Subject: Re: New CERT advisory for sendmail pre 8.13.6
To: Ed Ravin <>
From: Thor Lancelot Simon <>
List: tech-security
Date: 03/22/2006 15:41:17

On Wed, Mar 22, 2006 at 03:31:25PM -0500, Ed Ravin wrote:
> I presume that by now most of the folks on this list have heard of
> the CERT advisory on Sendmail.  According to the vulnerability notes:
> NetBSD is listed as "unknown".  Can anyone provide better information?

We ship sendmail in a configuration that does not listen on the network;
but we do, in fact, ship a version to which the advisory applies.  So the
answer is basically "yes, if you configure the sendmail we ship so that it
listens on the network; no, if not (which is how we ship it)".

> Did the NetBSD project or security officer get an early notice?

I don't know whether security-officer received an early notice; you'll
have to check with them.  The developers as a group were just discussing
what to do about this particular vulnerability, actually, based on the
ISS announcement, when the CERT advisory was released.

  Thor Lancelot Simon

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart