# sendmail vulnerability

## HaeMaker

sendmail.org has reported a vulnerability in sendmail versions prior to 8.12.8.  Latest emerge is 8.12.7.

Anyone know when we can expect the new package?

(Yes, I know it was just reported and it will take some time to have a package...  Just want to know when I should start looking for it...)

----------

## pjp

Bug 16766

----------

## puke

*Quote:*

> sendmail.org has reported a vulnerability in sendmail versions prior to 8.12.8. Latest emerge is 8.12.7.
>
> Anyone know when we can expect the new package?

Meanwhile, there should be a way to have portage compile the 8.12.7 version after you have applied the source patch.  Is this possible?   :Confused:

----------

## puke

*Quote:*

> Meanwhile, there should be a way to have portage compile the 8.12.7 version after you have applied the source patch. Is this possible?

There is a way, here.  https://forums.gentoo.org/viewtopic.php?t=5378

I'll post more when I try it out.

Meanwhile, where is the GLSA advisory?  Shouldn't there be one, even if the new emerge package hasn't been updated yet?

----------

## pjp

The GLSA advisories come out over the gentoo-announce mailing list.  I've not seen them until the portage fix is available.

----------

## puke

Here's the fix, I think, using the most recent ebuild and the patch from sendmail.org:

```
# /etc/init.d/sendmail stop
# ebuild /usr/portage/net-mail/sendmail/sendmail-8.12.7-r2.ebuild fetch
# ebuild /usr/portage/net-mail/sendmail/sendmail-8.12.7-r2.ebuild unpack
# cd /var/tmp/portage/sendmail-8.12.7-r2/work/sendmail-8.12.7
# patch -p0 < /PATH/TO/sendmail.8.12.security.cr.patch
# ebuild /usr/portage/net-mail/sendmail/sendmail-8.12.7-r2.ebuild compile
>>> md5 ;-) sendmail.8.12.7.tar.gz
>>> Checking sendmail.8.12.7.tar.gz's mtime...
>>> WORKDIR is up-to-date, keeping...
# ebuild /usr/portage/net-mail/sendmail/sendmail-8.12.7-r2.ebuild install
>>> md5 ;-) sendmail.8.12.7.tar.gz
>>> Checking sendmail.8.12.7.tar.gz's mtime...
>>> WORKDIR is up-to-date, keeping...
# ebuild /usr/portage/net-mail/sendmail/sendmail-8.12.7-r2.ebuild qmerge
# /etc/init.d/sendmail start
```

Must remember to replace sendmail with qmail..   :Crying or Very sad: 
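
A small version-check helper to go with the patching procedure above, added here as an example and not code from this thread or from Gentoo: it compares a sendmail version string numerically, component by component, against the first fixed release named in the advisory (8.12.8), so that a later release such as 8.12.10 is not mistaken for an older one by a string comparison, and then runs that check over a constructed host inventory. The host names and versions in the inventory are made up for the demonstration.

```shell
#!/bin/sh
# Added example: decide whether a reported sendmail version predates the
# fixed release named in the advisory (8.12.8). Component-wise numeric
# comparison avoids the lexical trap where "8.12.10" sorts before "8.12.8".
FIXED_VERSION="8.12.8"

# version_lt A B: exit status 0 when A is older than B.
# Versions are dotted numeric strings; a missing component counts as 0
# (so "8.12" is treated as "8.12.0").
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"   # leading component of a
        bh="${b%%.*}"   # leading component of b
        # Drop the consumed component; clear the string when no dot remains.
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"
        bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1   # all components equal: not older
}

# sendmail_vulnerable VERSION: exit status 0 when VERSION is before 8.12.8.
sendmail_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed inventory for the demonstration (host, reported version);
# these are not real hosts.
INVENTORY="mx1.example.test 8.12.7
mx2.example.test 8.12.8
mx3.example.test 8.9.3
mx4.example.test 8.12.10"

# list_vulnerable: print the inventory entries that still need the update.
list_vulnerable() {
    printf '%s\n' "$INVENTORY" | while read -r host ver; do
        if sendmail_vulnerable "$ver"; then
            printf '%s %s\n' "$host" "$ver"
        fi
    done
}

list_vulnerable
```

The version string for a real host can be taken from the banner sendmail prints with `sendmail -d0.1 -bv root < /dev/null`; the helper only understands purely numeric dotted versions, so any vendor suffix has to be stripped first.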

----------

## kabutor

Well in bug list there is a fix:

*Quote:*

> Fix: upgrade to 8.12.8
>
> There is already a bug (#16755) with an ebuild for 8.12.8

:Sad:

----------

## asimon

Here is an interesting read about this sendmail bug, in German:

http://www.heise.de/newsticker/data/jk-04.03.03-002/

The security company ISS informed the US National Infrastructure Protection Center (soon to be part of the Department of Homeland Security) about this sendmail security failure in mid January but the information was held closed by the US government (Directorate of Information Analysis and Infrastructure Protection) until a fix was done. It was a first test for the Department of Homeland Security.

Information age? Yeah ... right.

----------

## HaeMaker

emerge -u sendmail

Thanks for the quick response.

----------