Date: Tue, 4 Mar 2003 15:11:25 +0000
From: Matthew Seaman
To: Mike Loiterman
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Sendmail patch questions...

On Tue, Mar 04, 2003 at 06:14:49AM -0600, Mike Loiterman wrote:
>
> On Tuesday, March 04, 2003 2:20 AM Matthew Seaman wrote:
>
> > On Tue, Mar 04, 2003 at 04:22:49AM +0200, Giorgos Keramidas wrote:
> >
> >> PS: You can always upgrade to RELENG_4.  Gregory Neil Shapiro, the
> >> maintainer of Sendmail on FreeBSD, has already merged the latest
> >> Sendmail version (8.12.8) to the RELENG_4 branch.
> >
> > Actually, according to what I can see in a quick trawl through cvsweb,
> > he's MFC'd sendmail patches on all RELENG_x and RELENG_x_y branches
> > back to and including RELENG_3:
> >
> >     http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/sendmail/src/?sortby=date&only_with_tag=RELENG_3
> >
> > However, it seems that his modifications don't constitute a complete
> > upgrade to sendmail-8.12.8 except on RELENG_4 and HEAD.  Hence the
> > confusion over the binary updates given in the original security
> > alert.
> > Your sendmail binary will be immune to this attack if you've
> > built it out of a recently cvsup'd source tree or installed one of the
> > binary patches so that:
> >
> >    -- you're running sendmail-8.12.8 or better
> >
> >  or
> >
> >    -- the string 'Dropped invalid comments from header address'
> >       appears in the sendmail binary.
> >
> > Thanks to Claus Assmann for pointing out the second test.
> >
> >     Cheers,
> >
> >     Matthew
>
> Thanks Matt.  Few questions though:
>
> 1.  What is `BP'?

If you're talking about CVS tags that stands for "Branch Point" --
i.e. RELENG_4_7_BP marks the state of the sources at the point that the
RELENG_4_7 branch was created out of the RELENG_4 sources.  It's not a
particularly rewarding place to look for a fixed version of sendmail
though.

> 2.  I applied the patch and now I'm building world with my existing
> 4.4 sources.  Is this not `safe' as cvsuping and then building world?
> I'm not sure I understand the implications of not cvsuping, especially
> since the patch has been applied to 8.11.6 in the 4.4 branch.

There are different interpretations of "safe".  If you're running
production services on your machine and you can't afford the time to
run through regression tests and the like which you should do when
upgrading to a new OS version, then a conservative upgrade, like
applying the patches from the advisory or cvsup'ing to the latest
RELENG_4_4 sources sounds like a good idea.

On the other hand, if this is a personal machine and you can cope with
the sort of fallout you may encounter by doing a wholesale upgrade[*]
then generally, running the latest available 4.x version will give you
maximum benefit of all the development that's gone into the system
over the last year or so with minimum teething problems due to untried
code.

    Cheers,

    Matthew

[*] Not that FreeBSD upgrades tend to generate that much in terms of
fallout anyhow.
I can't remember the last time I broke a system or a software
package by attempting to upgrade.

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
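
The two tests given in the message (version 8.12.8 or better, or the string 'Dropped invalid comments from header address' present in the binary) can be scripted as below. This is an added example, not part of the original message; the function names are hypothetical, and the demo runs on constructed stand-in files rather than real sendmail binaries.

```shell
#!/bin/sh
# Added example: the two tests from the message above, as a script.
MARKER='Dropped invalid comments from header address'  # string quoted in the message
FIXED_VERSION='8.12.8'                                 # version named in the message

# version_ge A B: 0 if dotted version A >= B, 1 if A < B, 2 if not numeric.
version_ge() {
    case "$1$2" in ''|*[!0-9.]*) return 2 ;; esac
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
    done
    return 0
}

# sendmail_fixed BINARY [VERSION]: succeed if either test from the message holds.
# VERSION is whatever the installed sendmail reports (assumption: the caller
# supplies it); leave it empty to rely on the marker string alone.
sendmail_fixed() {
    _bin=$1; _ver=$2
    if [ -n "$_ver" ] && version_ge "$_ver" "$FIXED_VERSION"; then
        return 0
    fi
    # Fixed-string search of the raw file; LC_ALL=C avoids locale decoding issues.
    LC_ALL=C grep -F -q -- "$MARKER" "$_bin"
}

# Demo on constructed files: one carries the marker, one does not.
demo_dir=$(mktemp -d)
printf 'x\000\001%s\000tail' "$MARKER" > "$demo_dir/patched"
printf 'x\000\001nothing of interest\000' > "$demo_dir/unpatched"
for f in patched unpatched; do
    if sendmail_fixed "$demo_dir/$f" 8.11.6; then
        echo "$f (8.11.6): fixed"
    else
        echo "$f (8.11.6): NOT fixed"
    fi
done
rm -rf "$demo_dir"
```

Point BINARY at the actual sendmail executable rather than a wrapper that execs it, otherwise the marker search inspects the wrong file.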