
Sendmail Vulnerability

Frequent Advisor

Sendmail Vulnerability

Hi, we have an HP-UX 11.31 server with an SAP application running on it.

Issue details:
We are using Sendmail to receive incoming mail for the SAP application. We have received a security alert for Sendmail from the security team.

Alert: There is a bug in Sendmail that can allow anybody to send a crafted email with code that can give them root access.

We have Sendmail version 8.13.34 loaded in 11.31.
)#what /usr/sbin/sendmail | grep version
Sendmail version 8.13.3 - Revision 1.003:: HP-UX11.31 - 8th December,2008

)#swlist -l product | grep -i send
Sendmail C. Mail Transfer Protocol daemons and utilities

Does this version still have this bug, or do I need to update it to as per the reference given below?

Kindly help me with your inputs...

Thanks in Advance.
Valued Contributor

Re: Sendmail Vulnerability

This vulnerability only applies if you have STARTTLS enabled. I'm sending you the document so you can see exactly what the vulnerability is and decide how best to handle it.

This should answer all of your questions.

Rita C Workman
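
One way to check the STARTTLS condition mentioned in the reply above on the receiving side, as an added example that is not part of the original thread: an SMTP server that supports STARTTLS lists it as a keyword in its EHLO reply, so the functions below parse a reply captured from a manual SMTP session. The function names, sample replies and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a captured SMTP EHLO reply advertise STARTTLS?

# Reads an EHLO reply on stdin. Exit 0: STARTTLS listed, 1: not listed,
# 2: no complete 250 reply found in the input.
ehlo_offers_starttls() {
    awk '
        { sub(/\r$/, "") }                     # SMTP lines end in CRLF
        done { next }                          # ignore anything after the reply
        /^250[- ]/ {
            n++
            if (n > 1) {                       # line 1 is the greeting, not a keyword
                split(toupper(substr($0, 5)), f, /[ \t]+/)
                if (f[1] == "STARTTLS") found = 1
            }
            if (substr($0, 4, 1) == " ") done = 1   # "250 " ends the reply
        }
        END { if (!done) exit 2; exit(found ? 0 : 1) }
    '
}

# Prints offered / not-offered / incomplete for the reply text passed as $1.
starttls_status() {
    rc=0
    printf '%s\n' "$1" | ehlo_offers_starttls || rc=$?
    case $rc in
        0) echo "offered" ;;
        1) echo "not-offered" ;;
        *) echo "incomplete" ;;
    esac
}

# Constructed sample replies (not taken from the server in this thread).
SAMPLE_WITH_TLS='220 mail.example.test ESMTP Sendmail
250-mail.example.test Hello client.example.test, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-starttls
250 HELP'

SAMPLE_NO_TLS='220 mail.example.test ESMTP Sendmail
250-mail.example.test Hello client.example.test, pleased to meet you
250-8BITMIME
250 HELP'

echo "with TLS sample:    $(starttls_status "$SAMPLE_WITH_TLS")"
echo "without TLS sample: $(starttls_status "$SAMPLE_NO_TLS")"
```
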
Honored Contributor

Re: Sendmail Vulnerability

There was a fix done around mid-2010. Version
So anything from this version...on will have the fix.

Honored Contributor

Re: Sendmail Vulnerability

Always HAVE the latest SendMail version as best practice. Whatever your OS vendor provides as the latest should always be on your system.

Or if you BUILD your own Sendmail, always build from the latest Sendmail.Org sources.
Hakuna Matata

Favourite Toy:
AMD Athlon II X6 1090T 6-core, 16GB RAM, 12TB ZFS RAIDZ-2 Storage. Linux Centos 5.6 running KVM Hypervisor. Virtual Machines: Ubuntu, Mint, Solaris 10, Windows 7 Professional, Windows XP Pro, Windows Server 2008R2, DOS 6.22, OpenFiler
Frequent Advisor

Re: Sendmail Vulnerability

Hi Rick,
As per your suggestion the tests are successful. We shall decide on updating it to the latest version.