-----BEGIN PGP SIGNED MESSAGE-----

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: procmail security update
Advisory ID:       RHSA-2017:3269-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3269
Issue date:        2017-11-28
CVE Names:         CVE-2017-16844
=====================================================================

1. Summary:

An update for procmail is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) -
aarch64, ppc64le

3. Description:

The procmail packages contain a mail processing tool that can be used to
create mail servers, mailing lists, sort incoming mail into separate
folders or files, preprocess mail, start any program upon mail arrival, or
automatically forward selected incoming mail.

Security Fix(es):

* A heap-based buffer overflow flaw was found in procmail's formail
utility. A remote attacker could send a specially crafted email that, when
processed by formail, could cause formail to crash or, possibly, execute
arbitrary code as the user running formail. (CVE-2017-16844)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1500070 - CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf
function in formisc.c

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
procmail-3.22-36.el7_4.1.src.rpm

x86_64:
procmail-3.22-36.el7_4.1.x86_64.rpm
procmail-debuginfo-3.22-36.el7_4.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
procmail-3.22-36.el7_4.1.src.rpm

ppc64:
procmail-3.22-36.el7_4.1.ppc64.rpm
procmail-debuginfo-3.22-36.el7_4.1.ppc64.rpm

ppc64le:
procmail-3.22-36.el7_4.1.ppc64le.rpm
procmail-debuginfo-3.22-36.el7_4.1.ppc64le.rpm

s390x:
procmail-3.22-36.el7_4.1.s390x.rpm
procmail-debuginfo-3.22-36.el7_4.1.s390x.rpm

x86_64:
procmail-3.22-36.el7_4.1.x86_64.rpm
procmail-debuginfo-3.22-36.el7_4.1.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
procmail-3.22-36.el7_4.1.src.rpm

aarch64:
procmail-3.22-36.el7_4.1.aarch64.rpm
procmail-debuginfo-3.22-36.el7_4.1.aarch64.rpm

ppc64le:
procmail-3.22-36.el7_4.1.ppc64le.rpm
procmail-debuginfo-3.22-36.el7_4.1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
procmail-3.22-36.el7_4.1.src.rpm

x86_64:
procmail-3.22-36.el7_4.1.x86_64.rpm
procmail-debuginfo-3.22-36.el7_4.1.x86_64.rpm
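
The package list above gives the fixed build (3.22-36.el7_4.1) but not a way to
tell, across a fleet, which hosts still run an older procmail. The script below
is an added example for that triage step; it is not Red Hat tooling and not
part of this advisory. It contains a simplified port of rpm's version
comparison (rpmvercmp: numeric segments compare numerically, alphabetic ones
lexically, a tilde sorts before everything; epoch and caret handling are
omitted, and procmail carries no epoch on RHEL 7). The inventory dictionary is
constructed sample output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
procmail`; the host names and the "pre-fix" and "later respin" release strings
are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Triage helper for RHSA-2017:3269: is the installed procmail at or above the
fixed build?  Added example, not Red Hat's own tooling."""
import re

# Fixed build from the advisory's Package List (identical on all RHEL 7 arches).
FIXED_VERSION = "3.22"
FIXED_RELEASE = "36.el7_4.1"

# A version string is split into numeric runs, alphabetic runs and tildes;
# every other character (., _, -, +) is only a separator.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified port of rpm's rpmvercmp(). Returns -1, 0 or 1 (a <, =, > b)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x is None and y is None:
            return 0
        # A tilde marks a pre-release: the side holding it is older, even
        # when the other side has already run out of segments.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        # More segments (with no tilde) means a newer version: 1.0 < 1.0.0.
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            c = (int(x) > int(y)) - (int(x) < int(y))   # numeric compare
        elif xd != yd:
            c = 1 if xd else -1                          # digits beat letters
        else:
            c = (x > y) - (x < y)                        # plain string compare
        if c:
            return c
        i += 1


def parse_nvr(nvr: str):
    """Split 'name-version-release' (no arch suffix) into its three parts."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def status(rpm_output: str) -> str:
    """Classify one line of rpm -q output as fixed / vulnerable / not installed."""
    line = rpm_output.strip()
    if line.startswith("package ") and line.endswith("not installed"):
        return "not installed"
    name, version, release = parse_nvr(line)
    if name != "procmail":
        raise ValueError(f"unexpected package name: {name}")
    # Compare version first, release only when the versions tie.
    c = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
    return "fixed" if c >= 0 else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map host name -> status for a dict of host -> rpm -q output."""
    return {host: status(out) for host, out in inventory.items()}


# CONSTRUCTED sample inventory (host names and non-fixed builds are assumed).
SAMPLE_INVENTORY = {
    "mx1": "procmail-3.22-36.el7_4.1",                 # exactly the fixed build
    "mx2": "procmail-3.22-36.el7",                     # assumed pre-fix build
    "mx3": "procmail-3.22-36.el7_4.2",                 # hypothetical later respin
    "mx4": "package procmail is not installed",        # rpm -q wording for absent
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:6} {verdict:14} {SAMPLE_INVENTORY[host]}")
```

On a real host, feed the script the output of the `rpm -q` query shown in the
lead-in rather than the sample dictionary; `rpm -K` on the downloaded RPM
checks the Red Hat GPG signature the advisory refers to before installation.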



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-16844
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.