No luck. These patches aren't on ftp.freebsd.org. The latest one there is
06:10, from March 1.
And nothing intelligible is written at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058 either.
3APA3A wrote:
>
>--This is a forwarded message
>From: FreeBSD Security Advisories <security-advisories@xxxxxxxxxxx>
>To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
>Date: Wednesday, March 22, 2006, 7:11:31 PM
>Subject: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail
>
>===8<==============Original message text===============
> =============================================================================
> FreeBSD-SA-06:13.sendmail                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic: Race condition in sendmail
>
> Category: contrib
> Module: contrib_sendmail
> Announced: 2006-03-22
> Affects: All FreeBSD releases.
> Corrected: 2006-03-22 16:01:08 UTC (RELENG_6, 6.1-STABLE)
>            2006-03-22 16:01:38 UTC (RELENG_6_0, 6.0-RELEASE-p6)
>            2006-03-22 16:01:56 UTC (RELENG_5, 5.5-STABLE)
>            2006-03-22 16:02:17 UTC (RELENG_5_4, 5.4-RELEASE-p13)
>            2006-03-22 16:02:35 UTC (RELENG_5_3, 5.3-RELEASE-p28)
>            2006-03-22 16:02:49 UTC (RELENG_4, 4.11-STABLE)
>            2006-03-22 16:03:05 UTC (RELENG_4_11, 4.11-RELEASE-p16)
>            2006-03-22 16:03:25 UTC (RELENG_4_10, 4.10-RELEASE-p22)
> CVE Name: CVE-2006-0058
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit
> <URL:http://www.freebsd.org/security/>.
>
> NOTE: The issue discussed in this advisory was reported to the FreeBSD
> Security Team, and the patch which corrects it was supplied, by the
> Sendmail Consortium via CERT. Due to the limited information available
> concerning the nature of the vulnerability, the FreeBSD Security Team
> has not been able to evaluate the effectiveness of the fixes, nor the
> possibility of other workarounds.
>
> I. Background
>
> FreeBSD includes sendmail(8), a general purpose internetwork mail
> routing facility, as the default Mail Transfer Agent (MTA).
>
> II. Problem Description
>
> A race condition has been reported to exist in the handling by sendmail
> of asynchronous signals.
>
> III. Impact
>
> A remote attacker may be able to execute arbitrary code with the
> privileges of the user running sendmail, typically root.
>
> IV. Workaround
>
> There is no known workaround other than disabling sendmail.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
> or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
> RELENG_4_10 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 4.10,
> 4.11, 5.3, 5.4, and 6.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 4.10]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail410.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail410.patch.asc
>
> [FreeBSD 4.11 and FreeBSD 5.3]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail411.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail411.patch.asc
>
> [FreeBSD 5.4, and FreeBSD 6.x]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:13/sendmail.patch.asc
>
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
>
> The latest revision of this advisory is available at
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
>===8<===========End of original message text===========
--
--
Alexander Dilevsky
mailto:dil@xxxxxx