Sendmail critical security problem

from sendmail.org

Quote:

---

Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.12.9. It contains a fix for a critical security problem discovered by Michal Zalewski whom we thank for bringing this problem to our attention. Sendmail urges all users to either upgrade to sendmail 8.12.9 or apply a patch for your sendmail version. Remember to check the PGP signatures of patches or releases obtained via FTP or HTTP (to check the correctness of the patches in this announcement please verify the PGP signature of it). For those not running the open source version, check with your vendor for a patch.

---

yes, this is a new version 3/29/03 to fix a different problem

also see CERT® Advisory CA-2003-12 Buffer Overflow in Sendmail

Unfortunately as of the time of writing, Redhat haven't yet released an updated package.

I am really getting pissed off with Sendmail as it has the most vulnerabilities of any package ever. In its long and proud history, it's hosted at least two worms (the first one in 1988) and countless remote exploits in the wild. There is no evidence that this trend is going to stop.

Sadly my production environment currently uses Sendmail, for no other reason than it's the stock Redhat MTA. In the few months I've been running this system, this is the second time a remote vulnerability has come out for Sendmail.

I have used Qmail and Exim in the past. I am now considering moving to one of those for my production systems.

might i suggest postfix, it's very easy to configure, since my install of 7.3 i have yet to have a problem nor have any huge bugs with it.