CIAC INFORMATION BULLETIN

R-173: NetMail 3.52E Update

[Novell Document]

March 8, 2007 22:00 GMT

PROBLEM: A buffer overflow vulnerability exists in Novell NetMail.
PLATFORM: NetMail 3.52d
DAMAGE: May allow an attacker to execute arbitrary code.
SOLUTION: Upgrade to the appropriate version.

VULNERABILITY ASSESSMENT: The risk is LOW. May allow an attacker to execute arbitrary code.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-173.shtml
  ORIGINAL BULLETIN: http://download.novell.com/Download?buildid=sMYRODW09pw
  CVE: CVE-2007-1350

[***** Start Novell Document *****]


NetMail 3.52E Update

Patch Distribution Type:  Public

Name                    Size
license_agreement.txt   2.1 KB (2252)
netmail352e_lin.tgz     16.6 MB (17417212)
netmail352e_nw.zip      14.4 MB (15158134)
netmail352e_win.zip     14.5 MB (15236335)
readme.pdf              493.1 KB (504998)
readme_5002780.html     7.5 KB (7753)

Related Product(s)   Patch Status for Product   Superseded By
NetMail 3.5.2        Active

Platforms

Windows 2000 Server/2003/2003 Server Standard Edition, SUSE LINUX Enterprise Server 10/9, NetWare 6.5

Localizations

English

Readme

TID# 5002780
Revision: 1

Created: 2007-02-01 12:12:06
Distribution: Public

Details:

Overview:
NetMail 3.52e is a free update for NetMail 3.52. It contains fixes for software defects and configuration problems. This is a cumulative patch containing all the fixes in previous patches including NetMail 3.52e FTF 1 and FTF 2. You do not need to install any other NetMail 3.52 patch before installing NetMail 3.52e.

Installation:
Please refer to the included readme.pdf for platform specific installation instructions.

Known Problems and Limitations:
The webadmin binary distributed with this patch is incompatible with the old Nsure Audit webadmin plug-in. Please use the administration tool recommended by Nsure Audit to administer Nsure Audit. This webadmin binary is only intended to be used with NetMail plug-ins.

Security Fixes:

Fixed buffer overruns. These include issues identified in the following security alerts:
ZDI-CAN-133
ZDI-CAN-085
ZDI-CAN-086
ZDI-CAN-082
IDEF1651
IDEF1792
ZDI-CAN-076

Change Log:

Changes since 3.52D
1. Fixed buffer overruns. These include issues identified in the following security alerts:
ZDI-CAN-133, ZDI-CAN-085, ZDI-CAN-086, ZDI-CAN-082, IDEF1651, IDEF1792
Affected Binaries: nmapd, imapd, webadmin

2. Fixed buffer overruns in Windows version. See ZDI-CAN-076.

3. Fixed page fault by updating the OpenSSL libraries from version 0.9.6 to 0.9.8.
Affected Binaries: imapd, pop3d, modwebd, smtpd

4. Fixed issue where attendee status information may not be updated in the organizer's calendar.
Affected Binaries: mwcal, cal

5. Fixed issue where, under high load conditions, new messages received may be inappropriately delayed for delivery.
Affected Binaries: nmapd

6. Fixed page faults.
Affected Binaries: imapd, modwebd

7. Fixed CleanQ to have better performance and to better recover from errors.
Affected Platforms: Linux

8. Fixed issue that could cause random errors during IP reads.
Affected Platforms: Linux

9. Added log events for tracking activity of the proxy agent.
Affected Binaries: msgproxy

10. Added additional log events for tracking messages in the queue.
Affected Binaries: nmapd

11. Fixed syntax error in the Nsure Audit schema file (netmail.lsc) that prevented it from being imported. The Nsure Audit administration tool should be used to import this file.

12. Fixed queue agents to use the configured email address instead of userid@defaultdomain for the From field when creating new messages on behalf of a user.
Affected Binaries: rulesrv, forward

13. Fixed issue that prevented newer versions of the Firefox browser from uploading attachments.
Affected Binaries: modwebd

14. Fixed issue that prevented some browsers from recognizing MIME types when downloading attachments.
Affected Binaries: modwebd

15. Reduced the chance of two messages being assigned the same UIDL, a condition that would confuse POP clients.
Affected Binaries: nmapd

16. Disabled Nagle's algorithm for store connections.
Affected Binaries: nmapd

File Contents

Files Included          Size                  Date
netmail352e_lin.tgz     16.6 MB (17417212)    2007-01-03 16:26:06
netmail352e_nw.zip      14.4 MB (15158134)    2007-02-01 10:00:07
netmail352e_win.zip     14.5 MB (15236335)    2007-01-03 16:26:04
readme.pdf              493.1 KB (504998)     2007-01-03 15:33:06
readme_5002780.html     N/A                   2007-02-01 12:12:06

Superseded Patches

File                  Product         Patch                                       Status
nm352a_alias.exe      NetMail 3.5.2   NetMail Post-352A Alias Agent for Windows   Active
nm352a_alias.zip      NetMail 3.5.2   NetMail Post-352A Alias Agent for NetWare   Active
nm352a_alias.tgz      NetMail 3.5.2   NetMail Post-352A Alias Agent for Linux     Active
nm352e_ftf1_lx.tgz    NetMail 3.5.2   NetMail 3.52e FTF 1 for Linux               Active
nm352e_ftf1_nw.zip    NetMail 3.5.2   NetMail 3.52e FTF 1 for NetWare             Active
nm352e_ftf1_win.zip   NetMail 3.5.2   NetMail 3.52e FTF 1 for Windows             Active
nm352e_ftf2_nw.zip    NetMail 3.5.2   NetMail 3.52e FTF 2 for NetWare             Active
nm352e_ftf2_win.zip   NetMail 3.5.2   NetMail 3.52e FTF 2 for Windows             Active
nm352e_ftf2_lx.tgz    NetMail 3.5.2   NetMail 3.52e FTF 2 for Linux               Active



[***** End Novell Document *****]

   

CIAC wishes to acknowledge the contributions of Novell for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/