Patching Sendmail

If you do not use Sendmail^TM 8.12.9 then you must apply a security patch. Notice: after you applied the appropriate patch as explained below, you must recompile sendmail and install the new binary. See the instructions for your sendmail versions how to do that.

We apologize for releasing this information today (2003-03-29) but we were forced to do so by an e-mail on a public mailing list which contains information about the security flaw.

Please note the following changes in the default operation:

To provide protection for internal MTAs, 8.12.9 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101 when invoking sendmail.
To provide some protection for internal, unpatched MTAs that may be performing 7 to 8 or 8 to 7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to the defaults that were active before these patches, set MaxMimeHeaderLength to 0/0, i.e., in your mc file:
```
define(`confMAX_MIME_HEADER_LENGTH', `0/0');
```
Note: 0/0 doesn't work in 8.12.9 or earlier, use -1/-1 instead or apply a patch.
Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS.

Patch instructions:

Download the patch and the PGP signature.
Please don't use a program that converts the uuencoded file on the fly when downloading it (e.g., Netscape). The correct size of prescan.tar.gz.uu is 3053 bytes.

Check the PGP signature, e.g.,

gpg --verify prescan.tar.gz.uu.asc prescan.tar.gz.uu

pgp prescan.tar.gz.uu.asc prescan.tar.gz.uu

Unpack the patches:
```
uudecode -p < prescan.tar.gz.uu | gunzip -c | tar -xf -
```
This will give you these files (explanation for each file is on the left, only "prescan.VERSION.patch" are the files).
- prescan.8.12.8.patch: only for 8.12.8, changes version string to 8.12.8p1
- prescan.8.12.patch: for 8.12.0 - 8.12.7, does not change version string
- prescan.8.11.6.patch: only for 8.11.6, changes version string to 8.11.6p2
- prescan.8.11.patch: for 8.11.0 - 8.11.5 and 8.10.0 - 8.10.2, does not change version string
- prescan.8.9.3.patch: only for 8.9.3, changes version string to 8.9.3p2
- prescan.8.9.patch: for 8.9.0 - 8.9.2, does not change version string. Note: the patch doesn't apply cleanly to these old version, you have to ignore the error you get for conf.c.
Apply the appropriate patch to your version of the sendmail source code (change the version number below to the right one!), e.g.,
```
cd sendmail-8.12.8/sendmail
patch < prescan.8.12.8.patch
```
If you didn't have sendmail 8.12.8 previously but an older version, then make sure you have the previous security patch installed.
Recompile sendmail, and install the new binary.