Deploying sendmail update - Security


  1. Deploying sendmail update

    I'm fairly new to all this but about this Sendmail vuln:

    I have a whole bunch of boxes to update. I've downloaded and built the
    update from the sendmail site on one of the boxes OK.

    Can I just copy this binary to all the other boxes or does it need to
    be built individually on each and every box?

    Cheers, and apologies if this is a dumb question but I don't know
    anything about building software and dependencies and stuff I'm afraid.

    mark


  2. Re: Deploying sendmail update

    On 24 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1143194698.476264.295010@u72g2000cwu.googlegroups.com>, markvr wrote:

    >I have a whole bunch of boxes to update. I've downloaded and built the
    >update from the sendmail site on one of the boxes OK.


    No information about what kind of boxes these are, or what operating
    system they are running, or what version of what distribution... kinda
    missing some data there.

    >Can I just copy this binary to all the other boxes or does it need to
    >be built individually on each and every box?


    Let's make the assumption that all of these boxes are running the same
    Linux distribution - let's call it FooLinux Version 2.2. Like most
    distributions, it uses a package manager - not sure if it's 'apt',
    'rpm', 'upgradepkg' or 'yum' - but you could have gotten the pre-compiled
    binary in a package from the distributor, and installed that on all the
    boxes running FooLinux Version 2.2. If you _also_ have systems running
    BarLinux Version 1.2.3, it's not very likely that the FooLinux package
    would work there, but the one that BarLinux has made available for their
    distributions should pour right on to their systems. Now, how does this
    differ from what you are doing?

    >Cheers, and apologies if this is a dumb question but I don't know
    >anything about building software and dependencies and stuff I'm afraid.


    and it's also not really a security question, but hopefully it is answered.
    As long as all of your systems are running the same distribution and version,
    on the same type of hardware (i386 binaries don't work on the ppc or S/390),
    then there should be no problem. If the boxes differ, or the installed
    software differs, then all bets are off.

    Old guy

  3. Re: Deploying sendmail update

    In comp.os.linux.security markvr :
    > I'm fairly new to all this but about this Sendmail vuln:


    > I have a whole bunch of boxes to update. I've downloaded and built the
    > update from the sendmail site on one of the boxes OK.


    > Can I just copy this binary to all the other boxes or does it need to
    > be built individually on each and every box?


    > Cheers, and apologies if this is a dumb question but I don't know
    > anything about building software and dependencies and stuff I'm afraid.


    Firstly, most halfway recent distro sendmail in default
    configuration will only listen on localhost. So the problem can't
    be exploited remotely.

    You don't give any information about which distro you are
    running, it's usually a safe bet to install distro updates with
    the package manager/update client your distro provides.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 237: Plate voltage too low on demodulator tube

  4. Re: Deploying sendmail update

    Michael Heiming writes:

    >In comp.os.linux.security markvr :
    >> I'm fairly new to all this but about this Sendmail vuln:


    >> I have a whole bunch of boxes to update. I've downloaded and built the
    >> update from the sendmail site on one of the boxes OK.


    If the boxes are similar machines, the binaries can simply be installed on
    each of the boxes. The config files may need changing for each box.


    >> Can I just copy this binary to all the other boxes or does it need to
    >> be built individually on each and every box?


    Depends on the boxes. If one uses i386 chip and the other Motorola, then it
    has to be recompiled. If they are all Pentiums, then no.


    >> Cheers, and apologies if this is a dumb question but I don't know
    >> anything about building software and dependencies and stuff I'm afraid.


    >Firstly, most halfway recent distro sendmail in default
    >configuration will only listen on localhost. So the problem can't
    >be exploited remotely.


    >You don't give any information about which distro you are
    >running, it's usually a safe bet to install distro updates with
    >the package manager/update client your distro provides.


    >--
    >Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    >mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    >#bofh excuse 237: Plate voltage too low on demodulator tube


  5. Re: Deploying sendmail update

    "Old Guy" suggested a RPM etc. If you have been able to compile the
    sendmail source on one machine and if the rest are similar you can make
    your own RPM or apt etc. and just run it on each system.
    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  6. Re: Deploying sendmail update

    In comp.os.linux.security Unruh :
    > Michael Heiming writes:


    >>In comp.os.linux.security markvr :
    >>> I'm fairly new to all this but about this Sendmail vuln:


    >>> I have a whole bunch of boxes to update. I've downloaded and built the
    >>> update from the sendmail site on one of the boxes OK.


    > If the boxes are similar machines, the binaries can simply be installed on
    > each of the boxes. The config files may need changing for each box.


    Technical no problem, from an administrative point of view a
    nightmare, you want to use the package manager of your distro and
    perhaps additional tools. Of course the OP didn't mention which
    distro he's running, so one can't suggest anything further.

    My guess, there are lots of other updates, not only sendmail.


    >>Firstly, most halfway recent distro sendmail in default
    >>configuration will only listen on localhost. So the problem can't
    >>be exploited remotely.


    >>You don't give any information about which distro you are
    >>running, it's usually a safe bet to install distro updates with
    >>the package manager/update client your distro provides.


    Seems someone mention that already. ;-)

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 84: Someone is standing on the ethernet cable,
    causing a kink in the cable

  7. Re: Deploying sendmail update

    Begin --> Michael Heiming shouted Hoy...

    [putolin]

    >>>> I have a whole bunch of boxes to update. I've downloaded and built the
    >>>> update from the sendmail site on one of the boxes OK.

    >
    >> If the boxes are similar machines, the binaries can simply be installed
    >> on each of the boxes. The config files may need changing for each box.

    >
    > Technical no problem, from an administrative point of view a
    > nightmare, you want to use the package manager of your distro and
    > perhaps additional tools. Of course the OP didn't mention which
    > distro he's running, so one can't suggest anything further.



    There is another way to distribute your updates if you compile from a source
    tar ball

    Paco

    http://paco.sourceforge.net/

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy

  8. Re: Deploying sendmail update

    In comp.os.linux.security Baho Utot :
    > Begin --> Michael Heiming shouted Hoy...


    > [putolin]


    >>>>> I have a whole bunch of boxes to update. I've downloaded and built the
    >>>>> update from the sendmail site on one of the boxes OK.

    >>
    >>> If the boxes are similar machines, the binaries can simply be installed
    >>> on each of the boxes. The config files may need changing for each box.

    >>
    >> Technical no problem, from an administrative point of view a
    >> nightmare, you want to use the package manager of your distro and
    >> perhaps additional tools. Of course the OP didn't mention which
    >> distro he's running, so one can't suggest anything further.



    > There is another way to distribute your updates if you compile from a source
    > tar ball


    > Paco


    > http://paco.sourceforge.net/


    This is intended for LFS systems, seems doubtable while not
    impossible the OP has one? With rpm based system you'd
    roll/rebuild your own rpm or if building from .spec doesn't work
    for you use checkinstall to ease things up.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 288: Hard drive sleeping. Let it wake up on
    it's own...

  9. Re: Deploying sendmail update

    Begin --> Michael Heiming shouted Hoy...

    >
    >
    > In comp.os.linux.security Baho Utot :
    >> Begin --> Michael Heiming shouted Hoy...

    >
    >> [putolin]

    >
    >>>>>> I have a whole bunch of boxes to update. I've downloaded and built
    >>>>>> the update from the sendmail site on one of the boxes OK.
    >>>
    >>>> If the boxes are similar machines, the binaries can simply be installed
    >>>> on each of the boxes. The config files may need changing for each box.
    >>>
    >>> Technical no problem, from an administrative point of view a
    >>> nightmare, you want to use the package manager of your distro and
    >>> perhaps additional tools. Of course the OP didn't mention which
    >>> distro he's running, so one can't suggest anything further.

    >
    >
    >> There is another way to distribute your updates if you compile from a
    >> source tar ball

    >
    >> Paco

    >
    >> http://paco.sourceforge.net/

    >
    > This is intended for LFS systems, seems doubtable while not
    > impossible the OP has one? With rpm based system you'd
    > roll/rebuild your own rpm or if building from .spec doesn't work
    > for you use checkinstall to ease things up.
    >


    It is not just for LFS. You can use it on any system.
    You use it to track the files that a package installs and then use pacoball
    to create an archive (tarball) of the installed files. Then all you need
    to do is to unpack on the other systems


    Paco

    NAME
    paco - a source code package organizer

    SYNOPSIS
    paco [OPTIONS]
    paco -l [OPTIONS]
    paco -q

    DESCRIPTION
    Paco is a program to aid package management when installing packages
    from source code.

    When installing a package, paco can be used in log mode
    (with option -l) to wrap the installation command (e.g. "make install"), and
    log the created files. By default the log is stored in
    directory ’/var/log/paco’.

    Paco gets also some extended information about the package that is
    being installed (version, author, description, configure options...), and
    stores it into a log in directory ’/var/log/paco/_info’.

    Once some packages are installed and properly logged, paco can be
    used in list mode, which is the default, to display package information.
    Several options are provided to print the information in different
    formats.

    There are also options to remove packages, query for the owner of
    files, or maintain the package database.

    Mandatory arguments to long options are mandatory for short options
    too.


    PACOBALL

    NAME
    pacoball - Creates binary packages for installed (and logged by paco)
    packages.

    SYNOPSIS
    pacoball [OPTIONS]

    DESCRIPTION
    For each , pacoball creates a tarball (.tar.bz2
    or .tar.gz package) containing all the installed files.

    Leading slashes (’/’) are stripped from the filenames in the
    pacoballs. Thus they can be extracted using the -C tar option.

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy

  10. Re: Deploying sendmail update

    In comp.os.linux.security Baho Utot :
    > Begin --> Michael Heiming shouted Hoy...
    >>
    >> In comp.os.linux.security Baho Utot :
    >>> Begin --> Michael Heiming shouted Hoy...

    >>
    >>> [putolin]

    >>
    >>>>>>> I have a whole bunch of boxes to update. I've downloaded and built
    >>>>>>> the update from the sendmail site on one of the boxes OK.
    >>>>
    >>>>> If the boxes are similar machines, the binaries can simply be installed
    >>>>> on each of the boxes. The config files may need changing for each box.
    >>>>
    >>>> Technical no problem, from an administrative point of view a
    >>>> nightmare, you want to use the package manager of your distro and
    >>>> perhaps additional tools. Of course the OP didn't mention which
    >>>> distro he's running, so one can't suggest anything further.

    >>
    >>
    >>> There is another way to distribute your updates if you compile from a
    >>> source tar ball

    >>
    >>> Paco

    >>
    >>> http://paco.sourceforge.net/

    >>
    >> This is intended for LFS systems, seems doubtable while not
    >> impossible the OP has one? With rpm based system you'd
    >> roll/rebuild your own rpm or if building from .spec doesn't work
    >> for you use checkinstall to ease things up.
    >>


    > It is not just for LFS. You can use it on any system.
    > You use it to track the files that a package installs and then use pacoball
    > to create an archive (tarball) of the installed files. Then all you need
    > to do is to unpack on the other systems


    Sure you can, but why should you, if you have a rpm/apt based
    system? There's not much if any sense in using it.

    [..]

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 153: Big to little endian conversion error

  11. Re: Deploying sendmail update

    Hey, thanks for the answers.

    The boxes are running CentOS 4 and 3.5. There isn't an rpm or yum
    package for sendmail after 8.13.1 for CentOS 4. There is an rpm for
    Fedora Core, but if I try to install this it gives loads of dependency
    issues. eg:
    "Error: Missing Dependency: cracklib-dicts >= 2.8 is needed by package
    pam
    Error: Missing Dependency: python(abi) = 2.4 is needed by package
    ethereal
    Error: Missing Dependency: libpq.so.3 is needed by package dovecot
    Error: Missing Dependency: mkinitrd >= 4.2.15-1 is needed by package
    kernel
    ...."

    but there are about 50 of these lines for different packages.

    So as long as I build the sendmail binary on the same platform, it
    should be able to be copied into other systems without any problems?
    How are other people installing this update, or update software in
    general?

    Cheers!
    Mark


  12. Re: Deploying sendmail update

    In comp.os.linux.security markvr :
    > Hey, thanks for the answers.


    > The boxes are running CentOS 4 and 3.5. There isn't an rpm or yum
    > package for sendmail after 8.13.1 for CentOS 4. There is an rpm for


    There's no need! There's an update for RHEL/CentOS (3) available
    which fixes the problems. Patches have been back ported to the
    sendmail release RHEL 3 uses. Simply install the update via yum,
    dunno why you are over complicating things?

    Iirc just explained the same question in comp.mail.sendmail a few
    days ago, just take a look, if curious.

    According to /var/log/yum.log things were automatically updated
    during running yum from cron.daily:

    Mar 23 04:53:39 Updated: sendmail-devel 8.12.11-4.RHEL3.4.i386
    Mar 23 04:53:39 Updated: sendmail-cf 8.12.11-4.RHEL3.4.i386
    Mar 23 04:53:39 Updated: sendmail 8.12.11-4.RHEL3.4.i386

    > but there are about 50 of these lines for different packages.


    Don't use patches from another distribution.

    > So as long as I build the sendmail binary on the same platform, it
    > should be able to be copied into other systems without any problems?
    > How are other people installing this update, or update software in
    > general?


    Others simply enter 'yum update' or even run it from cron.

    Good luck

    BTW
    Please try below URL(s) before answering, most people aren't
    using a browser here to read/write, this is usenet.

    http://www.safalra.com/special/googlegroupsreply
    http://cfaj.freeshell.org/google

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 338: old inkjet cartridges emanate barium-based
    fumes

  13. Re: Deploying sendmail update

    I did do a
    >yum update sendmail

    as the 1st thing I tried and it said there were no updates to install
    so I took this to mean that CentOS were dragging their feet and hadn't
    updated the package.

    Hence grabbing at straws and trying the fedora core yum repo, and then
    building it from the source.

    After searching around the CentOS site, it seems that doing a
    >yum update sendmail/*

    has picked up the update. I was also slightly confused because they
    backport it (I know what that means now!!) so the version number
    doesn't change which I hadn't realised at first.

    I know this is now going off topic (apologies). If CentOS have got both
    the security patches, AND the latest version of sendmail in the repo,
    how would you update JUST the security patches, vs update the whole
    version to the latest?

    I'll go and have a look at the comp.mail.sendmail post as well.

    Cheers for the help!
    Mark

    Michael Heiming wrote:
    > In comp.os.linux.security markvr :
    > > Hey, thanks for the answers.

    >
    > > The boxes are running CentOS 4 and 3.5. There isn't an rpm or yum
    > > package for sendmail after 8.13.1 for CentOS 4. There is an rpm for

    >
    > There's no need! There's an update for RHEL/CentOS (3) available
    > which fixes the problems. Patches have been back ported to the
    > sendmail release RHEL 3 uses. Simply install the update via yum,
    > dunno why you are over complicating things?
    >
    > Iirc just explained the same question in comp.mail.sendmail a few
    > days ago, just take a look, if curious.
    >
    > According to /var/log/yum.log things were automatically updated
    > during running yum from cron.daily:
    >
    > Mar 23 04:53:39 Updated: sendmail-devel 8.12.11-4.RHEL3.4.i386
    > Mar 23 04:53:39 Updated: sendmail-cf 8.12.11-4.RHEL3.4.i386
    > Mar 23 04:53:39 Updated: sendmail 8.12.11-4.RHEL3.4.i386
    >
    > > but there are about 50 of these lines for different packages.

    >
    > Don't use patches from another distribution.
    >
    > > So as long as I build the sendmail binary on the same platform, it
    > > should be able to be copied into other systems without any problems?
    > > How are other people installing this update, or update software in
    > > general?

    >
    > Others simply enter 'yum update' or even run it from cron.
    >
    > Good luck
    >
    > BTW
    > Please try below URL(s) before answering, most people aren't
    > using a browser here to read/write, this is usenet.
    >
    > http://www.safalra.com/special/googlegroupsreply
    > http://cfaj.freeshell.org/google
    >
    > --
    > Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    > mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    > #bofh excuse 338: old inkjet cartridges emanate barium-based
    > fumes
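
An added example, not part of the thread: because a backported fix leaves the upstream version (8.12.11) unchanged and only changes the release field, a fleet check has to compare the full version-release string rather than the version alone. The sketch below parses yum.log lines in the format quoted above and classifies each host; the expected build is the string from those quoted log lines, while the host names, host_b's release string and host_c's log are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit yum.log records for a backported sendmail update.
# EXPECTED is the build string shown in the yum.log lines quoted in the thread.
EXPECTED='8.12.11-4.RHEL3.4.i386'

# Print version-release.arch of the most recent Installed:/Updated: entry
# for exactly package $1 (so sendmail-cf does not match), reading stdin.
last_build() {
    awk -v pkg="$1" '
        ($4 == "Updated:" || $4 == "Installed:") && $5 == pkg { build = $6 }
        END { if (build != "") print build }'
}

# Split "version-release.arch" into three space-separated fields.
split_build() {
    vr=${1%.*}                                   # drop the trailing ".arch"
    printf '%s %s %s\n' "${vr%%-*}" "${vr#*-}" "${1##*.}"
}

# Classify the sendmail record in a yum.log (stdin) against build $1.
classify() {
    got=$(last_build sendmail)
    if [ -z "$got" ]; then
        echo "no-yum-record"     # yum never touched it: hand-built or copied?
        return 0
    fi
    if [ "$got" = "$1" ]; then
        echo "patched"
        return 0
    fi
    # $1..$3 = expected version/release/arch, $4..$6 = what the log shows
    set -- $(split_build "$1") $(split_build "$got")
    if [ "$3" != "$6" ]; then
        echo "wrong-arch $6"
    elif [ "$1" = "$4" ]; then
        # The backport trap: version looks identical, only the release differs.
        echo "same-version-other-release $5"
    else
        echo "different-version $4-$5"
    fi
}

# Constructed sample logs. host_a repeats the lines quoted in the thread;
# host_b's release string and host_c's package are made up.
log_host_a() { cat <<'EOF'
Mar 23 04:53:39 Updated: sendmail-devel 8.12.11-4.RHEL3.4.i386
Mar 23 04:53:39 Updated: sendmail-cf 8.12.11-4.RHEL3.4.i386
Mar 23 04:53:39 Updated: sendmail 8.12.11-4.RHEL3.4.i386
EOF
}
log_host_b() { cat <<'EOF'
Jan 10 04:12:01 Updated: sendmail 8.12.11-4.RHEL3.1.i386
EOF
}
log_host_c() { cat <<'EOF'
Mar 23 04:53:40 Updated: examplepkg 1.0-1.i386
EOF
}

audit_all() {
    for h in host_a host_b host_c; do
        printf '%s: %s\n' "$h" "$("log_$h" | classify "$EXPECTED")"
    done
}
audit_all
```

A host reported as `no-yum-record` is the case the thread warns about: a binary built or copied by hand is invisible to the package manager and will not be picked up by later `yum update` runs.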



  14. Re: Deploying sendmail update

    Begin --> Michael Heiming shouted Hoy...

    [putolin]

    >> It is not just for LFS. You can use it on any system.
    >> You use it to track the files that a package installs and then use
    >> pacoball
    >> to create an archive (tarball) of the installed files. Then all you need
    >> to do is to unpack on the other systems

    >
    > Sure you can, but why should you, if you have a rpm/apt based
    > system? There's not much if any sense in using it.
    >
    > [..]
    >


    rpm gives me fits. I'd rather compile my own and not have the dependency
    problems.

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy

  15. Re: Deploying sendmail update

    On Tue, 28 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Baho Utot wrote:

    >rpm gives me fits. I'd rather compile my own and not have the dependency
    >problems.


    What color is the sun in the universe you live in? You will ALWAYS have
    dependencies - even in compiling "hello.c"

    >mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'


    That depends on having perl, though I can obviously use 'tr' and save
    six keystrokes.

    Old guy

  16. Re: Deploying sendmail update

    Begin --> Moe Trin shouted Hoy...

    >
    >
    > On Tue, 28 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in
    > article , Baho Utot wrote:
    >
    >>rpm gives me fits. I'd rather compile my own and not have the dependency
    >>problems.

    >
    > What color is the sun in the universe you live in? You will ALWAYS have
    > dependencies - even in compiling "hello.c"


    You misled my point.

    Anyway, I bet hello.c will compile just fine on my system,

    #include <stdio.h>
    int main() { printf("hello.c"); return 0;}

    >
    >>mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'

    >
    > That depends on having perl, though I can obviously use 'tr' and save
    > six keystrokes.
    >
    > Old guy


    Your copy&paste not working?

    Old Fart

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy

  17. Re: Deploying sendmail update

    On Tue, 28 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <9tqof3-f8d.ln1@mindanao.kumusta.org>, Baho Utot wrote:

    >> What color is the sun in the universe you live in? You will ALWAYS have
    >> dependencies - even in compiling "hello.c"

    >
    >You misled my point.


    No.

    >Anyway, I bet hello.c will compile just fine on my system,


    That may be, but it won't compile on any of our servers, and 90+ percent
    of our workstations because they don't have a compiler installed, and that
    is intentional. Not everyone installs one by default.

    >> That depends on having perl, though I can obviously use 'tr' and save
    >> six keystrokes.


    >Your copy&paste not working?


    copy&paste isn't going to install /usr/bin/perl if it's not there, and
    we don't run X on our servers, so copy&paste isn't going to be very
    easy. On the other hand, most news tools EBG13 with a few keystrokes.

    Old guy

  18. Re: Deploying sendmail update

    Begin --> Moe Trin shouted Hoy...

    >
    >
    > On Tue, 28 Mar 2006, in the Usenet newsgroup comp.os.linux.security, in
    > article <9tqof3-f8d.ln1@mindanao.kumusta.org>, Baho Utot wrote:
    >
    >>> What color is the sun in the universe you live in? You will ALWAYS have
    >>> dependencies - even in compiling "hello.c"

    >>
    >>You misled my point.

    >
    > No.


    Yes you indeed did

    >
    >>Anyway, I bet hello.c will compile just fine on my system,

    >
    > That may be, but it won't compile on any of our servers, and 90+ percent
    > of our workstations because they don't have a compiler installed, and that
    > is intentional. Not everyone installs one by default.


    So, what's the point?
    I don't have gcc compilers installed on my servers either. That's why I use
    paco to build a tarball of the installed files and then unpack them on the
    server. I could have used rsync but a tarball is easier

    >
    >>> That depends on having perl, though I can obviously use 'tr' and save
    >>> six keystrokes.

    >
    >>Your copy&paste not working?

    >
    > copy&paste isn't going to install /usr/bin/perl if it's not there, and
    > we don't run X on our servers, so copy&paste isn't going to be very
    > easy. On the other hand, most news tools EBG13 with a few keystrokes.
    >


    What does X have to do with this????

    Why would you be using your server to view this????

    I believe perl *IS* on your desktop isn't it

    > Old guy


    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy

  19. Re: Deploying sendmail update

    Baho Utot wrote:

    > rpm gives me fits. I'd rather compile my own and not have the dependency
    > problems.


    This is a defensible[1] philosophy, but would be a bit anomalous in
    someone running CentOS, as is the querent.

    [1] Provided you trust to the security and quality control of the
    upstream maintainers, which is often a bad idea -- and don't need to
    spend time customising to suit your local distribution's way of doing
    things, which you often do. Those are some of the reasons distributions
    have package maintainers.

    --
    Cheers,
    Rick Moen Habetis bona deum.
    rick@linuxmafia.com
