Add EN-15:08.sendmail.
This commit is contained in:
parent
ea499f03a8
commit
0981bd3448
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=46837
4 changed files with 206 additions and 0 deletions
157
share/security/advisories/FreeBSD-EN-15:08.sendmail.asc
Normal file
157
share/security/advisories/FreeBSD-EN-15:08.sendmail.asc
Normal file
|
@ -0,0 +1,157 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-EN-15:08.sendmail Errata Notice
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: sendmail TLS/DH Interoperability Improvement
|
||||
|
||||
Category: contrib
|
||||
Module: sendmail
|
||||
Announced: 2015-06-18
|
||||
Credits: Frank Seltzer, Gregory Shapiro
|
||||
Affects: All supported versions of FreeBSD.
|
||||
Corrected: 2015-06-17 02:39:10 UTC (stable/10, 10.1-STABLE)
|
||||
2015-06-18 05:36:45 UTC (releng/10.1, 10.1-RELEASE-p13)
|
||||
2015-06-17 03:11:25 UTC (stable/9, 9.3-STABLE)
|
||||
2015-06-18 05:36:45 UTC (releng/9.3, 9.3-RELEASE-p17)
|
||||
2015-06-17 03:22:18 UTC (stable/8, 8.4-STABLE)
|
||||
2015-06-18 05:36:45 UTC (releng/8.4, 8.4-RELEASE-p31)
|
||||
|
||||
For general information regarding FreeBSD Errata Notices and Security
|
||||
Advisories, including descriptions of the fields above, security
|
||||
branches, and the following sections, please visit
|
||||
<URL:https://security.freebsd.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
sendmail supports STARTTLS encrypted connections using DHE_EXPORT
|
||||
ciphers. As part of that support, by default, sendmail employs 1024-bit
|
||||
DH parameters for server connections and 512-bit DH parameters for
|
||||
client connections.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
In response to CVE-2015-4000 ("Logjam TLS vulnerability"), OpenSSL and
|
||||
other encryption packages have begun rejecting 512-bit and lower DH
|
||||
parameters during negotiation, thereby reducing interoperability.
|
||||
|
||||
III. Impact
|
||||
|
||||
In its default configuration, client connections from sendmail to other
|
||||
SMTP servers will not be able to negotiate a STARTTLS encrypted session
|
||||
with SMTP servers which reject 512-bit DH parameters. This may cause
|
||||
mail deliverability issues for outbound mail.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
To work around this interoperability, sendmail can be configured to use
|
||||
a 1024 or 2048 bit DH parameter using these steps:
|
||||
|
||||
1. Edit /etc/mail/`hostname`.mc
|
||||
2. If a setting for confDH_PARAMETERS does not exist or
|
||||
exists and is set to a string beginning with '5',
|
||||
replace it with '1' for 1024-bit or '2' for 2048-bit.
|
||||
3. If a setting for confDH_PARAMETERS exists and is set to
|
||||
a file path, create a new file with:
|
||||
openssl dhparam -out /path/to/file 2048
|
||||
for 2048-bit or:
|
||||
openssl dhparam -out /path/to/file 1024
|
||||
for 1024-bit.
|
||||
4. If you have modified your MSP submission configuration
|
||||
file to enable STARTTLS (not enabled by default), repeat
|
||||
the above steps for /etc/mail/`hostname`.submit.mc.
|
||||
5. Rebuild the .cf file(s):
|
||||
cd /etc/mail/; make; make install
|
||||
6. Restart sendmail:
|
||||
cd /etc/mail/; make restart
|
||||
|
||||
Systems that do not use sendmail are not affected.
|
||||
|
||||
V. Solution
|
||||
|
||||
A change to the raise the default for sendmail client connections to
|
||||
1024-bit DH parameters has been committed.
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your system to a supported FreeBSD stable or release / security
|
||||
branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your present system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
3) To update your present system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch
|
||||
# fetch https://security.FreeBSD.org/patches/EN-15:08/sendmail.patch.asc
|
||||
# gpg --verify sendmail.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Restart the sendmail daemon(s), or reboot the system.
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/8/ r284491
|
||||
releng/8.4/ r284536
|
||||
stable/9/ r284488
|
||||
releng/9.3/ r284536
|
||||
stable/10/ r284485
|
||||
releng/10.1/ r284536
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
The latest revision of this Errata Notice is available at
|
||||
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:08.sendmail.asc
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.1.5 (FreeBSD)
|
||||
|
||||
iQIcBAEBCgAGBQJVgllYAAoJEO1n7NZdz2rnsY0QAIKcqNxRed97fvmxvL9kX1In
|
||||
CpdKO0Cso8EhCDOKJzmSYR49QZc6CNtPflbgbK2wktiHptmK87R+xODyIWBR1q8T
|
||||
peMoevr942gCUZzrA259cLaWJGC7MZer5G9SIsB7cnMJox/QcHmQysDONfu1PRjf
|
||||
T8T3/q24230PnBBJpR1SNDMOPAc1YLMetEZ3ue72ToG9pd6gAXN8I9N1ZUPY/6dd
|
||||
9/urhdQnxlX5RB3JnqujueJvCrcstInZ8grtKOmTfPSUcWGL++dwu6YH34ORwKDh
|
||||
wiI8U+qyg1Lq5vGx6srDOkGAhiSbYi177PV1RCNTxY28yGVvhiiSnLSsIesZBcoB
|
||||
pVYcefBJeqcXNuQC5jsGKHEbti9X3bhHnThOaOBOvrooEGcc7/DuP02BZiNOWDvV
|
||||
3axT+iFzJdZ1sZktdUQl65zqVBSDASTFz5uG/nTUFASj0W4+vVEghy6FAxlf3aBO
|
||||
eV9tqxeUozt0nSb/44n2u2GHRplWWS1KEE3N+skN5IT4RfZaNvTVtZ0s1fRv6Jum
|
||||
YNut6TGiVIyTACP0JjS2TkGC3kdPrqweZSQ6xnfrgOSCS+3w2nR1aqaGJ3aCIm/b
|
||||
9ixFFIW03LhBH2fl4Y68+CbAlIgGd0zigbRds1IGxRSUxR8AKBngqC+KQUFCOSnY
|
||||
snl4x6f2t36abWYgneaP
|
||||
=mvxv
|
||||
-----END PGP SIGNATURE-----
|
24
share/security/patches/EN-15:08/sendmail.patch
Normal file
24
share/security/patches/EN-15:08/sendmail.patch
Normal file
|
@ -0,0 +1,24 @@
|
|||
Index: contrib/sendmail/src/tls.c
|
||||
===================================================================
|
||||
--- contrib/sendmail/src/tls.c
|
||||
+++ contrib/sendmail/src/tls.c
|
||||
@@ -650,7 +650,7 @@
|
||||
** 1024 generate 1024 bit parameters
|
||||
** 2048 generate 2048 bit parameters
|
||||
** /file/name read parameters from /file/name
|
||||
- ** default is: 1024 for server, 512 for client (OK? XXX)
|
||||
+ ** default is: 1024
|
||||
*/
|
||||
|
||||
if (bitset(TLS_I_TRY_DH, req))
|
||||
@@ -676,8 +676,8 @@
|
||||
}
|
||||
if (dhparam == NULL)
|
||||
{
|
||||
- dhparam = srv ? "1" : "5";
|
||||
- req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
|
||||
+ dhparam = "1";
|
||||
+ req |= TLS_I_DH1024;
|
||||
}
|
||||
else if (*dhparam == '/')
|
||||
{
|
17
share/security/patches/EN-15:08/sendmail.patch.asc
Normal file
17
share/security/patches/EN-15:08/sendmail.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.1.5 (FreeBSD)
|
||||
|
||||
iQIcBAABCgAGBQJVglliAAoJEO1n7NZdz2rnAyoQAOEh0lpi5EEM5AkIOapisUzc
|
||||
Rzd74KDnoPSe7o4WED5neaVpiaf5Z+erWUtXAZ2hcuDQqJi0YRSHJB9YrQxaSI0D
|
||||
6IopQpsJqslC41Z4WKp13sGzfbANTYvmeKvrxOsz4q+YrzZpHKZYWwozjY0ZXQEK
|
||||
QjnTNM+CBTZtvp4n+Avs9pPUfOXBqk/d7KDADnOOlai3NANBG3eZnfRSGNcyONBB
|
||||
ogV8JPqDoubdwk/poNqXsu3aeWOzAAGnvtwhm7a03pxp+1iThmiGw/WRNQaADJq/
|
||||
ZDMQhtlCSpyApunesf8qw5LW1KhNU4w2hepVruakUNjHpthTmSLy5NcU8Vw1nZiw
|
||||
JB6XOT0TGoUhu7zR1uGsKRe1WlBKwSbHk5GNgU2ND4GM1RpViZ3O3dwjAXUXWlFg
|
||||
WX2LaUt/VO6YM0+Q+PlpKaHHk5c5/vzKNb0SXhPbUzLuBhdo3OID+g5s0QVjE3+E
|
||||
p34YLwqsL0+oGH7m1+ki62x9oA7PXHn4Y9ye+MSqcK40eTB16Jwx+7pFdIt7zdn8
|
||||
20i1KaBK+zEkYaMpuhKECRBUFtb3sFMnvGj7li3LaRmcubB57J8Brs4mbrZb6spo
|
||||
vkoBr2ntBPXhOeqzIa1eUgS+5DXsayjm7vn055AznzNqMe7wyA9MTEjZvMYcLAF6
|
||||
tQxxZbHkTZ7xsFDp5gaU
|
||||
=7zXU
|
||||
-----END PGP SIGNATURE-----
|
|
@ -10,6 +10,14 @@
|
|||
<month>
|
||||
<name>6</name>
|
||||
|
||||
<day>
|
||||
<name>18</name>
|
||||
|
||||
<notice>
|
||||
<name>FreeBSD-EN-15:08.sendmail</name>
|
||||
</notice>
|
||||
</day>
|
||||
|
||||
<day>
|
||||
<name>9</name>
|
||||
|
||||
|
|
Loading…
Reference in a new issue