
CERT Coordination Center


Sendmail fails to handle malformed multipart MIME messages

Vulnerability Note VU#146718

Original Release Date: 2006-06-15 | Last Revised: 2011-07-22

Overview

Sendmail does not properly handle malformed multipart MIME messages. This vulnerability may allow a remote, unauthenticated attacker to cause a denial-of-service condition.

Description

Sendmail

Sendmail is a widely used mail transfer agent (MTA).

Mail Transfer Agents (MTA)


MTAs are responsible for sending and receiving email messages over the internet. They are also referred to as mail servers or SMTP servers.

The Problem

Sendmail fails to properly handle malformed multipart MIME messages. This vulnerability may be triggered by sending a specially crafted message to a vulnerable Sendmail MTA.

Impact

This vulnerability will not cause the Sendmail server process to terminate. However, it may cause Sendmail to consume a large amount of system resources. Specifically, if a system writes uniquely named core dump files, this vulnerability may cause available disk space to be filled with core dumps, disrupting system operation and resulting in a denial-of-service condition.
Additionally, this vulnerability may cause queue runs to abort; if this situation were to occur, processing and delivery of queued messages would be prevented.

Solution

Upgrade Sendmail
This issue is corrected in Sendmail version 8.13.7.


The following workarounds were provided by Sendmail:

Limit message size

Limiting the maximum message size accepted by your server (via the sendmail MaxMessageSize option) will mitigate this vulnerability.

Remove stack size limit

If your operating system limits stack size, remove that limit. This will make the attack more difficult to accomplish, as it will require a very large message. Also, by limiting the maximum message size accepted by your server (via the sendmail MaxMessageSize option), you can eliminate the attack completely.

Configure your MTA to avoid the negative impacts listed above:

    • Disable core dumps.
    • Enable the ForkEachJob option at the cost of lower queue run performance and potentially a high number of processes.
    • Set QueueSortOrder to random, which will randomize the order jobs are processed. Note that with random queue sorting, the bad message will still be processed and the queue run aborted every time, but at a different, random spot.
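An added example (not from CERT or Sendmail): a Python check that reads the text of a sendmail.cf and reports which of the configuration workarounds above are active. The two sample configurations and the 10485760-byte limit are constructed for illustration; core-dump and stack-size limits are operating-system settings and are outside what this check covers.

```python
import re

# Active option lines in sendmail.cf look like "O Name=value".
# Lines that m4 emits as "#O Name=value" are comments (built-in default applies).
OPTION_RE = re.compile(r"^O\s+([A-Za-z][\w.]*)\s*(?:=\s*(.*?))?\s*$")

# Constructed sample: workaround options left commented out or at other values.
WEAK_CF = """\
# constructed sample, not a complete sendmail.cf
O QueueDirectory=/var/spool/mqueue
#O MaxMessageSize=0
#O ForkEachJob=False
O QueueSortOrder=priority
"""

# Constructed sample: the three sendmail-level workarounds applied.
# 10485760 is an illustrative limit, not a value taken from the advisory.
HARDENED_CF = """\
# constructed sample, not a complete sendmail.cf
O QueueDirectory=/var/spool/mqueue
O MaxMessageSize=10485760
O ForkEachJob=True
O QueueSortOrder=random
"""


def parse_options(cf_text):
    """Return {lowercased option name: value} for active option lines only."""
    options = {}
    for line in cf_text.splitlines():
        match = OPTION_RE.match(line)  # "#O ..." does not match, so it is skipped
        if match:
            options[match.group(1).lower()] = match.group(2) or ""
    return options


def is_true(value):
    """Boolean option values: assumes empty or a leading t/T/y/Y means true."""
    return value == "" or value[0] in "tTyY"


def audit_workarounds(cf_text):
    """Map each workaround option named in the advisory to True if it is in effect."""
    opts = parse_options(cf_text)
    size = opts.get("maxmessagesize", "0")
    return {
        # 0 or unset means no limit, so the size workaround is not active.
        "MaxMessageSize": size.isdigit() and int(size) > 0,
        "ForkEachJob": "forkeachjob" in opts and is_true(opts["forkeachjob"]),
        "QueueSortOrder": opts.get("queuesortorder", "").lower().startswith("r"),
    }


def missing_workarounds(cf_text):
    """Sorted names of the workaround options that are not in effect."""
    return sorted(name for name, ok in audit_workarounds(cf_text).items() if not ok)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(label, "missing:", missing_workarounds(text) or "none")
```

To audit a real host, pass the contents of its sendmail.cf to `missing_workarounds`; a configuration that sets none of these options still needs the upgrade to 8.13.7 or a vendor patch.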

Vendor Information


FreeBSD, Inc.

Notified:  May 09, 2006 Updated:  June 14, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to http://security.freebsd.org/advisories/FreeBSD-SA-06:17.sendmail.asc

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Notified:  May 09, 2006 Updated:  June 15, 2006

Statement Date:   June 15, 2006

Status

  Vulnerable

Vendor Statement

Gentoo Linux has this fixed in version 8.13.6-r1. For further details please see GLSA 200606-19 which will be issued shortly.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


IBM Corporation

Notified:  May 09, 2006 Updated:  June 14, 2006

Statement Date:   June 14, 2006

Status

  Vulnerable

Vendor Statement

To obtain a copy of our security advisory for this issue, please visit:

https://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#146718. IBM has provided interim fixes that remove possible attack vectors for this vulnerability. These interim fixes should be installed as a precautionary measure.

The following APARs will be released to address this issue:


APAR number for AIX 5.2.0: IY85930 (available approx. 08/23/06)
APAR number for AIX 5.3.0: IY85415 (available approx. 08/09/06)

An interim fix is available from:

ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_vu146718.tar.Z

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


NetBSD

Notified:  May 09, 2006 Updated:  June 15, 2006

Statement Date:   June 14, 2006

Status

  Vulnerable

Vendor Statement

In response to this and previous issues, Sendmail was removed entirely from the NetBSD-current base system on 2006-05-30. The default MTA has been switched to Postfix. These changes will be included in NetBSD 4.0 and later releases in order to minimise the risk and maintenance burden for any future sendmail issues.

Sendmail remains in the base distribution for the presently maintained release branches, NetBSD 2.* and 3.*, and fixes for this issue have been applied. Sendmail remains as a supported MTA for users of all NetBSD versions (and many other platforms) via pkgsrc.

Details of these fixes and further advice have been published in NetBSD Security Advisory 2006-017.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-017.txt.asc.


Red Hat, Inc.

Notified:  May 09, 2006 Updated:  June 14, 2006

Statement Date:   June 14, 2006

Status

  Vulnerable

Vendor Statement

Red Hat distributes Sendmail in all Red Hat Enterprise Linux releases. By default on Red Hat Enterprise Linux, Sendmail is configured to only accept connections from the local host. Therefore, only users who have configured Sendmail to listen to remote hosts would be remotely vulnerable to this denial of service issue.

Updated Sendmail packages will shortly be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.

https://rhn.redhat.com/errata/RHSA-2006-0515.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Sendmail Consortium

Notified:  May 08, 2006 Updated:  June 14, 2006

Statement Date:   June 12, 2006

Status

  Vulnerable

Vendor Statement

The Sendmail Consortium strongly recommends that Open Source sendmail users upgrade to 8.13.7 whenever possible. If that is not possible, source code patches are available for 8.12.11 and 8.13.6.

Further information is available at http://www.sendmail.org/.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Sendmail, Inc.

Updated:  June 14, 2006

Statement Date:   June 12, 2006

Status

  Vulnerable

Vendor Statement

Sendmail, Inc. recommends patching commercial products incorporating the sendmail MTA (including all current versions of Sendmail Switch, Sendmail Multi-Switch, Sendmail Managed MTA, Intelligent Quarantine, and Sendmail Message Store/SAMS on all systems, as well as Sendmail Sentrion). Patch information is available at

http://www.sendmail.com/security/.

Further information is available at

http://www.sendmail.com/support/,

by email at customerservice@sendmail.com, or by telephone at +1-877-363-6245 (+1-87-SENDMAIL) (press 1) or +1-510-594-5401 (international).

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc


Sun Microsystems, Inc.

Notified:  May 09, 2006 Updated:  June 14, 2006

Statement Date:   June 14, 2006

Status

  Vulnerable

Vendor Statement

Sun can confirm that Solaris 8, 9, and 10 are affected by the issue described in CERT advisory VU#146718.

Sun has published Sun Alert 102460 which includes details of the Solaris specific impact, contributing factors, workaround options and resolution information, and is available here:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102460-1

The Sun Alert will be kept up to date regarding progress on this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


B.U.G., Inc

Updated:  June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Borderware Technologies

Notified:  May 09, 2006 Updated:  May 25, 2006

Statement Date:   May 25, 2006

Status

  Not Vulnerable

Vendor Statement

No Borderware products are affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Century Systems Inc.

Updated:  June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Check Point Software Technologies

Notified:  May 09, 2006 Updated:  June 27, 2006

Statement Date:   June 27, 2006

Status

  Not Vulnerable

Vendor Statement

Check Point products are not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


F5 Networks, Inc.

Notified:  May 09, 2006 Updated:  May 15, 2006

Statement Date:   May 15, 2006

Status

  Not Vulnerable

Vendor Statement

F5 products are not vulnerable to this issue. Most F5 products do not contain sendmail, and those that do, do not run sendmail in mta mode.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Force10 Networks, Inc.

Notified:  May 09, 2006 Updated:  July 22, 2011

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Foundry Networks, Inc.

Notified:  May 09, 2006 Updated:  June 14, 2006

Statement Date:   June 14, 2006

Status

  Not Vulnerable

Vendor Statement

Foundry products do not utilize the sendmail function and are not vulnerable to this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Fujitsu

Notified:  May 09, 2006 Updated:  June 15, 2006

Statement Date:   June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Global Technology Associates

Notified:  May 09, 2006 Updated:  June 26, 2006

Statement Date:   June 19, 2006

Status

  Not Vulnerable

Vendor Statement

Global Technology Associates' products are not vulnerable to this issue. GTA products do not contain sendmail.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Hitachi

Notified:  May 09, 2006 Updated:  June 15, 2006

Statement Date:   June 14, 2006

Status

  Not Vulnerable

Vendor Statement

HI-UX/WE2 is NOT Vulnerable to this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Internet Initiative Japan

Updated:  June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Intoto

Notified:  May 09, 2006 Updated:  May 10, 2006

Statement Date:   May 10, 2006

Status

  Not Vulnerable

Vendor Statement

Intoto does not use sendmail or its derivatives in its products, so Intoto products are not susceptible to the possible sendmail Denial-of-Service condition documented in this CERT vulnerability note.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Justsystem Corporation

Updated:  June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Lotus Software

Notified:  May 09, 2006 Updated:  May 10, 2006

Statement Date:   May 10, 2006

Status

  Not Vulnerable

Vendor Statement

IBM Lotus Domino is not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Mirapoint, Inc.

Notified:  May 09, 2006 Updated:  July 14, 2006

Statement Date:   July 14, 2006

Status

  Not Vulnerable

Vendor Statement

Mirapoint is not vulnerable to VU#146718

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


NEC Corporation

Notified:  May 09, 2006 Updated:  June 15, 2006

Statement Date:   June 14, 2006

Status

  Not Vulnerable

Vendor Statement

NEC products are NOT susceptible to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Network Appliance, Inc.

Notified:  May 09, 2006 Updated:  May 12, 2006

Statement Date:   May 11, 2006

Status

  Not Vulnerable

Vendor Statement

Network Appliance Inc products do not contain any sendmail code, we are therefore not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Nortel Networks, Inc.

Notified:  May 09, 2006 Updated:  June 16, 2006

Statement Date:   June 16, 2006

Status

  Not Vulnerable

Vendor Statement

www.nortel.com/securityadvisories

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Openwall GNU/*/Linux

Notified:  May 09, 2006 Updated:  May 10, 2006

Statement Date:   May 09, 2006

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not affected. We use Postfix, not Sendmail.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Oracle Corporation

Notified:  May 09, 2006 Updated:  May 16, 2006

Statement Date:   May 15, 2006

Status

  Not Vulnerable

Vendor Statement

Oracle does not ship sendmail with any of its products. Therefore, our products are not vulnerable to this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Redback Networks, Inc.

Notified:  May 09, 2006 Updated:  June 09, 2006

Statement Date:   June 08, 2006

Status

  Not Vulnerable

Vendor Statement

No products made by Redback Networks are affected by this sendmail issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Secure Computing Network Security Division

Notified:  May 09, 2006 Updated:  June 21, 2006

Statement Date:   June 21, 2006

Status

  Not Vulnerable

Vendor Statement

Sidewinder G2 Security Appliance

Not Vulnerable

The standard defensive coding and configuration practices used on the Sidewinder G2 Security Appliance prevent this attack from interrupting the flow of mail through the system. In a standard configuration, attack messages will be rejected as invalid without causing an abnormal termination of sendmail. Due to the defensive design of the system, even if an attack message were able to cause an instance of sendmail to terminate, it would not prevent other messages from being delivered.

As a matter of best practices and defense in depth, the sendmail update will be included in a future patch.

Cyberguard Classic & TSP

Not Vulnerable

Cyberguard Classic and TSP do not make use of sendmail for mail delivery.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Syntegra

Notified:  May 09, 2006 Updated:  June 14, 2006

Statement Date:   June 14, 2006

Status

  Not Vulnerable

Vendor Statement

Syntegra is not affected by this problem and users should not encounter any problems.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Yamaha Corporation

Updated:  June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Yokogawa Electric Corporation

Updated:  June 13, 2006

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


3com, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


AT&T

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Alcatel

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Apple Computer, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Avaya, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Avici Systems, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Charlotte's Web Networks

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Chiaro Networks, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Cisco Systems, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Computer Associates

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Conectiva Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Cray Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


D-Link Systems, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Data Connection, Ltd.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Debian GNU/Linux

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


DragonFly BSD Project

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


EMC, Inc. (formerly Data General Corporation)

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Engarde Secure Linux

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Ericsson

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Extreme Networks

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Fedora Project

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Fortinet, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


GNU netfilter

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Hewlett-Packard Company

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Hyperchip

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

IBM Corporation (zseries)

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

IBM eServer

Notified:  May 09, 2006 Updated:  May 10, 2006

Statement Date:   May 10, 2006

Status

  Unknown

Vendor Statement

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to

https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to

http://app-06.www.ibm.com/servers/resourcelink

and follow the steps for registration.

All questions should be referred to servsec@us.ibm.com.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

IP Filter

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Immunix Communications, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Ingrian Networks, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Intel Corporation

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Internet Security Systems, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Juniper Networks, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Linksys (A division of Cisco Systems)

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Lucent Technologies

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Luminous Networks

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Mandriva, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Microsoft Corporation

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

MontaVista Software, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Multinet (owned Process Software Corporation)

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Multitech, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

NextHop Technologies, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Nokia

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Novell, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

OpenBSD

Notified:  June 07, 2006 Updated:  June 07, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

QNX, Software Systems, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Riverstone Networks, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

SUSE Linux

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Secureworx, Inc.

Notified:  May 31, 2006 Updated:  May 31, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Silicon Graphics, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Slackware Linux Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sony Corporation

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Stonesoft

Notified:  May 12, 2006 Updated:  May 12, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Symantec, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

The SCO Group

Notified:  June 14, 2006 Updated:  June 14, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

The SCO Group (SCO Unix)

Notified:  May 27, 2006 Updated:  May 27, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Trustix Secure Linux

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Turbolinux

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Ubuntu

Notified:  May 09, 2006 Updated:  May 10, 2006

Statement Date:   May 10, 2006

Status

  Unknown

Vendor Statement

Ubuntu does not officially support sendmail (it resides in the 'universe' component of the archive). There will be no guarantee of a timely security update and no official Ubuntu Security Notification will be issued. However, the issue will be fixed for the current development release; also it is very likely that the latest stable release Ubuntu 5.10 will get an unofficial update.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Unisys

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Watchguard Technologies, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Wind River Systems, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

ZyXEL

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

eSoft, Inc.

Notified:  May 09, 2006 Updated:  May 09, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Credit

This vulnerability was reported by Sendmail.

This document was written by Jeff Gennari based on information from Sendmail.

Other Information

CVE IDs: CVE-2006-1173
Severity Metric: 13.51
Date Public: 2006-06-14
Date First Published: 2006-06-15
Date Last Updated: 2011-07-22 12:53 UTC
Document Revision: 42

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.