Sendmail – 8.14.4

Posted by Phil Smith on 2 January, 2010

No comments yet

This item was filled under [ Releases ]

Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.14.4. This version fixes some problems:

some certificate authorities do not properly check the requests they are signing and hence allow spoofing via an embedded NUL in the CN entry. Some checks have been added to deal with “bogus” CNs (see below and doc/op/op.*).
a workaround for a Linux resolver problem has been added to avoid core dumps.
the value of headers, e.g., Precedence, Content-Type, et.al., was not extracted correctly thus preventing them from being recognized properly; leading spaces were not stripped (which was an unintended side effect of an earlier change) and hence comparing them with expected values (e.g., “first-class” for Precedence) did not work.
between 8.11.7 and 8.12.0 the length limitation on a return path was erroneously reduced.

For a full list of changes see the release notes down below.

Please send bug reports and general feedback to one of the usual addresses.

The version can be found at

or on a mirror near to you.

MD5 signatures:

1b23d5000c8e7bfe82ec1a27f2f5fdc5 sendmail.8.14.4.tar.gz

0986e83fefad74477e5473860eb7a3dc sendmail.8.14.4.tar.gz.sig

db975437af4b08ed3b88deaccec26f89 sendmail.8.14.4.tar.Z

8a5740dff8a85e0d5a8d754bf73c0b28 sendmail.8.14.4.tar.Z.sig

Since sendmail 8.11 and later includes hooks to cryptography, the following information from OpenSSL applies to sendmail as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

SENDMAIL RELEASE NOTES

$Id: RELEASE_NOTES,v 8.1963 2009/12/23 04:43:46 ca Exp $

This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release.

8.14.4/8.14.4 2009/12/30
SECURITY:

Handle bogus certificates containing NUL characters in CNs by placing a string indicating a bad certificate in the {cn_subject} or {cn_issuer} macro.

Patch inspired by Matthias Andree’s changes for fetchmail. During the generation of a queue identifier an integer overflow could occur which might result in bogus characters being used. Based on patch from John Vannoy of Pepperdine University. The value of headers, e.g., Precedence, Content-Type, et.al., was not processed correctly.

Patch from Per Hedeland. Between 8.11.7 and 8.12.0 the length limitation on a return path was erroneously reduced from MAXNAME (256) to MAXSHORTSTR (203).

Patch from John Gardiner Myers of Proofpoint; the problem was also noted by Steve Hubert of University of Washington.

Prevent a crash when a hostname lookup returns a seemingly valid result which contains a NULL pointer (this seems to be happening on some Linux versions).

The process title was missing the current load average when the MTA was delaying connections due to DelayLA.

Patch from Dick St.Peters of NetHeaven. Do not reset the number of queue entries in shared memory if only some of them are processed.

Fix overflow of an internal array when parsing some replies from a milter. Problem found by Scott Rotondo of Sun Microsystems.

If STARTTLS is turned off in the server (via M=S) then it would not be initialized for use in the client either.

Patch from Kazuteru Okahashi of IIJ. If a Diffie-Hellman cipher is selected for STARTTLS, the handshake could fail with some TLS implementations because the prime used by the server is not long enough.

Note: the initialization of the DSA/DH parameters for the server can take a significant amount of time on slow machines.

This can be turned off by setting DHParameters to none or a file (see doc/op/op.me). Patch from Petr Lampa of the Brno University of Technology.

Fix handling of `b’ modifier for DaemonPortOptions on little endian machines for loopback address. Patch from John Beck of Sun Microsystems.

Fix a potential memory leak in libsmdb/smdb1.c found by parfait. Based on patch from Jonathan Gray of OpenBSD. If a milter sets the reply code to “421″ during the transfer of the body, the SMTP server will terminate the SMTP session with that error to match the behavior of the other callbacks. Return EX_IOERR (instead of 0) if a mail submission fails due to missing disk space in the mail queue. Based on patch from Martin Poole of RedHat.

CONFIG: Using FEATURE(`ldap_routing’)'s `nodomain’ argument would cause addresses not found in LDAP to be misparsed.

CONFIG: Using a CN restriction did not work for TLS_Clt as it referred to a wrong macro. Patch from John Gardiner Myers of Proofpoint.

CONFIG: The option relaytofulladdress of FEATURE(`access_db’) did not work if FEATURE(`relay_hosts_only’) is used too. Problem noted by Kristian Shaw.

CONFIG: The internal function lower() was broken and hence strcasecmp() did not work either, which could cause problems for some FEATURE()s if upper case arguments were used. Patch from Vesa-Matti J Kari of the University of Helsinki.

LIBMILTER: Fix internal check whether a milter application is compiled against the same version of libmilter as it is linked against (especially useful for dynamic libraries).

LIBMILTER: Fix memory leak that occurred when smfi_setsymlist() was used. Based on patch by Dan Lukes.

LIBMILTER: Document the effect of SMFIP_HDR_LEADSPC for filters which add, insert, or replace headers. From Benjamin Pineau.

LIBMILTER: Fix error messages which refer to “select()” to be correct if SM_CONF_POLL is used. Based on patch from John Nemeth.

LIBSM: Fix handling of LDAP search failures where the error is carried in the search result itself, such as seen with OpenLDAP proxy servers.

VACATION: Do not refer to a local variable outside its scope. Based on patch from Mark Costlow of Southwest Cyberport.

Portability: Enable HAVE_NANOSLEEP for SunOS 5.11.

Patch from John Beck of Sun Microsystems. Drop NISPLUS from default SunOS 5.11 map definitions.

Patch from John Beck of Sun Microsystems.

From: http://www.sendmail.org/releases/8.14.4

Tagged with: [ Sendmail ]

You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

« WordPress 2.9.1 Release Candidate 1

VirtualBox 3.1.2 released »

Blog Subscription

Subscribe via RSS Feed stay updated with blog articles

Recent Posts

Tags

.uk 2.3 Apache Apache 1.3 Apache 2.2 Apache 2.3 CCleaner ClamAV Confirg DNS DNSSEC Error logs Firebug HTTP LINX Marketgrid MySQL MySQL 5.1 MySQL 5.5 MySQL Community Server MySQL Connect MySQL Connector MySql Connector/Net MySql Connector/Net 6.3.3 MySQL Workbench NDB Cluster Net-SNMP Network Nominet OpenSSH OpenSSL PHP phpBB Production Security Sendmail Server SSH Thunderbird VirtualBox Webserver logs WinSCP Wordpress Zend Zend Framework
Archives
January 2010

M T W T F S S

« Dec Feb »

1 2 3

4 5 6 7 8 9 10

11 12 13 14 15 16 17

18 19 20 21 22 23 24

25 26 27 28 29 30 31
Categories
- Apache (9)
- DNS (5)
- Misc (2)
- MySQL (26)
- News (14)
- OpenSSH (2)
- OpenSSL (5)
- Releases (64)
- Tips (2)
- Tools (3)
- Uncategorized (1)
- Virtualbox (1)
- Wireshark (1)
- Zend/PHP (8)
Links

Cloud Testing
Website Archiving Service
Website History Service
The Browser Guru
UK Forces Discounts
Nursery Fresh Postal Flowers
Nursery Fresh Wholesale Flowers
Website-Archiving Blog
- Showing the differences in your daily archives August 27, 2010
  Our new screenshot compare tool has just been released. It allows you to view two screenshot archives and then fade them in / out using the slider making spotting differences in the pages easy. In this first view, with the slider at the top set to 25% we see more of the first captured screenshot. […]
- New SEC (Securities and Exchange Commission) Compliance website August 26, 2010
  We’ve just set-up a new website to help clients with teh difficulties of SEC (Securities and Exchange Commission) compliance – http://www.sec-compliance.net/. […]
- New feature to show when your archived pages have changed August 25, 2010
  We’ve just released another new feature that allows you to see at a glance when your archived pages have changed – see example below. For further information and features see the main Website-Archive website http://www.website-archive.com/ […]
- New re-branded archiving portal August 24, 2010
  We’re pleased to announce the new updated and re-branded archiving portal http://portal.website-archive.com/. The changes include incorporation of the Website Archive logo along with preparations for our upcoming new services which are currently in closed beta: RSS Archiving Document Archiving File Archiving You can view an on-line demo version of the servic […]
- Document and File Archiving August 23, 2010
  Our file and document archiving service is now in full beta. It allows subscribers to make daily archives of online files and documents, such as Word Doc, XLS, PDF etc. These files are stored in our secure data centres for compliance and record keeping purposes. The following websites will be used for providing more details […]
- FISMA Compliance August 20, 2010
  FISMA (Federal Information Security Management Act) is a United States federal law enacted in 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for […]
- Searching for content within your daily website archives August 19, 2010
  In addition to searching within the URL or page names, you can also search winthin your archives for particular content. The resulting search results show which of your archived pages contain the search term in the content and on which day(s): You can view an on-line demo version of the service at http://www.website-archive.com/. […]
- RSS Feed Archiving Service now in beta August 17, 2010
  I’m pleased to announce that we’ve released our new archiving service for RSS feeds to selected beta testing customers. The service will allow subscribers to the service to have RSS feeds archived for compliance and record keeping purposes. This can be either a feed of your own blog, or news events, or information from other […]
- Authenticity signatures for your archives August 16, 2010
  We’ve just released another new feature for our Website Archiving service, which allows you to easily view the authenticity signatures for your archives. We capture, calculate and store a number of signatures to ensure the integrity of the archived information. You can view an on-line demo version of the service at http://www.website-archive.com/. […]
- New navigation for Website Archiving service August 15, 2010
  We’ve just released a new and updated navigation to allow easier access to your archived website screenshots. You can now easily click on one of the Daily, Weekly or Monthly links to view all the screenshots for a particular page. You can view an on-line demo version of the service at http://www.website-archive.com/. […]
The Browser Guru
- Useful links for Cloud Testing and Archiving August 21, 2010
  Links: www.cloudtesting.com www.cloud-testing.com www.cloudtesting.co.uk www.cloudtesting.us www.cloudtesting.eu www.cloudloadtesting.com www.cloudloadtesting.co.uk www.cloudloadtest.com www.cloudloadtest.co.uk www.cloudwebtest.com www.themonitoringcloud.com www.themonitoringcloud.co.uk www.monitoringcloud.com www.loadtestingcloud.com www.cloudtesting.jp www […]
- 97% of Chrome users running the latest version August 7, 2010
  According to “Why Silent Updates Boost Security” (download PDF), 97% of Chrome users were running the latest version of the browser within 21 days of the last update’s release. By comparison, 85% of Firefox users were up-to-date in the same span, while only 53% Safari users could say the same. […]
- Firefox 3.6.8 released July 23, 2010
  Security Advisories Fixed in Firefox 3.6.8: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix From http://www.mozilla.org/security/known-vulnerabilities/firefox36.html […]
- FINRA Compliance July 11, 2010
  FINRA (Financial Industry Regulatory Authority) was created in July 2007 with the consolidation of the regulation enforcement and arbitration functions of the New York Stock Exchange with the National Association Of Securities Dealers (NASD). FINRA in conjunction with the Securities and Exchange Commission (SEC) are regulatory agencies for the financial serv […]
- Firefox 3.6.6 June 27, 2010
  Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. […]
- Firefox gets crash protection with release of version 3.6.4 June 23, 2010
  Firefox 3.6.4 has been released with crash protection for Adobe’s Flash Player, Apple ‘s QuickTime and Microsoft ‘s Silverlight plug-ins, and is available only in Firefox for Windows and Linux . Mozilla is still working on the “out of process plug-ins,” or OOPP feature, for the Mac version. The version also patches nine vulnerabilities, six […]
- Firefox 3.5.10 June 23, 2010
  Firefox 3.5.10 has been released – it patches nine vulnerabilities, six of them critical. […]
- Safari 5.0 June 10, 2010
  This update contains new features including: Safari Reader: Click on the new Reader icon to view articles on the web in a single, clutter-free page. Improved Performance: Safari 5 executes JavaScript up to 25% faster than Safari 4. Better page caching and DNS prefetching speed up browsing. Bing Search Option: New Bing search option for […]
- Firefox 3.6.2 March 20, 2010
  Mozilla yesterday released a beta version of the Firefox 3.6 browser to fix several stability and security issues. Firefox 3.6.2 has been released to Mozilla’s beta tester community, and includes several bug fixes such as crashes when using Adobe’s ClickMap add-on. Other problems reported by some users, such as there being no prompt to update […]
- Apple Safari 4.0.5 March 13, 2010
  Apple has released Safari 4.0.5 to address multiple vulnerabilities in ColorSync, ImageIO, PubSub, Safari, and WebKit. These vulnerabilities may allow a remote attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or bypass security restrictions. US-CERT encourages users and administrators to review Apple arti […]

January 2010
M	T	W	T	F	S	S
« Dec		Feb »
	1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Marketgrid on Twitter
- Marketgrid: Wireshark 1.4.0 - http://www.marketgrid.com/blog/2010/09/wireshark-1-4-0/ September 1, 2010
- Marketgrid: MySQL Connector/Net 6.2.4 - http://www.marketgrid.com/blog/2010/08/mysql-connectornet-6-2-4/ September 1, 2010
- Marketgrid: MySQL Connector/Net 6.0.7 - http://www.marketgrid.com/blog/2010/08/mysql-connectornet-6-0-7/ September 1, 2010
- Marketgrid: MySQL Connector/Net 6.1.5 released - http://www.marketgrid.com/blog/2010/08/mysql-connectornet-6-1-5/ August 30, 2010
- Marketgrid: OpenSSH 5.6 http://www.marketgrid.com/blog/2010/08/openssh-5-6/ August 23, 2010
- Marketgrid: RT @Website_Archive: Searching for content within your daily website archives http://www.website-archive.com/blog/?p=178 August 19, 2010
- Marketgrid: RT @cloud_links: New RSS Archiving service - http://www.rss-archiving.com/ August 19, 2010
- Marketgrid: RT @cloud_links: New RSS Archiving service for compliance - http://www.rsscompliance.com/ August 19, 2010
- Marketgrid: RT @cloud_links: New RSS Archiving service for compliance - http://www.rss-compliance.com/ August 19, 2010
- Marketgrid: RT @cloud_links: HIPAA compliance - http://www.hipaa-website-compliance.com/ August 19, 2010
Cloud Testing Blog
- Updated branding for CloudTesting and Website-Archive Portals August 24, 2010
  We’re pleased to announce the new updated and re-branded website testing and archiving portals at http://portal.cloudtesting.com/ and http://portal.website-archive.com/. The changes include incorporation of the Website Archive logo along with preparations for our upcoming new services which are currently in closed beta: RSS Archiving Document Archiving File […]
- Authenticity signatures for your archives August 18, 2010
  We’ve just released another new feature for our Website Archiving service, which allows you to easily view the authenticity signatures for your archives. We capture, calculate and store a number of signatures to ensure the integrity of the archived information. You can view an on-line demo version of the service at http://www.website-archive.com/. […]
- RSS Feed Archiving Service August 17, 2010
  We’re pleased to announce that we’ve released our new archiving service for RSS feeds to selected beta testing customers. The service will allow subscribers to the service to have RSS feeds archived for compliance and record keeping purposes. This can be either a feed of your own blog, or news events, or information from other […]
- Google releases Chrome 6 beta. August 12, 2010
  In this latest release is a 15 per cent speed improvement on the V8 and SunSpider javascript benchmarks, as well as a few of the new features including Autofill, a streamlined upper toolbar, made the Omnibox more approachable, and condensed all of the options into a single menu. […]
- Windows security updates applied to Cloud Testing Agents August 10, 2010
  All of the windows based agents have been updated with the following windows patches: Critical Security Bulletins Microsoft Security Bulletin MS10-049 - Affected Software: - Windows XP Service Pack 3 - Windows XP Professional x64 Edition Service Pack 2 - Windows Server 2003 Service Pack 2 - Windows Server 2003 x64 Edition Service Pack 2 […]
- Firefox 4.0 to be silently updated August 7, 2010
  Firefox is hoping to add an auto/silent update feature to Firefox 4.0, which will be enabled by default, but can be turned off. The major update dialog box will only be used for changes like version 4 to 4.5 or 5 according to Alex Faaborg on the “mozilla.dev.apps.firefox” forum. Users will still see the updating […]
- 97% of Chrome users running the latest version compared to 85% for Firefox and 53% for Safari August 7, 2010
  According to “Why Silent Updates Boost Security” (download PDF), 97% of Chrome users were running the latest version of the browser within 21 days of the last update’s release. By comparison, 85% of Firefox users were up-to-date in the same span, while only 53% Safari users could say the same. The Chrome browser is auto […]
- Firefox 3.6.8 released July 23, 2010
  Security Advisories Fixed in Firefox 3.6.8: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix From http://www.mozilla.org/security/known-vulnerabilities/firefox36.html […]
- Release of 1.9.0 Cloud Testing agent software July 23, 2010
  We’re pleased to announce the release of version 1.9.0 of the agent software. This has been deployed onto our Cloud Testing servers, and is available to Private Agent subscribers in the download area. New features include: Extra commands – see recent posting. Improved timeout handling (there is a 15 minute maximum run time for a […]
- New commands added July 21, 2010
  Following a request from a customer (Andrew from AMEE), we’ve added a number of new commands to our Functional and Cross Browser testing service. Our standard service always captures a screenshot after the following Selenium commands: Open Click and Wait Open Window Refresh Refresh and Wait Submit Submit and Wait Go Back Go Back and […]

Marketgrid Consulting Blog

Recent Posts

Apache HTTP Server 2.3.8-alpha

Wireshark 1.4.0

MySQL Connector/Net 6.2.4

MySQL Connector/Net 6.0.7

Browse by Tags

Sendmail – 8.14.4

MD5 signatures:

SENDMAIL RELEASE NOTES

Blog Subscription

Recent Posts

Archives

Categories

Links

Website-Archiving Blog

The Browser Guru

Marketgrid on Twitter

Cloud Testing Blog