Subject: Re: New CERT advisory for sendmail pre 8.13.6
To: Ed Ravin <eravin@panix.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 03/22/2006 15:41:17

On Wed, Mar 22, 2006 at 03:31:25PM -0500, Ed Ravin wrote:
> I presume that by now most of the folks on this list have heard of
> the CERT advisory on Sendmail. According to the vulnerability notes:
>
> http://www.kb.cert.org/vuls/id/834865
>
> NetBSD is listed as "unknown". Can anyone provide better information?

We ship sendmail in a configuration that does not listen on the network;
but we do, in fact, ship a version to which the advisory applies. So the
answer is basically "yes, if you configure the sendmail we ship so that it
listens on the network; no, if not (which is how we ship it)".

> Did the NetBSD project or security officer get an early notice?

I don't know whether security-officer received an early notice; you'll
have to check with them. The developers as a group were just discussing
what to do about this particular vulnerability, actually, based on the
ISS announcement, when the CERT advisory was released.

--
Thor Lancelot Simon tls@rek.tjls.com
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart