Subject: Advisories on recent Sendmail and Postfix vulnerabilities?
To: None <tech-security@netbsd.org>
From: Kai Puolamaki <kai.puolamaki@iki.fi>
List: tech-security
Date: 10/02/2003 12:24:57

The Sendmail shipping with NetBSD 1.6.1 has a buffer overflow in the
address parsing that may be remotely exploitable.¹ The fix seems to
have been committed to CVS on 18 September 2003. Shouldn't there be a
security advisory on this...?

(There is also a remote denial of service vulnerability in Postfix²
under non-default configuration shipping with 1.6.1. The vulnerability
has been fixed in CVS on 19 August 2003 but no advisory has been
issued.)


¹ http://www.cert.org/advisories/CA-2003-25.html
² http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0540