Description of problem: Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.13.7. It fixes a potential denial of service problem caused by excessive recursion which leads to stack exhaustion when attempting delivery of a malformed MIME message. Therefore, the function mime8to7() has been modified to limit the recursion level at (the compile time constant) MAXMIMENESTING. Note: This denial of service attack only affects delivery of mail from the queue and delivery of a malformed message. Other incoming mail is still accepted and delivered. However, mail messages in the queue may not be reattempted if a malformed MIME message exists. Version-Release number of selected component (if applicable): sendmail-8.13.6-1 Actual/expected results: Upgrade to 8.13.7, updated Patch7 is attached. Additional info: Bug #195006 and #192850 should be also fixed before building the new version.
Created attachment 130888 [details] Patch7: sendmail-8.13.7-pid.patch
Created attachment 130893 [details] Updated Patch7: sendmail-8.13.7-pid.patch (as partial fix of bug #176679)
We need to bump this to priority high. This is a security issue, for a denial of service....and a general rule of thumb is if you can DOS it, you can eventually hack it.
No, we don't really need. This bug was filed against Fedora Core devel (that means Rawhide) which shouldn't be used on production machines anyway. For RHEL this issue is already resolved by RHSA-2006:0515-01. But to make you happy...
Fixed in rawhide in rpm sendmail-8.13.7-1 or newer.