Sun definitely know about this bug and are dealing with it, though not very quickly. A patch will be announced in due course. If you wish to raise a bug report yourself simply email a copy of the program that was sent on bugtraq earlier containing a call to syslog() that creates a core dump. It is not necessary to reproduce the security hole in order to request a patch. Also, it is worth noting that the syslog fix will not fix all problems with sendmail as I have been able to core dump sendmail with several other stack overwrites even after disabling syslog() altogether. The hole has nothing at all to do with syslogd, so tell them where to go. Paul ps. If you want any further information, please let me know.