# Sendmail SSL security vulnerability..........

## ewbish

Any ideas when the updated package will be available in portage?  Need to go to 8.14.4, the current is 8.14.0.

----------

## jmbsvicetto

Patrick bumped it a few days ago.

```
*sendmail-8.14.4 (04 Jan 2010)

  04 Jan 2010; Patrick Lauer <patrick@gentoo.org> +sendmail-8.14.4.ebuild:
  Bump
```

----------

## ewbish

 *jmbsvicetto wrote:*   

> Patrick bumped it a few days ago.
> 
> *sendmail-8.14.4 (04 Jan 2010)
> 
>   04 Jan 2010; Patrick Lauer <patrick@gentoo.org> +sendmail-8.14.4.ebuild:
> ...

 

I just sync'd, says latest available is 8.14.0

Thanks

----------

## jmbsvicetto

This is likely why:

```
grep KEYWORDS $(portageq portdir)/mail-mta/sendmail/sendmail-8.14.4.ebuild

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
```

In case you don't know about keywords, please take a look at the Mixing Software branches section of the Gentoo Handbook.

----------

## ewbish

Not sure what you're getting at?  The boxes at issue are servers running stable.   After syncing, 8.14.0 still shows as the latest version of sendmail.  Years ago, I would have simply queried the online package DB to see what its status was.....

Maybe I should be more direct?

WHEN will Sendmail 8.14.4 be available in stable?  Sendmail has been getting version bumped for two years without being unmasked to stable, and at this point 8.14.4 is needed to fix a serious security issue....is it going to be unmasked or not?

----------

## Hu

I believe jmbsvicetto is getting at the fact that you can easily configure your machines to install =mail-mta/sendmail-8.14.4 now, without waiting for it to be marked stable.  It would certainly be nice to get it moved to stable quickly if it fixes a security vulnerability, but moving it to stable is not a prerequisite to installing it on your machines.  It appears that <mail-mta/sendmail-8.14.4 Multiple vulnerabilities (CVE-2009-4565) is tracking this effort.  Since the bug is already flagged with a CVE, the developers are aware of the security ramifications and do not require further encouragement to work quickly.
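The two mechanisms discussed in jmbsvicetto's and Hu's posts, the `KEYWORDS` line that decides whether a version is stable or testing for an arch, and the `package.keywords` entry that accepts exactly one testing version on an otherwise stable box, as an added illustration (not code from any poster). The `KEYWORDS` value is the one quoted above for sendmail-8.14.4; the ebuild path passed to `ebuild_keywords` is assumed.

```shell
#!/bin/sh
# Classify a package's keyword status for one arch from an ebuild KEYWORDS value.
# "arch" = stable, "~arch" = testing, "-arch" = explicitly masked, absent = unavailable.
keyword_status() {
    kw="$1"     # contents of the KEYWORDS variable
    arch="$2"   # arch to check, e.g. x86 or amd64
    for k in $kw; do
        case "$k" in
            "$arch")  echo stable;  return 0 ;;
            "~$arch") echo testing; return 0 ;;
            "-$arch") echo masked;  return 0 ;;
        esac
    done
    echo unavailable
}

# Read the KEYWORDS value out of an ebuild file (e.g. under $(portageq portdir)).
ebuild_keywords() {
    sed -n 's/^KEYWORDS="\(.*\)"/\1/p' "$1"
}

# Build the /etc/portage/package.keywords line that accepts only this one
# testing version: "=" pins the exact version, "~x86" accepts only that arch's
# testing keyword, so every other package stays on the stable branch.
package_keywords_line() {
    printf '=%s-%s ~%s\n' "$1" "$2" "$3"   # category/package, version, arch
}

# Constructed sample: the KEYWORDS value quoted in the thread for sendmail-8.14.4.
SENDMAIL_KEYWORDS='~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86'

main() {
    for a in x86 amd64 mips; do
        printf 'sendmail-8.14.4 on %s: %s\n' "$a" \
            "$(keyword_status "$SENDMAIL_KEYWORDS" "$a")"
    done
    echo 'Entry for /etc/portage/package.keywords on a stable x86 server:'
    package_keywords_line mail-mta/sendmail 8.14.4 x86
}

main
```

Every arch in that value carries a tilde, which is why a stable sync keeps showing 8.14.0: there is no stable keyword for the new ebuild to satisfy.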

----------

## ewbish

 *Hu wrote:*   

> I believe jmbsvicetto is getting at the fact that you can easily configure your machines to install =mail-mta/sendmail-8.14.4 now, without waiting for it to be marked stable.  It would certainly be nice to get it moved to stable quickly if it fixes a security vulnerability, but moving it to stable is not a prerequisite to installing it on your machines.  It appears that <mail-mta/sendmail-8.14.4 Multiple vulnerabilities (CVE-2009-4565) is tracking this effort.  Since the bug is already flagged with a CVE, the developers are aware of the security ramifications and do not require further encouragement to work quickly.

 

Thank you for your input Hu............but, if you look at my profile you may in fact surmise that after 5 years.........I've figured out package.keywords.  If I, in fact, wanted to mix stable and testing packages on my production servers.........I would in fact...........not be asking when it might possibly be available in the stable branch.  After all, those of us who run production servers rely on stable for just that............and when something remains marked as "testing" for two years............and in all archs..........one must conclude that there is a reason.   Admins who arbitrarily mix stable and testing on their production servers..........often find themselves with lots and lots of free time.

----------

## Hu

 *ewbish wrote:*   

> Thank you for your input Hu............but, if you look at my profile you may in fact surmise that after 5 years.........I've figured out package.keywords.  If I, in fact, wanted to mix stable and testing packages on my production servers.........I would in fact...........not be asking when it might possibly be available in the stable branch.  After all, those of us who run production servers rely on stable for just that............and when something remains marked as "testing" for two years............and in all archs..........one must conclude that there is a reason.   Admins who arbitrarily mix stable and testing on their production servers..........often find themselves with lots and lots of free time.

 Given that you seemed not to understand the point jmbsvicetto raised, I did not surmise that you understood package.keywords, and so suggested it explicitly because it would resolve your immediate problem.  Careful combination of stable and testing branches works fine, especially in cases like this where the only thing you are awaiting is for someone to remove a tilde so that the package is considered stable.  Removing the unstable marker has no particular effect on the underlying code, and does not make it any more or less likely to destroy your server.  While I cannot say that mixing branches has left me with "lots and lots" of free time, it has in the past made my life easier, and thereby freed up some time on occasion.  Gentoo developers are sometimes less receptive of bug reports when mixing branches has caused the problem, so there is an expectation that anyone mixing branches have sufficient background to fend for themselves.

While I cannot comment on the reason why this particular package has had new versions confined to the testing branch for two years, I can repeat the reasons that most commonly explain packages spending an extended time on the testing branch.  Packages often remain in testing if they depend on packages which are themselves in testing; or if the source package is the subject of frequent new Gentoo bug reports; or if upstream is posting new releases so rapidly that release N cannot satisfy the stabilization criteria before release N+1 is out; or if no one posts a legitimate stable request.  Packages are not designated stable simply by virtue of time, but must instead exhibit a history from which one could reasonably infer correct function.  If no one posts advertising that they tried the new version and found it to be good, then the maintainer may leave it in testing to avoid unleashing a potentially bad package.

----------

## ewbish

 *Hu wrote:*   

> > *ewbish wrote:*
> >
> > Thank you for your input Hu............but, if you look at my profile you may in fact surmise that after 5 years.........I've figured out package.keywords.  If I, in fact, wanted to mix stable and testing packages on my production servers.........I would in fact...........not be asking when it might possibly be available in the stable branch.  After all, those of us who run production servers rely on stable for just that............and when something remains marked as "testing" for two years............and in all archs..........one must conclude that there is a reason.   Admins who arbitrarily mix stable and testing on their production servers..........often find themselves with lots and lots of free time.
>
> Given that you seemed not to understand the point jmbsvicetto raised, I did not surmise that you understood package.keywords, and so suggested it explicitly because it would resolve your immediate problem.  Careful combination of stable and testing branches works fine, especially in cases like this where the only thing you are awaiting is for someone to remove a tilde so that the package is considered stable.  Removing the unstable marker has no particular effect on the underlying code, and does not make it any more or less likely to destroy your server.  While I cannot say that mixing branches has left me with "lots and lots" of free time, it has in the past made my life easier, and thereby freed up some time on occasion.  Gentoo developers are sometimes less receptive of bug reports when mixing branches has caused the problem, so there is an expectation that anyone mixing branches have sufficient background to fend for themselves.
> 
> While I cannot comment on the reason why this particular package has had new versions confined to the testing branch for two years, I can repeat the reasons that most commonly explain packages spending an extended time on the testing branch.  Packages often remain in testing if they depend on packages which are themselves in testing; or if the source package is the subject of frequent new Gentoo bug reports; or if upstream is posting new releases so rapidly that release N cannot satisfy the stabilization criteria before release N+1 is out; or if no one posts a legitimate stable request.  Packages are not designated stable simply by virtue of time, but must instead exhibit a history from which one could reasonably infer correct function.  If no one posts advertising that they tried the new version and found it to be good, then the maintainer may leave it in testing to avoid unleashing a potentially bad package.

 

Uhhh, maybe you should reread your second paragraph to understand why we don't mix stable and testing on our production systems.  

Again, Hu, as I said, thanks for your input, as absolutely irrelevant as it was, and having nothing whatsoever to do with when the current package may be marked stable.

----------

## a3li

 *ewbish wrote:*   

> WHEN will Sendmail 8.14.4 be available in stable?  Sendmail has been getting version bumped for two years without being unmasked to stable, and at this point 8.14.4 is needed to fix a serious security issue....is it going to be unmasked or not?

 

Don't get too excited, the issue is nowhere near "serious". But as with every security update of course it will be made available in the stable distribution if it affects it. In fact, I called arches right now. CC yourself to the aforementioned bug to get status updates.

----------

## col

What about dovecot? Security issues in 1.2.6 were announced way back on the 20th of November 2009. Since then 1.2.7, 1.2.8 & 1.2.9 have been released, yet we are still stuck on 1.2.6 (x86)?

----------

## cach0rr0

again, the newer builds are in portage

they are ripe for the picking - they need only be unmasked 

the upstream code included in these packages will not arbitrarily change once Gentoo marks them stable

There seem to be some major misconceptions with regards to the risks of merging a single keyworded package; as well, the only thing that seems to be suggested here is "hurry up".

It's a lose/lose situation; if this is hurried out and something breaks that would have been found if properly QA'd, users complain. 

If the package isn't marked stable quickly enough, users complain. 

Typically it is best to err on the side of caution. In this case the decision is left to the admin which course of action to take - they can either wait, or merge the package before it's marked stable - the upgrade path is there, it is up to the admin to prioritize - but a simple "hurry up" and "I demand satisfaction dammit, you will conduct business as I mandate!" from the user base serves very little functional purpose beyond pissing people off who might otherwise want to be helpful. The upgrade path is there, end of story, it will be marked stable when it's marked stable. 

Others who have tried to help in this thread have been greeted with abuse and venom. Frankly I'm surprised they kept cool heads and retained the professionalism they did, despite being greeted with "how dare you assume I not know something! You see my join date? Yeah buddy, 2005, so watch who you're talking to!"

Well if you've been around so long, you should know the bloody impact of running ~arch for one package when upstream has marked it stable is a big fat NULL. 

With this Sendmail issue especially, it might be prudent to actually LOOK at what the vulnerability is, and understand the potential impact. 

In this case the potential impact is negligible at best - yes it's a risk, but unless you use client certs the potential real world impact is nil. 

There is a correct tone to take when inquiring about a bug, and this is far from it. Nobody *owes* anyone a package released in a manner they deem adequately timely, and the likelihood of someone busting their hump to stabilize a package because a handful of users are being twats about it is exceptionally low. Nor should the people who are trying to proffer alternative paths in their free time, without any obligation, be castigated by someone who feels insulted that they did not immediately recognise his prowess as the almighty Buddha of Gentoo. 

I mean really, want a comparably snarky answer? Use Postfix. Or better yet, demand all of the huge sums of money back that you paid everyone to give you the answers you demand in the time you demand, with a complimentary reacharound to boot - since of course people owe you something. 

@ col:

Sorry to catch you in the middle of that rant. 

In the case of the dovecot vulnerability, it is locally exploitable only, and if you're running a serious production server there is no way in hell you give your users access to logon as a local user. If you've sync'd recently, it should be ~arch already. I have no idea when it will be stabilized, but with Dovecot's current frantic pace of putting out new releases, it's most likely you'll see all subsequent releases stabilized immediately once the devs are certain that's it for a while.

----------

## ewbish

 *cach0rr0 wrote:*   

> again, the newer builds are in portage
> 
> they are ripe for the picking - they need only be unmasked 
> 
> the upstream code included in these packages will not arbitrarily change once Gentoo marks them stable
> ...

 

The "venom" as you put it........was directed at the typical waffling answer that often passes for help around here.  For the record........it is NOT directed at jmbsvicetto, who I asked for clarification.  But at the little snotty kid who chimed in unasked.  The children don't seem to be capable of saying   "I don't know when it will be in stable", or "this is what we're doing", or something to that effect.........you know like a3li's post..........you all want to play this little RTFM, we're holier than thou game, and anybody who won't bend over to your condescending BS is just being "mean".

NOBODY came on here criticizing about speed, so don't throw that "user's complain blah blah blah" BS out there.......I simply asked for a time-line.........not a cocky asshat snide little remark.  

Based on your comments..........we should just do away with stable..........hell, we don't need it......after all, simply unmasking test packages willy nilly is perfectly fine for production systems..........

Jeez..............so typical of some of you prima donnas and kids............can't answer the question, then cry like a little girl when your BS is called out.    It's simple........if you don't know the answer, then STFU and don't post.........if you want to play the little "RTFM" game with me, then don't cry when you're called out.  You have a LOT of growing up to do and some of you need to realize that over the past decade that Gentoo has been around..........it has grown into a platform that many sys admins enjoy and rely on BECAUSE of the stable overlay and ability to quickly update security issues.   

When Gentoo's OWN social contract states the desire for it to become a legitimate stable server release...........then don't be offended when folks ask for time lines on security fixes.  If you can't handle that..........then find another profession.

----------

## cach0rr0

 *ewbish wrote:*   

> The "venom" as you put it........was directed at the typical waffling answer that often passes for help around here.  For the record........it is NOT directed at jmbsvicetto, who I asked for clarification.  But at the little snotty kid who chimed in unasked.  The children don't seem to be capable of saying   "I don't know when it will be in stable", or "this is what we're doing", or something to that effect.........you know like a3li's post..........you all want to play this little RTFM, we're holier than thou game, and anybody who won't bend over to your condescending BS is just being "mean".

 

Since you have been around from 2005 onwards, and only managed to rack up a few dozen posts, you may well not be a frequent visitor here. 

But if you're insinuating that Hu or anyone else who responded is a "snotty kid", you should really go back through and look at some of his other posts. 

He does absolutely nothing here but help, and is easily one of the most knowledgeable, professional, frequent contributors to these boards. Frankly I'm the first person in this thread who has responded to you in a less than professional manner, and it's for no reason other than this; you deserve it, you're behaving like a pissy little child who needs attention. 

If you interpreted anyone else's comments in this thread besides my own as being anything other than attempts to help, you would be well advised to fuck off to the Sanskrit forums or somewhere else that speaks whatever plague-ridden anti-social language it is you use to communicate. 

Based upon what exactly should someone assume that you're aware of what package.* means? By looking at your join date, REALLY? And what sort of juvenile troll immediately turns to point at their join date as some sort of accomplishment as though they're above the basic introductory responses because by golly, they've earned their join date through blood sweat and tears! This isn't 4chan, grow up, your join date and/or forum title mean absolutely nothing with regards to your knowledge. It is perfectly sensible for the assumption to be made that you aren't aware of how to handle ~arch, and to provide an explanation for doing so; and based upon your pissy rabid responses, it would seem this assessment is spot on. 

Simply put, you are a dick, you don't know what the hell ~arch means apparently, and it would please me greatly if the maintainers of the package left this ~arch indefinitely for the sole purpose of sending you into a frantic aspergers fit. 

What a brilliant way to ensure absolutely nobody wants to deal with you or cooperate with you in any way shape or form. I would hope that anyone who could potentially provide you with a timeline sees this thread first, as they'll no doubt decide your childishness and complete lack of professionalism doesn't warrant one.

----------

## desultory

 *ewbish wrote:*   

> Not sure what you're getting at?  The boxes at issue are servers running stable.   After syncing, 8.14.0 still shows as the latest version of sendmail.  Years ago, I would have simply queried the online package DB to see what its status was.....

 Given that now you have your choice of various such sites, you still can.

 *ewbish wrote:*   

> Maybe I should be more direct?

 While you are reconsidering your posting strategy, please take the time to review the forum guidelines. While you will probably not be thanked for doing so, you will also probably not be banned for adhering to them.

 *ewbish wrote:*   

> WHEN will Sendmail 8.14.4 be available in stable?  Sendmail has been getting version bumped for two years without being unmasked to stable, and at this point 8.14.4 is needed to fix a serious security issue....is it going to be unmasked or not?

 Even though this was already answered by a developer, who you then berated for providing a fully correct and appropriate answer, I will provide a more explicit timetable: it will be done when it is ready.

Locked, having lived past its utility.

----------

## ewbish

To the package maintainer..thanks for getting it out there.  Much appreciated.......you don't know how much.    I understand the trivial nature of the issue......but it's a security notice, and I have a very hard time keeping my 'nix servers under the radar in the world I work in.....and outstanding alerts that show up on higher HQ scans have to be dealt with.

To the "RTFM" crowd...............I don't post much, because it's not necessary most of the time.  And yes, several of you are snot nosed little kids who are still caught up in that holier than thou 'nix phase where you feel the need to play word games and tell folks with questions "RTFM"................this forum has literally hundreds of threads complaining about such childish BS, and the attitudes of some on here are a large part of why, even though IMHO it's the best distro around, GENTOO has not been as widely adopted as other, lesser distros.    Some of you admins, and posters...should take five minutes and reread the GENTOO About page, and the Gentoo's contract with society.  You could learn a thing or two.

I asked a simple question, and instead got 4 replies about reading docs or "it will be done when it's done".  You could have simply said "I don't know".  

So.....you can kindly fuck off to your little girlfriendless dream world of D&D, Warcraft, and angry masturbation........while those of us in the real world get on with life and the management of our servers.

Have a nice day.

Merged after thread locked and banned ewbish for failure to abide by the forums guidelines, after the direct reference above - NeddySeagoon

----------

