FreeBSD Users: Time To Patch Sendmail Again
Barrett Lyon writes "The FreeBSD Project just submitted this security advisory out to the masses: "FreeBSD-SA-03:07.sendmail, a second sendmail header parsing buffer overflow." It seems that the overflow is not limited to FreeBSD and that there is currently no workaround "other than not using sendmail." Yet another good reason to run Qmail!"
Doesn't anyone on the /. team read before posting? This is the same hole that made the front page yesterday concerning the char to int conversion. Just because one of the BSDs finally acknowledged the issue, it deserves *another* front page story? Jeez... upgrade to sendmail 8.12.9 and get on w/ your life...
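The "char to int conversion" the reply above refers to is a sign-extension mistake: a byte with the high bit set, widened through a signed char, becomes a negative int and slips past checks written for the range 0..255. As an added illustration (constructed code, not sendmail's and not from any poster), here is a hypothetical header-token scanner in its buggy and corrected forms; the names widen_signed, widen_unsigned and scan_token are invented, and the explicit (signed char) cast stands in for a platform whose plain char is signed.

```c
#include <stddef.h>

/* Added illustration of the bug class named in the reply above: a header
 * byte widened to int through a signed char. Constructed code, not
 * sendmail's. The explicit (signed char) cast mimics a platform whose
 * plain char is signed (the common default on x86). */

/* Wrong widening: bytes 0x80..0xFF sign-extend to negative ints. */
static int widen_signed(char b) { return (signed char)b; }

/* Correct widening: always yields 0..255. */
static int widen_unsigned(char b) { return (unsigned char)b; }

/* Copy a header token into out[], refusing any 8-bit byte.
 * Returns the byte count copied, or -1 if a byte was refused or the
 * token does not fit. `widen` selects the conversion so the two
 * behaviours can be compared side by side. */
static int scan_token(const char *hdr, size_t len, char *out, size_t outlen,
                      int (*widen)(char))
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int c = widen(hdr[i]);
        /* Meant to reject 8-bit bytes. Through widen_signed, 0xE9 arrives
         * as -23, so this test never fires and the byte is accepted. */
        if (c >= 0x80)
            return -1;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Wrappers that scan a constructed token with each conversion. */
static int scan_buggy(const char *hdr, size_t len)
{
    char buf[32];
    return scan_token(hdr, len, buf, sizeof buf, widen_signed);
}

static int scan_fixed(const char *hdr, size_t len)
{
    char buf[32];
    return scan_token(hdr, len, buf, sizeof buf, widen_unsigned);
}
```

The same defect appears whenever a plain char is passed to the <ctype.h> functions, which are only defined for unsigned char values and EOF; casting to unsigned char first is the standard remedy.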
Just in case anyone's wondering, this is the same hole reported on Slashdot yesterday and reported in this CERT advisory.
I mention this because the FreeBSD posting doesn't explicitly mention which version of Sendmail this affects, but it does link to the CERT article.
I'll be amused when OpenBSD can run Linux apps in FreeBSD compatibility mode faster than FreeBSD can.
For those out there looking to replace sendmail, I suggest Exim.
It's extremely stable (we've been running it on our mail cluster for 326 days now with 0 seconds of downtime) and unlike sendmail it doesn't have a config file that looks like line noise.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.