Subject: Re: New CERT advisory for sendmail pre 8.13.6
To: Ed Ravin <email@example.com>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 03/22/2006 15:41:17
On Wed, Mar 22, 2006 at 03:31:25PM -0500, Ed Ravin wrote:
> I presume that by now most of the folks on this list have heard of
> the CERT advisory on Sendmail. According to the vulnerability notes:
> NetBSD is listed as "unknown". Can anyone provide better information?
We ship sendmail in a configuration that does not listen on the network;
but we do, in fact, ship a version to which the advisory applies. So the
answer is basically "yes, if you configure the sendmail we ship so that it
listens on the network; no, if not (which is how we ship it)".
> Did the NetBSD project or security officer get an early notice?
I don't know whether security-officer received an early notice; you'll
have to check with them. The developers as a group were just discussing
what to do about this particular vulnerability, actually, based on the
ISS announcement, when the CERT advisory was released.
Thor Lancelot Simon email@example.com
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart