A new race condition affecting versions of Sendmail prior to 8.13.6 has been announced. It could allow an attacker to execute code.

Links...
US-CERT posting
Sendmail patch
RedHat release
Vulnerability Note VU#834865
Sendmail contains a race condition
Overview
A race condition in Sendmail may allow a remote attacker to execute arbitrary code.
I. Description
Sendmail
Sendmail is a widely used mail transfer agent (MTA).

Mail Transfer Agents (MTA)

MTAs are responsible for sending and receiving email messages over the internet. They are also referred to as mail servers or SMTP servers.

The Problem

Sendmail contains a race condition caused by the improper handling of asynchronous signals. In particular, by forcing the SMTP server to have an I/O timeout at exactly the correct instant, an attacker may be able to execute arbitrary code with the privileges of the Sendmail process.

More information is available in the Sendmail version 8.13.6 release page and the Sendmail MTA Security Vulnerability Advisory.
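
The defensive pattern for the bug class described above, as an added example (not Sendmail's code and not taken from the advisory): an I/O timeout whose signal handler only sets a flag, so the timeout is handled in normal control flow instead of inside the handler. The name `read_with_timeout` and its return codes are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

static volatile sig_atomic_t timed_out;

/* The handler does one async-signal-safe thing: set a flag. It does not
 * longjmp(), allocate, free or log, so it cannot abandon the interrupted
 * code while heap or global state is half-updated. */
static void on_alarm(int sig) { (void)sig; timed_out = 1; }

static void set_timer_ms(long ms)   /* ms == 0 disarms the timer */
{
    struct itimerval it;
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    it.it_interval = it.it_value;   /* repeat, so a tick that lands just
                                       before read() is not lost */
    setitimer(ITIMER_REAL, &it, NULL);
}

/* Hypothetical helper: returns bytes read, 0 on EOF, -1 on error,
 * -2 on timeout. ms must be greater than zero. */
ssize_t read_with_timeout(int fd, void *buf, size_t len, long ms)
{
    struct sigaction sa, old;
    ssize_t n;
    int saved;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;       /* sa_flags stays 0: no SA_RESTART, */
    sigemptyset(&sa.sa_mask);       /* so read() fails with EINTR       */
    if (sigaction(SIGALRM, &sa, &old) < 0)
        return -1;

    timed_out = 0;
    set_timer_ms(ms);
    do {
        n = read(fd, buf, len);
    } while (n < 0 && errno == EINTR && !timed_out);
    saved = errno;
    set_timer_ms(0);                /* disarm before restoring handler */
    sigaction(SIGALRM, &old, NULL);
    errno = saved;

    return (n < 0 && timed_out) ? -2 : n;
}
```

Because the caller sees the timeout as an ordinary return value, any cleanup runs at a point where the program's data structures are known to be consistent.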

Considerations

Versions of Sendmail prior to 8.13.6 are affected.


II. Impact
A remote, unauthenticated attacker could execute arbitrary code with the privileges of the Sendmail process. If Sendmail is running as root, the attacker could take complete control of an affected system.
III. Solution
Upgrade
This issue is corrected in Sendmail version 8.13.6.

Patches to correct this issue in Sendmail versions 8.12.11 and 8.13.5 are also available.