Casper Dik <casper@Holland.Sun.COM> writes:
> The simple facts are:
> - all sendmails are vulnerable
> - it's a syslog() problem, not really a sendmail problem.

Well, sort of. sendmail 8.6.12 jumps through all sorts of hoops to limit the size of its syslog() output. You're right, of course, that it really is a syslog() bug, and that's where the fix needs to be. The output-limiting stuff in 8.6.12 is a hack, but it *looks* as though it would prevent this attack. For all the obvious reasons, it's still essential to fix syslog().

Still, it would have been more accurate to say:

The simple facts are:
- all sendmails are vulnerable, BUT some are much more vulnerable than others.

Jim Shankland
Flying Fox Computer Systems, Inc.