Affected Packages: sendmail, sendmail-wide Mark Dowd of ISS X-Force found a bug in the header parsing routines of sendmail: it could overflow a buffer overflow when encountering addresses with very long comments. Since sendmail also parses headers when forwarding emails this vulnerability can hit mail-servers which do not deliver the email as well.
This has been fixed in upstream release 8.12.8. Updated sendmail packages are available in version 8.12.3-5 for Debian 3.0 (woody) and version 8.9.3-25 for the Debian 2.2 (potato). Updated sendmail-wide packages are available in package version 8.9.3+3.2W-24 for Debian 2.2 (potato) and version 8.12.3+3.5Wbeta-5.2 for Debian 3.0 (woody). ...then just stick all the urls in the appropriate place. See zlib advisory (dsa 122) for a precedent for a large number of packages affected by a single security problem. Mike Stone
