The List has returned!

Gerald Combs gerald at ethereal.com
Thu Jul 31 22:30:38 CDT 2003


On Thu, 31 Jul 2003, Frank Wiles wrote:

> On Thu, 31 Jul 2003 12:52:28 -0500 (CDT)
> Gerald Combs <gerald at ethereal.com> wrote:
> 
> > On Thu, 31 Jul 2003, Frank Wiles wrote:
> > 
> > >   Also, the days when Sendmail was a big security risk are pretty
> > >   much gone.  Yes I will admit it has had a checkered past, but
> > >   honestly how many Sendmail specific security holes have there been
> > >   in the last year? 
> > 
> > According to cve.mitre.org, there have been several:
> > 
> >   http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
> > 
> > Granted, most of these are specific to a particular OS or distribution
> > but at least one (CAN-2002-1337) features a remote buffer overflow.
> > 
> 
>   I see three listed for 2003, two of which appear to be distribution/OS
>   specific. The other is a DoS with possible execution of arbitrary commands.

Your initial query specified "within the last year."  CAN-2002-1337 (a
remote buffer overflow) was assigned by CVE in December 2002.  Sendmail
8.12.8, which fixes this bug, was released in March 2003.  Does this not
qualify?

>   Personally, I don't see this warranting the continued bad reputation
>   Sendmail has.  I've been running Sendmail in real world production
>   environments for years without any trouble. 

Congratulations.  You're fortunate to have something that works for you.  
My experience with Sendmail was quite the opposite.  I spent a good part
of the 90's having to write my own .cf rules and upgrading during early
morning maintenance periods to cover security holes.  It sucked out loud,
and it's precious time I'll never get back.

I run Postfix now.