
    
    Maybe because someone wants full disclosure? I think that this statement is misleading and confusing if in fact it requires that you update and apply patches. The patches aren�t in the default installation and therefore should NOT be necessary to apply them!
    
    To only way I can see that these discussions can end is by either specify exactly what is meant by that quote � requirements, hidden assumptions and stuff like that. Or change it to something more understandable.
    
    By tedu () on 2003-08-26 19:48
    
    if you are incapable of understanding that sendmail has never listened to outside connections in any version of openbsd as installed, maybe you should listen to the people who do.
    
    Comments
    
    By Anonymous Coward () on 2003-08-29 14:15
    
    Or choose an MTA that is easy to configure (and has the added benefit of not having monthly local holes).
By Anonymous Coward () on 2003-08-26 09:11

A fast check on errata shows that there were 8 differents security fix for sendmail since 2.6 !

More than anything else.

Sendmail deserves us ...

Is there absolutely no solution to expect ?
Comments
1. By Nate () on 2003-08-26 16:35
  
  Choose your destiny:
  
  1. Have the Open folk start a new MTA: OpenMTA, focusing on security and the BSD lisence (go to page 50).
  
  2. Create an Open controlled branch of sendmail, one that focuses on secuity (go to page 150).
  
  3. Try to get one of the other MTA's to go BSD (go to page 75).
By Chris () on 2003-09-01 14:41 http://unixfu.net

Seems like someone is stubborn. Why is sendmail still around in openbsd? Seems it would be better suited to use postfix.

KISS and sendmail are kinda ironic. I would like to see theo say otherwise with a straight face.

Are other developers besides Theo also interested in keeping sendmail (i mean the non-sheep-follow-him-around-like-he-is-jesus ones).

again, secure out the box is kinda easy with no services running. netbsd comes out the box with no services running, as do linux boxes i install. maybe netbsd and those of us that install systems that way should make a note of it in big red letters on the site. it seems to marketing-ish.

why not just put "we audit our code and care about correctness... and notice our tree compiles pretty much everyday of the year" in big red letters on the front page.

i think that is more important. hard to trust code that developers cant even test before committing. openbsd should stress this, instead of appealing the joe windows/redhat user with the x years no remote hole crap... and wonder why morons come to misc@ and stuff... hrm, almost like a moth to a flame.
By Anonymous Coward () on 2003-09-03 13:43

Sendmail needs to be redesigned. The configuration is ackward, and sendmail needs to be simplified internally from what I gather. The Unix Hater's Handbook[1] sums up Sendmail well. Basically Sendmail existed before the standards were complete, so the author(s) bent over backwards to support weird methods of using it. The horror stories from people using Sendmail are enough to scare one away from it.
1. Unix Hater's Handbook

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (9)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (2)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]