This page doesn't cover the continuing series of sendmail disasters after 1997.
Dan Stromberg, 19970611: ``The 5.x sendmail's are riddled with holes. You want 8.8.5... I wouldn't be terribly surprised if new security holes in sendmail are found less frequently now. It's undergone some stringent code reviews. IE, calling sendmail insecure now... It -may- have changed.''
8.8.3 (fixed 19961202): ``... under some circumstances, an attacker could get additional permissions by hard linking to files that were group writable by the attacker.'' Impact: Any local user can take over certain groups, depending on how the system is configured.
8.8.3 (fixed 19961202): [Only on systems configured to use the w option.] ``... it is possible to do a denial-of-service attack on MX hosts that rely on the use of the null MX list.'' Impact: Any local user can force bounces for messages sent to certain hosts.
8.8.2 (fixed 19961117): ``... possible to get a root shell by lying to sendmail about argv[0] and then sending it a signal.'' Impact: Any local user can take over the machine.
8.8.1 (fixed 19961018): [Only on systems using the (default) 9 flag.] ``... the previous patch changed the code but didn't fix the problem.'' Impact: Any user on the Internet can take over the machine.
8.8.0 (allegedly fixed 19961017): [Only on systems using the (default) 9 flag.] ``... an illegal 7-bit MIME-encoded text/plain message could overflow a buffer if it was converted back to 8 bits.'' Impact: Any user on the Internet can take over the machine.
8.8.0 (fixed 19961017): ``... environment variables that the resolver will examine during queue runs ...'' Impact: Any local user can steal mail addressed to unqualified domain names.
8.7.6 (fixed 19960926): ``The Timeout.* options are not safe ...'' Impact: Any local user can force a queued message to bounce.
8.7.5 (fixed 19960917): ``It is possible to force getpwuid to fail when writing the queue file, causing sendmail to fall back to running programs as the default user.'' Impact: Any local user can take over the daemon account.
8.7.5 (fixed 19960917): ``some buffer overruns; in at least one case this allows a local user to get root.'' Impact: Any local user can take over the machine.
Brad Knowles, 19960208: ``sendmail is actually one of the more secure processes on the machine. In fact, I understand that Eric has gotten a lot of complaints about his tightening security up too far, and breaking certain bits of functionality that used to work and that people liked.''
8.7.3: ``In some cases it was still possible for an attacker to insert newlines into a queue file, thus allowing access to any user (except root).'' Impact: Any user on the Internet can take over any non-root user.
8.6.12: ``... denial-of-service attacks possible by destroying the alias database file by setting resource limits low.'' Impact: Any local user can destroy sendmail's alias list.
8.6.12: ``... a bad guy can read your private files.'' Impact: Any local user can read almost any file on the machine.
8.6.12: ``In some cases it was still possible for an attacker to insert newlines into a queue file, thus allowing access to any user (except root).'' Impact: Any user on the Internet can take over any non-root user.
8.6.7: ``... it was possible to read any file as root using the E (error message) option.'' Impact: Any local user can read any file on the machine.
8.6.6: ``... it was possible to get root access by using weird values to the -d flag.'' Impact: Any local user can take over the machine.
8.6.5: [Only on some UNIX variants.] ``... the ability to give files away on System V-based systems proved dangerous -- don't run as the owner of a :include: file on a system that allows giveaways.'' Impact: Any local user can take over any non-root user.
8.6.5: ``... a glitch that snuck in that caused programs to be run as the sender instead of the recipient if the mail was from a local user to another local user.'' Impact: Any local user can take over any uid that sends him email.
8.6.4: ``... group ids were not completely set when programs were invoked.'' Impact: Any local user can take over the daemon group.
8.6.4: ``... root was not treated suspiciously enough when looking into subdirectories.'' Impact: Any local user can read world-readable files hidden in inaccessible directories.
8.8.6: [Only on some UNIX variants.] ``... race condition that could cause the body of a message to be lost (so only the header was delivered). This only occurs on systems that do not use flock(2), and only when a queue runner runs during a critical section in another message delivery.'' Impact: Random message destruction on heavily loaded systems.
8.8.6: [Only on systems using the (default) 9 flag.] ``In certain cases, 7->8 bit MIME decoding of Base64 text could leave an extra space at the beginning of some lines.'' Impact: Corruption of some messages.
8.8.5: ``... possible extra null byte generated during collection if errors occur at the beginning of the stream.'' Impact: Corruption of some messages.
8.8.5: ``... possible line truncation if a quoted-printable had an =00 escape in the body.'' Impact: Corruption of some messages.
8.8.3: ``If the fork() failed in a queue run, the queue runners would not be rescheduled (so queue runs would stop).'' Impact: Random termination of queue runs on heavily loaded systems, leaving messages stuck in the queue until the condition is manually corrected.
8.8.2: [Only on systems using the (default) 9 flag.] ``7 to 8 bit BASE64 MIME conversions could duplicate bits of text.'' Impact: Corruption of some messages.
8.8.0: ``If a Base64 encoded text/plain message has no trailing newline in the encoded text, conversion back to 8 bits will drop the final line.'' Impact: Destruction of some messages.
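The 8.8.0 entries above describe two failure modes of the same 7-to-8-bit conversion: a buffer overflow on a crafted text/plain message, and a dropped final line when the encoded text has no trailing newline. Here is an added example, not sendmail's code, of a Base64 decoder that avoids both: it is driven by the input length rather than by line terminators, and it checks every output store against an explicit bound. The function names and the sample message body are constructed for this illustration.

```c
/* Added example (not sendmail code): bounded 7-bit Base64 to 8-bit decoding
 * that does not depend on the final encoded line ending in a newline. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed message body: two encoded lines, the second without a
 * trailing newline, exactly the shape the 8.8.0 entry describes. */
const char encoded_body[] =
    "bGluZTEK\n"            /* "line1\n" */
    "SGVsbG8sIFdvcmxkIQ=="; /* "Hello, World!" with no newline after it */
const char expected_text[] = "line1\nHello, World!";

/* 6-bit value of a Base64 character; -1 for '=', -2 for whitespace to skip,
 * -3 for anything not in the alphabet. */
int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    if (c == '=') return -1;
    if (c == '\n' || c == '\r' || c == ' ' || c == '\t') return -2;
    return -3;
}

/* Decode in[0..inlen) into out[0..outsz).  Returns bytes produced, or -1 on
 * malformed input or when one more byte would not fit.  The loop runs to
 * inlen, not to a line terminator, so an unterminated last line is decoded;
 * the bound is checked before every store, so a long input cannot overflow. */
long b64_decode_bounded(const char *in, size_t inlen,
                        unsigned char *out, size_t outsz)
{
    unsigned acc = 0;   /* only the low 14 bits are ever needed */
    int bits = 0, pad = 0;
    size_t n = 0;

    for (size_t i = 0; i < inlen; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v == -2) continue;
        if (v == -3) return -1;
        if (v == -1) { pad++; continue; }
        if (pad) return -1;                 /* data after '=' */
        acc = ((acc << 6) | (unsigned)v) & 0xffff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz) return -1;      /* refuse instead of overflowing */
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    if (pad > 2 || bits >= 6) return -1;    /* bad padding or a dangling char */
    return (long)n;
}

/* 1 when the whole constructed body, final line included, decodes exactly. */
int constructed_body_round_trips(void)
{
    unsigned char out[64];
    long n = b64_decode_bounded(encoded_body, sizeof(encoded_body) - 1, out, sizeof out);
    return n == (long)(sizeof(expected_text) - 1) &&
           memcmp(out, expected_text, (size_t)n) == 0;
}

/* 1 when an output buffer too small for the body is refused, not overrun. */
int undersized_buffer_is_refused(void)
{
    unsigned char out[8];
    return b64_decode_bounded(encoded_body, sizeof(encoded_body) - 1, out, sizeof out) == -1;
}

/* 1 when a single dangling character and a non-alphabet byte are both rejected. */
int malformed_input_is_rejected(void)
{
    unsigned char out[8];
    return b64_decode_bounded("TWFuT", 5, out, sizeof out) == -1 &&
           b64_decode_bounded("TW!u", 4, out, sizeof out) == -1;
}

int main(void)
{
    unsigned char out[64];
    long n = b64_decode_bounded(encoded_body, sizeof(encoded_body) - 1, out, sizeof out);
    if (n < 0) { puts("decode failed"); return 1; }
    fwrite(out, 1, (size_t)n, stdout);
    putchar('\n');
    return 0;
}
```

The two properties the 8.8.0 entries lost are visible in the two checks: the decoder's loop condition is the byte count, so the last line comes back whether or not a newline follows it, and the size test sits before the store rather than after it, so oversized input produces an error return and no write.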
8.7.6: ``The IgnoreDot (i) option didn't work for lines that were terminated with CRLF.'' Impact: Destruction of some messages.
8.7.2: ``... botch in name server timeout in RCPT code; this problem caused two responses in SMTP, which breaks things horribly.'' Impact: Random message loss.
8.7.1: ``... a locking race condition in ndbm, hash, and btree format database files on some (most non-4.4-BSD based) OS architectures.'' Impact: Random message bounces during alias-file rebuilds.
8.6.12: ``Fix possible core dump if malloc fails -- if the malloc in xalloc failed, it called syserr which called newstr which called xalloc....'' Impact: Random termination of the sendmail process on heavily loaded systems, leaving messages stuck in the queue until the condition is manually corrected.
8.6.12: [Only on systems configured to use $#error.] ``... problem when a mail address is resolved to a $#error mailer with a temporary failure indication; it works in SMTP, but when delivering locally the mail is silently discarded.'' Impact: Random message loss.
8.6.12: ``Fix problem that could cause multiple responses to DATA command on header syntax errors (e.g., lines beginning with colons).'' Impact: Random loss of valid messages sent in a multiple-message SMTP connection.
8.6.12: ``... null bytes in headers cause truncation of the rest of the header.'' Impact: Destruction of some messages.
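The 8.7.3 and 8.6.12 entries above turn on one point: text supplied by an untrusted sender was handled with C string routines on its way into a queue file, so an embedded newline started a new queue-file line and an embedded null byte hid everything after it. Added example, not sendmail's code: a writer that treats the value as a C string beside one that takes an explicit length and rejects CR, LF and NUL before writing anything. The tag/value line format, the function names and the forged recipient are assumptions constructed for this example.

```c
/* Added example (not sendmail code): writing an untrusted value into a
 * queue-file line.  Format assumed here: one tag character, the value, '\n'. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed forged recipient: a newline followed by a second "R" line,
 * then a NUL that hides the remainder from any C-string routine. */
const char forged[] = "victim@example.net\nRroot\0hidden";
const size_t forged_len = sizeof(forged) - 1;

/* Reject any byte that would start a new line or end the C string early. */
int value_is_safe(const char *v, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == '\n' || c == '\r' || c == '\0')
            return 0;
    }
    return 1;
}

/* Naive writer: the value is a C string, so it stops at the NUL and copies
 * the newline through.  Returns the number of bytes placed in out. */
size_t write_line_naive(char *out, size_t outsz, char tag, const char *value)
{
    int n = snprintf(out, outsz, "%c%s\n", tag, value);
    if (n < 0) return 0;
    return (size_t)n < outsz ? (size_t)n : outsz - 1;
}

/* Checked writer: explicit length, CR/LF/NUL rejected, output bound enforced.
 * Returns bytes written (tag + value + '\n'), or 0 when the value is refused
 * or would not fit together with its terminating NUL. */
size_t write_line_checked(char *out, size_t outsz, char tag,
                          const char *value, size_t vlen)
{
    if (!value_is_safe(value, vlen))
        return 0;
    if (outsz < 3 || vlen > outsz - 3)
        return 0;
    out[0] = tag;
    memcpy(out + 1, value, vlen);
    out[1 + vlen] = '\n';
    out[2 + vlen] = '\0';
    return vlen + 2;
}

/* How many queue-file lines the naive writer emits for the forged value
 * (one would be correct; two means a line was injected). */
int naive_line_count(void)
{
    char buf[128];
    size_t n = write_line_naive(buf, sizeof buf, 'R', forged);
    int lines = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\n')
            lines++;
    return lines;
}

int checked_rejects_forged(void)
{
    char buf[128];
    return write_line_checked(buf, sizeof buf, 'R', forged, forged_len) == 0;
}

int checked_accepts_clean(void)
{
    char buf[128];
    size_t n = write_line_checked(buf, sizeof buf, 'R', "alice@example.com", 17);
    return n == 19 && strcmp(buf, "Ralice@example.com\n") == 0;
}

int checked_refuses_small_buffer(void)
{
    char buf[10];
    return write_line_checked(buf, sizeof buf, 'R', "alice@example.com", 17) == 0;
}

int main(void)
{
    printf("naive writer emitted %d line(s) for the forged value\n", naive_line_count());
    printf("checked writer rejects forged: %d, accepts clean: %d\n",
           checked_rejects_forged(), checked_accepts_clean());
    return 0;
}
```

With the forged value the naive writer produces two queue-file lines and silently drops the text after the NUL; the checked writer refuses the value outright because the length is carried alongside the bytes, so the NUL is seen rather than treated as a terminator.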
8.6.12: ``... leading ``phrase:'' and trailing ``;'' as ...'' Impact: Corruption of the To lines in some messages.
8.6.9: ``... problem that would silently drop "too many hops" error messages if and only if you were sending to an alias.'' Impact: Loss of certain types of bounce messages.
8.6.8: ``... df* temporary file ... existing data in the file'' Impact: Random message corruption.
8.6.4: ``... bug that caused the last header line of messages that had no body and which were terminated with EOF instead of "." to be discarded.'' Impact: Destruction of some messages.
8.6.4: ``If the mailer returned EX_IOERR or EX_OSERR, sendmail did not return an error message and did not requeue the message.'' Impact: Random message loss.