Patching Sendmail
If you do not use Sendmail™ 8.12.9, then you must apply a security patch.
Notice: after you have applied the appropriate patch as explained below,
you must recompile sendmail and install the new binary.
See the instructions for your sendmail version for how to do that.
We apologize for releasing this information today (2003-03-29) but
we were forced to do so by an e-mail on a public mailing list
which contains information about the security flaw.
Please note the following changes in the default operation:
Patch instructions:
- Download the patch and the PGP signature.
  Please don't use a program that converts the uuencoded file on the fly
  when downloading it (e.g., Netscape).
  The correct size of prescan.tar.gz.uu is 3053 bytes.
- Check the PGP signature, e.g.,
      gpg --verify prescan.tar.gz.uu.asc prescan.tar.gz.uu
  or
      pgp prescan.tar.gz.uu.asc prescan.tar.gz.uu
- Unpack the patches:
      uudecode -p < prescan.tar.gz.uu | gunzip -c | tar -xf -
  This will give you these files (each file name is followed by its
  explanation; only the "prescan.VERSION.patch" names are the files).
  - prescan.8.12.8.patch: only for 8.12.8, changes version string to 8.12.8p1
  - prescan.8.12.patch: for 8.12.0 - 8.12.7, does not change version string
  - prescan.8.11.6.patch: only for 8.11.6, changes version string to 8.11.6p2
  - prescan.8.11.patch: for 8.11.0 - 8.11.5 and 8.10.0 - 8.10.2, does not change version string
  - prescan.8.9.3.patch: only for 8.9.3, changes version string to 8.9.3p2
  - prescan.8.9.patch: for 8.9.0 - 8.9.2, does not change version string.
    Note: the patch doesn't apply cleanly to these old versions;
    you have to ignore the error you get for conf.c.
- Apply the appropriate patch to your version of the sendmail source
  code (change the version number below to the right one!), e.g.,
      cd sendmail-8.12.8/sendmail
      patch < prescan.8.12.8.patch
- If you previously had a version older than sendmail 8.12.8,
  then make sure you have the previous security patch installed.
- Recompile sendmail and install the new binary.
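
The download, verification, unpack and apply steps above as one script. This is an added example, not code from sendmail.org: the function names and the download-directory argument are hypothetical, and the source tree is assumed to sit at sendmail-VERSION under the current directory. The file names, the 3053-byte size and the version-to-patch mapping are taken from the steps above.

```sh
#!/bin/sh
# Added example, not sendmail.org code; function names are hypothetical.
EXPECTED_SIZE=3053   # size of prescan.tar.gz.uu given on the page

# Print the patch file for a sendmail version, per the page's list.
# Returns 0 with a name, 1 for 8.12.9 (no patch needed), 2 if not listed.
prescan_patch_for() {
    case "$1" in
        8.12.9)                 return 1 ;;
        8.12.8)                 echo prescan.8.12.8.patch ;;
        8.12.[0-7])             echo prescan.8.12.patch ;;
        8.11.6)                 echo prescan.8.11.6.patch ;;
        8.11.[0-5]|8.10.[0-2])  echo prescan.8.11.patch ;;
        8.9.3)                  echo prescan.8.9.3.patch ;;
        8.9.[0-2])              echo prescan.8.9.patch ;;
        *)                      return 2 ;;
    esac
}

# True only if the file has exactly the published size; a browser that
# decoded the uuencoded file during download produces a different size.
size_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1" | tr -d ' ')" -eq "$EXPECTED_SIZE" ]
}

# $1 = sendmail version, $2 = directory holding the download and signature.
# Assumes the source tree is ./sendmail-VERSION, as in the page's cd command.
apply_prescan() {
    dir=$(cd "$2" && pwd) || return 1
    patchfile=$(prescan_patch_for "$1") ||
        { echo "no patch listed for $1" >&2; return 1; }
    size_ok "$dir/prescan.tar.gz.uu" ||
        { echo "prescan.tar.gz.uu is not $EXPECTED_SIZE bytes" >&2; return 1; }
    # gpg fails on a bad signature or unknown key; the signer's fingerprint
    # still has to be confirmed out of band.
    gpg --verify "$dir/prescan.tar.gz.uu.asc" "$dir/prescan.tar.gz.uu" || return 1
    (cd "$dir" && uudecode -p < prescan.tar.gz.uu | gunzip -c | tar -xf -) ||
        return 1
    # With prescan.8.9.patch a conf.c error is expected (see the note above).
    (cd "sendmail-$1/sendmail" && patch < "$dir/$patchfile")
}

# Usage: sh apply-prescan.sh 8.12.8 /path/to/download
if [ "$#" -eq 2 ]; then apply_prescan "$@"; fi
```

The script stops before unpacking if the size or the signature check fails, so a corrupted or altered download never reaches patch.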