Add EN-15:08.sendmail.

This commit is contained in:
Xin LI 2015-06-18 05:43:44 +00:00
parent ea499f03a8
commit 0981bd3448
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=46837
4 changed files with 206 additions and 0 deletions

View file

@ -0,0 +1,157 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-15:08.sendmail Errata Notice
The FreeBSD Project
Topic: sendmail TLS/DH Interoperability Improvement
Category: contrib
Module: sendmail
Announced: 2015-06-18
Credits: Frank Seltzer, Gregory Shapiro
Affects: All supported versions of FreeBSD.
Corrected: 2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE)
2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17)
2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE)
2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
sendmail supports STARTTLS encrypted connections using DHE_EXPORT
ciphers. As part of that support, by default, sendmail employs 1024-bit
DH parameters for server connections and 512-bit DH parameters for
client connections.
II. Problem Description
In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and
other encryption packages have begun rejecting 512-bit and lower DH
parameters during negotiation, thereby reducing interoperability.
III. Impact
In its default configuration, client connections from sendmail to other
SMTP servers will not be able to negotiate a STARTTLS encrypted session
with SMTP servers which reject 512-bit DH parameters. This may cause
mail deliverability issues for outbound mail.
IV. Workaround
To work around this interoperability, sendmail can be configured to use
a 1024 or 2048 bit DH parameter using these steps:
1. Edit /etc/mail/`hostname`.mc
2. If a setting for confDH_PARAMETERS does not exist or
exists and is set to a string beginning with '5',
replace it with '1' for 1024-bit or '2' for 2048-bit.
3. If a setting for confDH_PARAMETERS exists and is set to
a file path, create a new file with:
openssl dhparam -out /path/to/file 2048
for 2048-bit or:
openssl dhparam -out /path/to/file 1024
for 1024-bit.
4. If you have modified your MSP submission configuration
file to enable STARTTLS (not enabled by default), repeat
the above steps for /etc/mail/`hostname`.submit.mc.
5. Rebuild the .cf file(s):
cd /etc/mail/; make; make install
6. Restart sendmail:
cd /etc/mail/; make restart
Systems that do not use sendmail are not affected.
V. Solution
A change to the raise the default for sendmail client connections to
1024-bit DH parameters has been committed.
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc
# gpg --verify sendmail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the sendmail daemon(s), or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r284491
releng/8.4/ r284536
stable/9/ r284488
releng/9.3/ r284536
stable/10/ r284485
releng/10.1/ r284536
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.5 (FreeBSD)
iQIcBAEBCgAGBQJVgllYAAoJEO1n7NZdz2rnsY0QAIKcqNxRed97fvmxvL9kX1In
CpdKO0Cso8EhCDOKJzmSYR49QZc6CNtPflbgbK2wktiHptmK87R+xODyIWBR1q8T
peMoevr942gCUZzrA259cLaWJGC7MZer5G9SIsB7cnMJox/QcHmQysDONfu1PRjf
T8T3/q24230PnBBJpR1SNDMOPAc1YLMetEZ3ue72ToG9pd6gAXN8I9N1ZUPY/6dd
9/urhdQnxlX5RB3JnqujueJvCrcstInZ8grtKOmTfPSUcWGL++dwu6YH34ORwKDh
wiI8U+qyg1Lq5vGx6srDOkGAhiSbYi177PV1RCNTxY28yGVvhiiSnLSsIesZBcoB
pVYcefBJeqcXNuQC5jsGKHEbti9X3bhHnThOaOBOvrooEGcc7/DuP02BZiNOWDvV
3axT+iFzJdZ1sZktdUQl65zqVBSDASTFz5uG/nTUFASj0W4+vVEghy6FAxlf3aBO
eV9tqxeUozt0nSb/44n2u2GHRplWWS1KEE3N+skN5IT4RfZaNvTVtZ0s1fRv6Jum
YNut6TGiVIyTACP0JjS2TkGC3kdPrqweZSQ6xnfrgOSCS+3w2nR1aqaGJ3aCIm/b
9ixFFIW03LhBH2fl4Y68+CbAlIgGd0zigbRds1IGxRSUxR8AKBngqC+KQUFCOSnY
snl4x6f2t36abWYgneaP
=mvxv
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,24 @@
Index: contrib/sendmail/src/tls.c
===================================================================
--- contrib/sendmail/src/tls.c
+++ contrib/sendmail/src/tls.c
@@ -650,7 +650,7 @@
** 1024 generate 1024 bit parameters
** 2048 generate 2048 bit parameters
** /file/name read parameters from /file/name
- ** default is: 1024 for server, 512 for client (OK? XXX)
+ ** default is: 1024
*/
if (bitset(TLS_I_TRY_DH, req))
@@ -676,8 +676,8 @@
}
if (dhparam == NULL)
{
- dhparam = srv ? "1" : "5";
- req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+ dhparam = "1";
+ req |= TLS_I_DH1024;
}
else if (*dhparam == '/')
{

View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.5 (FreeBSD)
iQIcBAABCgAGBQJVglliAAoJEO1n7NZdz2rnAyoQAOEh0lpi5EEM5AkIOapisUzc
Rzd74KDnoPSe7o4WED5neaVpiaf5Z+erWUtXAZ2hcuDQqJi0YRSHJB9YrQxaSI0D
6IopQpsJqslC41Z4WKp13sGzfbANTYvmeKvrxOsz4q+YrzZpHKZYWwozjY0ZXQEK
QjnTNM+CBTZtvp4n+Avs9pPUfOXBqk/d7KDADnOOlai3NANBG3eZnfRSGNcyONBB
ogV8JPqDoubdwk/poNqXsu3aeWOzAAGnvtwhm7a03pxp+1iThmiGw/WRNQaADJq/
ZDMQhtlCSpyApunesf8qw5LW1KhNU4w2hepVruakUNjHpthTmSLy5NcU8Vw1nZiw
JB6XOT0TGoUhu7zR1uGsKRe1WlBKwSbHk5GNgU2ND4GM1RpViZ3O3dwjAXUXWlFg
WX2LaUt/VO6YM0+Q+PlpKaHHk5c5/vzKNb0SXhPbUzLuBhdo3OID+g5s0QVjE3+E
p34YLwqsL0+oGH7m1+ki62x9oA7PXHn4Y9ye+MSqcK40eTB16Jwx+7pFdIt7zdn8
20i1KaBK+zEkYaMpuhKECRBUFtb3sFMnvGj7li3LaRmcubB57J8Brs4mbrZb6spo
vkoBr2ntBPXhOeqzIa1eUgS+5DXsayjm7vn055AznzNqMe7wyA9MTEjZvMYcLAF6
tQxxZbHkTZ7xsFDp5gaU
=7zXU
-----END PGP SIGNATURE-----

View file

@ -10,6 +10,14 @@
<month>
<name>6</name>
<day>
<name>18</name>
<notice>
<name>FreeBSD-EN-15:08.sendmail</name>
</notice>
</day>
<day>
<name>9</name>