ECO NUMBER:       OSFSENDMAIL_E01032
PRODUCT:          DEC OSF/1 Operating System
UPDATED PRODUCT:  DEC OSF/1 Operating System V2.0 thru V3.2
APPRX BLCK SIZE:  860160 bytes

----------------------------------------------------------------------
Digital Equipment Corporation

TITLE:   Potential Security Vulnerability, Sendmail V5.65
         DEC OSF/1 V2.0, V3.0, V3.0b, V3.2

IMPACT:  URGENT

A potential security vulnerability has been discovered where, under
certain circumstances, authorized users may gain unauthorized
privileges. The potential vulnerability has recently been published in
various advisories distributed across the Internet, to various media
and mail distributions.

ACTION:  Upgrade to at least DEC OSF/1 V2.0 and install this kit.

Versions of DEC OSF/1 to which this kit may be applied:

        DEC OSF/1 V2.0, V2.0B, V2.1, V2.1B, V3.0, V3.0b, V3.2

Files patched or replaced:

        /usr/sbin/sendmail

Problems addressed in this kit:

o  A potential security vulnerability has been discovered where, under
   certain circumstances, authorized users may gain unauthorized
   privileges. This patch fixes CERT # 0295.

o  sendmail would get a segmentation violation if it received an address
   that was not in compliance with RFC 822. It has been fixed to reject
   the bad address.

o  sendmail is currently shipped with fuzzy-name matching enabled and
   with no convenient way to disable it. This patch provides for
   enabling/disabling fuzzy-name matching. When sendmail determines that
   it cannot find the user in passwd and fuzzy-name matching is enabled,
   sendmail will search other fields in passwd for a match. It will also
   match on the first part of the last name. For example, mail to ada
   could go to adams, so mail can be delivered to an account the sender
   never addressed. sendmail will now be shipped with fuzzy-name
   matching disabled. To enable this feature, edit
   /var/adm/sendmail/sendmail.cf and add:

        OG

Installation instructions:

This kit provides 4 images, each for a different version (or versions)
of DEC OSF/1.
When the tar file is unpacked the following files will be available:

        sendmail.v20    (may be applied to V2.0, V2.0B, V2.1, V2.1B)
        sendmail.v30
        sendmail.v30b
        sendmail.v32

o  Become super-user.

o  Choose the image appropriate for your system and verify its checksum.
   The two numbers in the Checksum column are the checksum and block
   count as printed by sum(1) for the image; both must match before the
   image is installed.

        Image            Checksum
        ----------------------------------
        sendmail.v20     57303  200
        sendmail.v30     36607  208
        sendmail.v30b    64212  208
        sendmail.v32     39833  208

o  Copy the appropriate file for your system to /usr/sbin/sendmail and
   set its ownership and mode as follows:

        -rwsr-xr-x  4 root  bin  /usr/sbin/sendmail

o  Restart the sendmail daemon:

        /sbin/init.d/sendmail restart

As always, Digital urges you to periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers
to maintain and improve the security and integrity of their systems.

Copyright Digital Equipment Corporation 1995. All Rights Reserved.

This software is proprietary to and embodies the confidential technology
of Digital Equipment Corporation. Possession, use, or copying of this
software and media is authorized only pursuant to a valid written
license from Digital or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Digital makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up of
data used in conjunction with this ECO/workaround.
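The fuzzy-name item under "Problems addressed in this kit" describes a lookup that can hand mail to an account the sender never named. The script below is an added example, not sendmail's code and not part of this ECO: it models the matching order the item describes (exact login name first, then a word in another passwd field, then a prefix of the last name; that ordering is an assumption from the ECO's wording) over constructed passwd lines, puts the strict lookup beside it, and adds a check for the OG line in a sendmail.cf. The sample accounts, the use of the GECOS field as the "other field", and the function names are all illustrative.

```shell
#!/bin/sh
# Added example (not sendmail's code, not part of the ECO kit): a simplified
# model of the fuzzy-name lookup the ECO describes, to show why mail addressed
# to "ada" can be delivered to the account "adams" when the feature is on.
# Modelled order (an assumption from the ECO's wording):
#   1. exact login-name match;
#   2. a whole word of another passwd field (here the GECOS full-name field);
#   3. a prefix of the last word of the GECOS field (the "last name").

# Constructed sample passwd lines; not taken from any real system.
SAMPLE_PASSWD='root:*:0:1:System Administrator:/:/bin/sh
adams:*:1001:20:Jane Adams,Bldg 3,x1234:/usr/users/adams:/bin/csh
bwright:*:1002:20:Bob Wright:/usr/users/bwright:/bin/sh'

passwd_lines() { printf '%s\n' "$SAMPLE_PASSWD"; }

# Strict lookup (fuzzy-name disabled, the default after this kit): only an
# exact login-name match resolves; anything else is an unknown user.
resolve_strict() {
    r=$(passwd_lines | awk -F: -v n="$1" '$1 == n { print $1; exit }')
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    return 1
}

# Fuzzy lookup. Each pass runs over the whole file before the next starts,
# so an exact login always wins over a GECOS word, and a GECOS word over a
# last-name prefix. The GECOS field is cut at its first comma so office and
# phone sub-fields are not treated as names.
resolve_fuzzy() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    r=$(passwd_lines | awk -F: -v n="$name" '$1 == n { print $1; exit }')
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    r=$(passwd_lines | awk -F: -v n="$name" '{
            g = tolower($5); sub(/,.*/, "", g); c = split(g, w, " ")
            for (i = 1; i <= c; i++) if (w[i] == n) { print $1; exit }
        }')
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    r=$(passwd_lines | awk -F: -v n="$name" '{
            g = tolower($5); sub(/,.*/, "", g); c = split(g, w, " ")
            if (c > 0 && index(w[c], n) == 1) { print $1; exit }
        }')
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    return 1
}

# Report whether a sendmail.cf (read on stdin) turns fuzzy-name matching on.
# Per the ECO the feature is off unless an "OG" option line is present;
# matching on the line prefix is an assumption about the option's form.
fuzzy_enabled_in_cf() {
    grep -q '^OG'
}

# Demonstration: the same addresses with the feature off and on.
for who in ada bob jane wri zz; do
    s=$(resolve_strict "$who") || s='(unknown user, mail is rejected)'
    f=$(resolve_fuzzy "$who")  || f='(unknown user, mail is rejected)'
    printf '%-5s strict: %-34s fuzzy: %s\n' "$who" "$s" "$f"
done
```

Run it with `sh fuzzy-demo.sh`; the "ada" line shows the ECO's own example (strict: rejected; fuzzy: delivered to adams), and "bob" shows the other-field match (delivered to bwright, whose login shares nothing with the address). To check a real system, pipe its sendmail.cf into `fuzzy_enabled_in_cf` after installing the kit; a match means someone has re-enabled the feature.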
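The installation steps above, as an added shell helper that is not part of the kit and is not Digital's code: it picks the image from the OS version list in the ECO, compares sum(1) output with the ECO's checksum table and refuses to install on a mismatch, installs with the ownership and mode the ECO requires, confirms the result, and restarts the daemon. It assumes sum(1) prints the checksum and block count as its first two fields (the format of the ECO's table), that the kit has been unpacked in the current directory, and that the init script accepts "stop" and "start" as well as the "restart" the ECO shows (the first two are assumptions).

```shell
#!/bin/sh
# Added example, not part of the ECO kit: carries out the ECO's installation
# steps with checks between them. Assumptions: sum(1) prints "checksum blocks"
# as its first two fields; the kit is unpacked in the current directory.

# Image for a DEC OSF/1 version string, from the ECO's version list.
image_for_version() {
    case "$1" in
        V2.0|V2.0B|V2.1|V2.1B) echo sendmail.v20 ;;
        V3.0)                  echo sendmail.v30 ;;
        V3.0b)                 echo sendmail.v30b ;;
        V3.2)                  echo sendmail.v32 ;;
        *) return 1 ;;
    esac
}

# Expected "checksum blocks" pair for an image, from the ECO's table.
expected_sum() {
    case "$1" in
        sendmail.v20)  echo "57303 200" ;;
        sendmail.v30)  echo "36607 208" ;;
        sendmail.v30b) echo "64212 208" ;;
        sendmail.v32)  echo "39833 208" ;;
        *) return 1 ;;
    esac
}

# Compare one sum(1) output line against the table. Kept separate from the
# file access so the comparison can be exercised without the kit present.
sum_matches() {
    want=$(expected_sum "$1") || return 1
    got=$(printf '%s\n' "$2" | awk '{ print $1, $2 }')
    [ "$got" = "$want" ]
}

# Verify an unpacked image on disk; both checksum and block count must match.
verify_image() {
    [ -f "$1" ] || return 1
    sum_matches "$1" "$(sum "$1")"
}

# Check one "ls -l" line for the ownership and mode the ECO requires:
# setuid root, group bin, mode 4755. ls -l is parsed rather than stat(1)
# because OSF/1 ships no stat command. Some later systems append "." or "+"
# to the mode string; the ECO's listing has neither.
ls_line_ok() {
    set -- $1
    [ "$1" = "-rwsr-xr-x" ] && [ "$3" = root ] && [ "$4" = bin ]
}

installed_ok() {
    ls_line_ok "$(ls -l /usr/sbin/sendmail)"
}

# Carry out the ECO steps for one OS version. Must run as root. The image is
# copied over the existing file, as the ECO says, rather than renamed into
# place: the link count of 4 in the ECO's listing means other names share the
# inode, and an in-place copy updates all of them while a rename would leave
# them pointing at the old binary.
install_for_version() {
    img=$(image_for_version "$1") || { echo "unsupported version: $1" >&2; return 1; }
    verify_image "$img" || { echo "checksum mismatch for $img; not installing" >&2; return 1; }
    cp "$img" /usr/sbin/sendmail &&
    chown root /usr/sbin/sendmail && chgrp bin /usr/sbin/sendmail &&
    chmod 4755 /usr/sbin/sendmail &&
    installed_ok &&
    /sbin/init.d/sendmail restart
}

# Usage: sh eco-install.sh <DEC OSF/1 version>, for example: sh eco-install.sh V3.2
if [ -n "${1-}" ]; then
    install_for_version "$1"
fi
```

If the copy fails because the running daemon holds the binary open ("text file busy"), stop the daemon first (assuming the init script accepts `stop` and `start`: `/sbin/init.d/sendmail stop`, copy, set ownership and mode, then `/sbin/init.d/sendmail start`). Run `installed_ok` again afterwards; a mode other than `-rwsr-xr-x` means the setuid bit was lost in the copy and sendmail will not be able to do its job, while an owner other than root means the setuid bit grants the wrong identity.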