These instructions show you how to install the sendmail patch on NeXT and Intel-based computers running NEXTSTEP™ Release 3.1 or Release 3.2. The patch is distributed in an Installer package file named SendmailPatch.pkg.
DISCUSSION
Installing Update 1 of the Sendmail Patch for NEXTSTEP Release 3.1 & 3.2
Two versions of sendmail are provided with NEXTSTEP Release 3.1 and 3.2: sendmail (version 5.67) and sendmail.old (version 5.52). Late last year, the Computer Emergency Response Team (CERT) identified a handful of security problems with NeXT's versions of sendmail. These problems are described in CERT Advisories CA-93:16 and CA-93:16A. SendmailPatch.pkg contains copies of sendmail and sendmail.old that fix these security problems.
1. If you received the SendmailPatch.pkg file via NeXTmail™ or another electronic source, place a copy of the file in a location where you can access it when you log in as root.
2. Log in as root.
Only the superuser, root, can install the package. If you're not sure how to log in as root, see your system administrator.
3. If you received the SendmailPatch.pkg file on a floppy disk, insert the disk in the floppy disk drive and choose Check for Disks from the Workspace Manager™ application's Disk menu. When the disk icon appears in the File Viewer, double-click it to open it.
4. Double-click the SendmailPatch.pkg file.
5. Click the Install button in the Installer package window. When the panel asks you what kinds of computers you want to install the software for, select the kind of computer you're using and click Install. Then click Continue in the panel that warns you you're about to overwrite existing files.
6. When the installation is complete, choose Quit from the Installer menu.
7. Choose Log Out from the Workspace menu and then click the Restart button in the Login window.
Note: You must restart your computer after installing the package.
The next time you start up your computer, it will take advantage of the new versions of sendmail.
For more information about CERT advisories, contact CERT. Past advisories, information about FIRST representatives, and other information related to computer security are available by anonymous FTP from info.cert.org. You can also contact CERT at:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.org
Telephone: (412) 268-7090 (24-hour hotline).
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
For information about logging in and out, the Workspace Manager application, and the Installer application, see the NEXTSTEP User's Guide. For more information about sendmail, see the NEXTSTEP Network and System Administration book.
ADDENDUM:
The sendmail patch NeXT recently made available does not update the entire sendmail subsystem. In the original system software release, the files /usr/bin/mailq and /usr/bin/newaliases are hard links to the same file (i-node) as /usr/lib/sendmail. The patch replaces only the file called /usr/lib/sendmail, and does not affect the other two links. This leaves a system with the patch installed still open to some of the vulnerabilities addressed by the patch.
(/usr/bin/mailq provides a summary of the messages in the message queue, and /usr/bin/newaliases regenerates the flat-file aliases database, which is referenced by sendmail.)
To close the vulnerabilities, follow the steps below.
1. Either log in as root and run the Terminal application, or, in a Terminal window, su to root.
2. Run the following commands (you type what follows the # prompt):
    rhino-6# cd /usr/bin
    rhino-7# rm mailq newaliases
    rhino-8# ln -s ../lib/sendmail mailq
    rhino-9# ln -s ../lib/sendmail newaliases
3. It is not necessary to reboot the computer, nor to restart the sendmail daemon.
The result of this procedure is to replace the old mailq and newaliases with relative symbolic links to the new sendmail.
This procedure should be performed on all NEXTSTEP computers on which the sendmail patch has been installed. Failure to complete the installation according to these instructions can result in your system remaining open to some of the vulnerabilities which the sendmail patch addresses.
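
To confirm on each machine that the addendum has been applied, the following shell check is an added example (not part of NeXT's original note or package). It reports whether mailq and newaliases resolve to the same i-node as the current sendmail. The function names and the ROOT prefix argument are assumptions made for illustration, the scratch tree is constructed sample data, and /usr/bin and /usr/lib are assumed to be on one filesystem.

```shell
#!/bin/sh
# Added example (not NeXT's code): report mailq/newaliases entries that do
# not resolve to the current sendmail binary. ROOT is a hypothetical prefix
# so the check can run against a scratch tree; pass / on a real system.

# Print the inode of the file a path resolves to (symlinks followed).
inode_of() {
    ls -Lid "$1" 2>/dev/null | awk '{print $1}'
}

# check_links ROOT: one line per alias; returns 0 only if both aliases
# resolve to the same inode as ROOT/usr/lib/sendmail.
check_links() {
    root=${1%/}
    target="$root/usr/lib/sendmail"
    want=$(inode_of "$target")
    [ -n "$want" ] || { echo "MISSING $target"; return 2; }
    rc=0
    for name in mailq newaliases; do
        alias_path="$root/usr/bin/$name"
        got=$(inode_of "$alias_path")
        if [ "$got" = "$want" ]; then
            echo "OK     $alias_path"
        else
            echo "STALE  $alias_path (inode ${got:-none}, sendmail is $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed scratch tree in the post-install state: the aliases are hard
# links to the old binary and sendmail has been replaced (new inode).
make_patched_tree() {
    mkdir -p "$1/usr/bin" "$1/usr/lib"
    echo "old sendmail" > "$1/usr/lib/sendmail"
    ln "$1/usr/lib/sendmail" "$1/usr/bin/mailq"
    ln "$1/usr/lib/sendmail" "$1/usr/bin/newaliases"
    echo "patched sendmail" > "$1/usr/lib/sendmail.new"
    mv "$1/usr/lib/sendmail.new" "$1/usr/lib/sendmail"
}

# The relinking from step 2 of the addendum, applied under ROOT.
relink() {
    ( cd "$1/usr/bin" && rm -f mailq newaliases &&
      ln -s ../lib/sendmail mailq && ln -s ../lib/sendmail newaliases )
}

if [ $# -gt 0 ]; then check_links "$1"; fi
```

A STALE line means the entry still points at the pre-patch binary and the addendum steps have not been carried out on that machine.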