Package: sendmail
Version: 8.7.5-4

See the recent CERT Advisory CA-96.20 for more information. It says that Debian is not vulnerable because it uses smail, but that's not completely true, smail is the default but sendmail is also available, and I'm not convinced that smail has no bugs - it's just that it is not as widely used and reviewed as sendmail...

The recommended fix is to upgrade to sendmail 8.7.6. Because I needed it and it is not available yet as a Debian package, I packaged it myself (using the Debian 8.7.5-4 diff; the only change was the new version number in debian.rules). Until the "real" release, the package is temporarily available from ftp://ftp.ists.pwr.wroc.pl/pub/linux/debian-local/

5e9de8e223c9c4f833697684d97b7b2d  sendmail-8.7.6-1.deb
01daf0115f3da981c2ecd25e699bcf94  sendmail-8.7.6-1.diff.gz
0f9ef40205226e7f56a17b9cdd3f87ed  sendmail-8.7.6-1.tar.gz

Note that I am not the official maintainer, and this package is not supported by me in any way. When the official package is available, I think it should go into the "stable" tree.

While we are at it: the CERT advisory recommends using smrsh (sendmail restricted shell) which is part of the sendmail source distribution - it is not part of the binary package, maybe it should?

Marek