If you're as security conscious as I am then you're probably on the CERT mailing list. If so then you likely received an e-mail alert regarding a sendmail vulnerability, one which could affect a vast number of servers. It has some rather nasty potential as it lives in headers, not the body content or attachments. I was vulnerable according to the alert so I shut down my sendmail and fetchmail processes and attempted to apply the fix.
And here's where it gets a bit gnarly. I run a mutated version of Red Hat Linux, combining elements as needed to support various applications. It started off as a 5.2 system but was subsequently upgraded to 6.2 with other bits and pieces as required. I've saved all of my RPMs so I'll be able to restore the system back to the current state but it's not exactly a "default configuration" any more. My customizations are fairly typical but these are all backed-up as well.
I went to the Red Hat site identified in the CERT alert and downloaded the sendmail RPM (Red Hat Package Manager) for 6.2. Trying to install the upgrade failed the prerequisites test. I'm used to this, sometimes having to track down and install half a dozen dependencies just to be able to get to the point where the desired package will install. So I chose to go with the source RPM (SRPM) instead. This approach utilizes the resources already installed on the system instead of requiring upgrades of all sorts of unrelated packages which might end up breaking some of my existing applications. I then applied the patch, which is simply a matter of typing the following command at the shell prompt:
$ patch -p0 < sendmail.8.11.6.security.cr.patch
With that installed it was a matter of more digging through the sendmail documentation to figure out that I needed a configuration file in the devtools/Site subdirectory called site.config.m4. Here are the contents of the file:
define(`confMAPDEF', `-DNEWDB') define(`confINCDIRS', `-I/usr/local/BerkeleyDB.4.1/include') define(`confLIBDIRS', `-L/usr/local/BerkeleyDB.4.1/lib') define(`confLIBS', `-ldb-4.1')
$ sh Build -c -f `pwd`/devtools/Site/site.config.m4
libsmdb/smdb2.c: 530a531,533 > #if DB_VERSION_MAJOR > 3 > result = (*db)->open(*db, NULL, db_name, NULL, db_type, db_flags, 0644); > #else 531a535 > #endif sendmail/map.c: 1634a1635,1638 > #if DB_VERSION_MAJOR > 3 > ret = db->open(db, NULL, buf, NULL, dbtype, flags, > DBMMODE); > #else 1635a1640 > #endif sendmail/udb.c: 1005a1006,1014 > #if DB_VERSION_MAJOR > 3 > ret = up->udb_dbp->open(up->udb_dbp, > NULL, > up->udb_dbname, > NULL, > DB_BTREE, > flags, > 0644); > #else 1011a1021 > #endif
# sh Build install
# LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/BerkeleyDB.4.1/lib # export LD_LIBRARY_PATH # /etc/rc.d/rc3.d/S80sendmail start
Total elapsed time: about four hours. That included downloading the source RPM, the Berkeley DB source package and the patch. I then had to build the DB package, figure out the configuration file (lots of README files in the sendmail source distribution) and compile and install sendmail. So if you're trying to secure your system and don't want to reinvent the wheel, follow along and you should be up and running in less than an hour. Cheers!
March 3rd, 2003