https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271411#M609387 This vulnerability only applies if you have STARTTLS enabled. I'm sending you the document so you can see exactly what the vulnerability is and decide how best to handle it. <A href="http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02009860" target="_blank">http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02009860</A><BR /><BR />This should answer all of your questions.<BR /><BR />Rick Tue, 25 Jan 2011 14:13:02 GMT RickT_1 2011-01-25T14:13:02Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271410#M609386 Hi, we have a HPUX11.31 server with SAP application running on it.<BR /><BR />Issue details:<BR />We are using Sendmail to receive incoming mails to SAP application. We have received Security Alert for sendmail from security team.<BR /><BR />Alert: There is a bug in sendmail that can allow any body to send a crafted email with code that can give them root access.<BR /><BR />we have sendmail version 8.13.34 loaded in 11.31. <BR />)#what /usr/sbin/sendmail | grep version<BR /> Sendmail version 8.13.3 - Revision 1.003:: HP-UX11.31 - 8th December,2008<BR /><BR />)#swlist -l product | grep -i send<BR /> Sendmail C.8.13.3.4 Mail Transfer Protocol daemons and utilities<BR /><BR />Does this version still have this bug or do I need to update it to 8.13.3.5 as per the reference given below<BR /><BR /><A href="https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=SMAIL813" target="_blank">https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=SMAIL813</A><BR /><BR /><A href="https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813" target="_blank">https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SMAIL813</A><BR /><BR /><BR />Kindly help me with your inputs...<BR /><BR />Thanks in Advance. Tue, 25 Jan 2011 07:51:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271410#M609386 Venkatesan_5 2011-01-25T07:51:05Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271411#M609387 This vulnerability only applies if you have STARTTLS enabled. I'm sending you the document so you can see exactly what the vulnerability is and decide how best to handle it. <A href="http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02009860" target="_blank">http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02009860</A><BR /><BR />This should answer all of your questions.<BR /><BR />Rick Tue, 25 Jan 2011 14:13:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271411#M609387 RickT_1 2011-01-25T14:13:02Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271412#M609388 There was a fix done around mid-2010. Version 8.13.3.4.1.<BR />So anything from this version...on will have the fix.<BR /><BR />Regards,<BR />Rita Tue, 25 Jan 2011 14:13:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271412#M609388 Rita C Workman 2011-01-25T14:13:10Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271413#M609389 Always HAVE the latest SendMail version as best practice. WHatever your OS vendor provides as the latest should always be on your system.<BR /><BR />Or if you BUILD your own Sendmail, always build from the latest Sendmail.Org sources.<BR /> Tue, 25 Jan 2011 17:46:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271413#M609389 Zinky 2011-01-25T17:46:37Z https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271414#M609390 Hi Rick,<BR />As per your suggestion the tests are sucessful. We shall decide on updating it to the latest version. Fri, 28 Jan 2011 09:45:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/sendmail-vulnerability/m-p/5271414#M609390 Venkatesan_5 2011-01-28T09:45:09Z