Bugzilla – Bug 881284
VUL-0: CVE-2014-3956: sendmail: Not properly closing file descriptors before executing programs
Last modified: 2014-07-15 08:59:05 UTC
Upstream released version 8.14.9 of sendmail, which fixes one security-related bug by properly closing file descriptors (except stdin, stdout, and stderr) before executing programs.
Possible patch: https://bugzilla.redhat.com/attachment.cgi?id=900848&action=diff
References:
  http://www.sendmail.com/sm/open_source/download/8.14.9/?show_rs=1
  https://bugzilla.redhat.com/show_bug.cgi?id=1102174
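The fix described in the report, keeping only stdin, stdout and stderr across an exec, can be illustrated as follows. This is an added example, not sendmail's code or the upstream patch; the function names `cloexec_from` and `survives_exec` are hypothetical, and it assumes a system with `/dev/fd` and `/bin/sh`.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on every open descriptor >= lowfd; lowfd 3 keeps stdin, stdout
 * and stderr inheritable. Assumes /dev/fd lists this process's descriptors. */
int cloexec_from(int lowfd)
{
    DIR *d = opendir("/dev/fd");
    struct dirent *e;
    int rc = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        int fd, flags;
        /* skip ".", ".." and the descriptors we deliberately keep */
        if (sscanf(e->d_name, "%d", &fd) != 1 || fd < lowfd) continue;
        flags = fcntl(fd, F_GETFD);
        if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            rc = -1;             /* report failure, keep marking the rest */
    }
    closedir(d);
    return rc;
}

/* 1 if fd is still open in a program started by fork+exec, 0 if exec closed it,
 * -1 on error. The probe command is constructed for this example. */
int survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, "[ -e /dev/fd/%d ]", fd);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) > 1 ? -1 : WEXITSTATUS(status) == 0;
}

int main(void)
{
    int fd = open("/dev/null", O_WRONLY);   /* stands in for a leaked descriptor */
    printf("inherited before marking: %d\n", survives_exec(fd));
    printf("cloexec_from(3) returned: %d\n", cloexec_from(3));
    printf("inherited after marking:  %d\n", survives_exec(fd));
}
```

Calling the marking routine immediately before the exec covers descriptors opened by library code as well as the caller's own; opening files with `O_CLOEXEC` in the first place removes the window entirely.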
This is already part of openSUSE Factory and SLES-12. Besides this, sendmail is not the default MTA ... AFAIK this is postfix.
sendmail-8.12.11 of sendmail.SUSE_SLE-9-SP3 is not affected, as the function sm_close_on_exec() does not exist; that is, the code is done correctly as normal code.
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2014-07-02. When done, reassign the bug to security-team@suse.de.
  https://swamp.suse.de/webswamp/wf/57687
Affected packages:
  SLE-11-SP3: sendmail
  SLE-10-SP3-TERADATA: sendmail
  SLE-9-SP3-TERADATA: sendmail
SLE-9-SP3-TERADATA: sendmail is *NOT* affected!
  SR #236230 -- 13.1
  SR #236231 -- 12.3
  SR #39009 -- SLE-10-SP3
  SR #39010 -- SLE-11
This is an autogenerated message for OBS integration: This bug (881284) was mentioned in
  https://build.opensuse.org/request/show/236230 13.1 / sendmail
  https://build.opensuse.org/request/show/236231 12.3 / sendmail
bugbot adjusting priority
openSUSE-SU-2014:0805-1: An update that fixes one vulnerability is now available.
  Category: security (moderate)
  Bug References: 881284
  CVE References: CVE-2014-3956
  Sources used:
    openSUSE 11.4 (src): sendmail-8.14.4-64.1
Update released for: rmail, sendmail, sendmail-debuginfo, sendmail-debugsource, sendmail-devel, uucp, uucp-debuginfo, uucp-debugsource
  Products:
    SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
    SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: sendmail, sendmail-debuginfo, sendmail-devel, uucp
  Products:
    SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
    SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: rmail, sendmail, sendmail-debuginfo, sendmail-debugsource, sendmail-devel, uucp, uucp-debuginfo, uucp-debugsource
  Products:
    SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
    SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
    SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
    SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0872-1: An update that fixes one vulnerability is now available.
  Category: security (low)
  Bug References: 881284
  CVE References: CVE-2014-3956
  Sources used:
    SUSE Linux Enterprise Software Development Kit 11 SP3 (src): sendmail-8.14.3-50.24.1
    SUSE Linux Enterprise Server 11 SP3 for VMware (src): sendmail-8.14.3-50.24.1
    SUSE Linux Enterprise Server 11 SP3 (src): sendmail-8.14.3-50.24.1
fixed