Download Sendmail 8.12.9


Sendmail.org, distributor of the freeware version of Sendmail, announced version 8.12.9 of its software yesterday. The release falls, somewhat awkwardly, on a Saturday, as information about the vulnerability patched in this version unexpectedly appeared on a newsgroup.

The vulnerability, discovered by Michal Zalewski, is a buffer overflow that can occur when parsing an address. The flaw has been labeled as critical; all sendmail users are advised to update immediately. The complete changelog looks like this:

  • SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski. Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS.
  • To provide partial protection to internal, unpatched sendmail MTAs, 8.12.9 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101.
  • To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.12.9 defaults, set MaxMimeHeaderLength to 0/0.
  • Do not complain about -ba when submitting mail. Problem noted by Derek Wueppelmann.
  • Fix compilation with Berkeley DB 1.85 on systems that do not have flock(2). Problem noted by Andy Harper of Kings College London.
  • Properly initialize data structure for dns maps to avoid various errors, eg, looping processes. Problem noted by Maurice Makaay.
  • CONFIG: Prevent multiple application of rule to add smart host. Patch from Andrzej Filip.
  • CONFIG: Fix queue group declaration in MAILER(`usenet').
  • CONTRIB: buildvirtuser: New option -t builds the virtusertable text file instead of the database map.
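
The first two changelog items concern a char to int conversion and the 0xff to 0x7f rewrite. The following C program is an added illustration of that bug class and of the rewrite; it is not sendmail source code. The `NO_CHAR` sentinel, the function names and the sample header are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define NO_CHAR (-1) /* hypothetical "no character" marker, like EOF in stdio */

/* Widening a signed char: the byte 0xff sign-extends to the int -1. */
static int widen_signed(signed char c) { return c; }

/* Widening through unsigned char: the byte 0xff becomes the int 255. */
static int widen_unsigned(signed char c) { return (unsigned char)c; }

/* Count input bytes that a parser comparing against NO_CHAR would
 * mistake for the sentinel under the given widening rule. */
static size_t count_sentinel_collisions(const char *buf, size_t len,
                                        int (*widen)(signed char))
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (widen((signed char)buf[i]) == NO_CHAR)
            hits++;
    return hits;
}

/* The partial protection described in the changelog: rewrite every
 * 0xff byte to 0x7f in place. Returns the number of bytes changed. */
static size_t strip_255(char *buf, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)buf[i] == 0xff) {
            buf[i] = 0x7f;
            changed++;
        }
    return changed;
}

int main(void)
{
    /* Constructed sample header containing two 0xff bytes. */
    char hdr[] = "To: user\xff\xff" "@example.test";
    size_t n = sizeof hdr - 1;

    printf("signed widening collisions:   %zu\n",
           count_sentinel_collisions(hdr, n, widen_signed));
    printf("unsigned widening collisions: %zu\n",
           count_sentinel_collisions(hdr, n, widen_unsigned));
    printf("bytes rewritten to 0x7f:      %zu\n", strip_255(hdr, n));
    return 0;
}
```

The rewrite only keeps 0xff bytes from reaching MTAs behind the patched host, which is why the changelog calls it partial protection.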

Download the new version of the program here, or get a patch here.

Version number: 8.12.9
Website: sendmail.org
Download: ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz
License type: Freeware