[Mimedefang] Sendmail 8.13.7 released

Jan-Pieter Cornet johnpc at xs4all.nl
Tue Jun 20 19:02:12 EDT 2006


On Thu, Jun 15, 2006 at 03:18:11PM +0200, Jan-Pieter Cornet wrote:
> Also: I have a patch against MIME::Parser to support a max_depth
> limit

I promised to get back on this. The patch is now available at:
http://www.xs4all.nl/~johnpc/MIME-tools-5.420-maxdepth.patch

This includes a test to test for both max_parts and max_depth.
max_parts was previously untested.

The patch adds a simple $parser->max_depth() method to the MIME::Parser
class, which can subsequently be invoked from MD. For example, a simple
patch (against MIMEDefang 2.57 :) is here:

http://www.xs4all.nl/~johnpc/mimedefang-maxmimedepth-2.57.patch

Note that this latter patch is pretty much untested, use at your
own risk. You'd at least need to set "$MaxMIMEDepth = 20;" in your
mimedefang-filter.

Based on code reviews of sendmail 8.13.6, 8.13.7 and the mime-nesting
milter release by sendmail, I believe that the above patches offer
you a suitable protection against the DoS attack for sendmail 8.13.6,
and very likely also for earlier versions.

However, there's no real replacement for upgrading to the latest and
greatest, of course. Also be aware that this patch is different from
the sendmail 8.13.7 behaviour. Sendmail 8.13.7 will pass deeply nested
MIME structures unaltered, while the proposed MIMEDefang and MIME-Tools
patches will reject such deeply nested messages.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
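
The depth limit discussed in the message above, as an added example that is not part of the original post and is not code from either patch: a non-recursive Python scanner that measures multipart nesting in a raw message and rejects it once a limit is exceeded. The names `mime_depth`, `build_nested` and `TooDeep` are hypothetical, the default of 20 mirrors the `$MaxMIMEDepth = 20` setting mentioned in the post, and only `multipart/*` containers are counted (an assumption; `message/rfc822` nesting is not tracked).

```python
import re

# Matches an unfolded Content-Type field that opens a multipart container.
MULTIPART_RE = re.compile(
    r'content-type:\s*multipart/.*?boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))',
    re.I | re.S)

class TooDeep(Exception):
    """Multipart nesting exceeded the configured limit."""

def mime_depth(raw, max_depth=20):
    """Return the deepest multipart nesting level; raise TooDeep past max_depth."""
    stack, deepest = [], 0            # open container boundaries, innermost last
    in_headers, field = True, ""      # a message starts with a header block
    for line in raw.replace("\r\n", "\n").split("\n"):
        if in_headers and line[:1] in (" ", "\t"):
            field += " " + line.strip()          # unfold a continuation line
            continue
        if in_headers:
            m = MULTIPART_RE.match(field)        # previous field is now complete
            if m:
                stack.append(m.group(1) or m.group(2))
                deepest = max(deepest, len(stack))
                if len(stack) > max_depth:
                    raise TooDeep(f"nesting depth {len(stack)} > {max_depth}")
            field, in_headers = line, line != ""  # blank line ends the headers
            continue
        if line.startswith("--"):
            tail = line[2:].rstrip()
            for i in range(len(stack) - 1, -1, -1):
                if tail == stack[i]:             # delimiter: next part begins
                    del stack[i + 1:]
                    in_headers, field = True, ""
                    break
                if tail == stack[i] + "--":      # close delimiter: container ends
                    del stack[i:]
                    break
    return deepest

def build_nested(levels):
    """Constructed sample input: `levels` multipart containers, one inside another."""
    out = ["From: sender@example.org", "Subject: constructed sample"]
    for i in range(levels):
        out += ["Content-Type: multipart/mixed;", f' boundary="b{i}"', "", f"--b{i}"]
    out += ["Content-Type: text/plain", "", "hello"]
    out += [f"--b{i}--" for i in reversed(range(levels))]
    return "\r\n".join(out) + "\r\n"
```

Because the scanner keeps its own explicit stack of boundaries, its call depth stays constant however deeply the message nests, so the check itself cannot be exhausted by the input it is screening.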


