CVE-2009-4565 - Cryptographic Issues vulnerability in Sendmail
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72837.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63813 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63813 |
title | AIX 5.3 TL 11 : sendmail (IZ72837) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201206-30.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201206-30 (sendmail: X.509 NULL spoofing vulnerability) A vulnerability has been discovered in sendmail. Please review the CVE identifier referenced below for details. Impact : A remote attacker might employ a specially crafted certificate to conduct man-in-the-middle attacks on SSL connections made using sendmail. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 59703 |
published | 2012-06-26 |
reporter | This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/59703 |
title | GLSA-201206-30 : sendmail: X.509 NULL spoofing vulnerability |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1985.NASL |
description | It was discovered that sendmail, a Mail Transport Agent, does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44849 |
published | 2010-02-24 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44849 |
title | Debian DSA-1985-1 : sendmail - insufficient input validation |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2011-0262.NASL |
description | From Red Hat Security Advisory 2011:0262 : Updated sendmail packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565) The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration. This update also fixes the following bugs : * Previously, sendmail did not correctly handle mail messages that had a long first header line. A line with more than 2048 characters was split, causing the part of the line exceeding the limit, as well as all of the following mail headers, to be incorrectly handled as the message body. (BZ#499450) * When an SMTP-sender is sending mail data to sendmail, it may spool that data to a file in the mail queue. It was found that, if the SMTP-sender stopped sending data and a timeout occurred, the file may have been left stalled in the mail queue, instead of being deleted. This update may not correct this issue for every situation and configuration. Refer to the Solution section for further information. (BZ#434645) * Previously, the sendmail macro MAXHOSTNAMELEN used 64 characters as the limit for the hostname length. However, in some cases, it was used against an FQDN length, which has a maximum length of 255 characters. With this update, the MAXHOSTNAMELEN limit has been changed to 255. (BZ#485380) All sendmail users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, sendmail will be restarted automatically. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 68203 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/68203 |
title | Oracle Linux 4 : sendmail (ELSA-2011-0262) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_0_RMAIL-100218.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44930 |
published | 2010-03-01 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44930 |
title | openSUSE Security Update : rmail (rmail-2012) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SENDMAIL-6859.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44935 |
published | 2010-03-01 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44935 |
title | SuSE 10 Security Update : sendmail (ZYPP Patch Number 6859) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SENDMAIL-6860.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 49924 |
published | 2010-10-11 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/49924 |
title | SuSE 10 Security Update : sendmail (ZYPP Patch Number 6860) |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ70637.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63799 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63799 |
title | AIX 6.1 TL 4 : sendmail (IZ70637) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_2_RMAIL-100218.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44932 |
published | 2010-03-01 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44932 |
title | openSUSE Security Update : rmail (rmail-2012) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20100330_SENDMAIL_ON_SL5_X.NASL |
description | The configuration of sendmail in Scientific Linux was found to not reject the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60774 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60774 |
title | Scientific Linux Security Update : sendmail on SL5.x i386/x86_64 |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72834.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63810 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63810 |
title | AIX 5.3 TL 8 : sendmail (IZ72834) |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72528.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63809 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63809 |
title | AIX 6.1 TL 1 : sendmail (IZ72528) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2011-0262.NASL |
description | Updated sendmail packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Sendmail is a Mail Transport Agent (MTA) used to send mail between machines. A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565) The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration. This update also fixes the following bugs : * Previously, sendmail did not correctly handle mail messages that had a long first header line. A line with more than 2048 characters was split, causing the part of the line exceeding the limit, as well as all of the following mail headers, to be incorrectly handled as the message body. (BZ#499450) * When an SMTP-sender is sending mail data to sendmail, it may spool that data to a file in the mail queue. It was found that, if the SMTP-sender stopped sending data and a timeout occurred, the file may have been left stalled in the mail queue, instead of being deleted. This update may not correct this issue for every situation and configuration. Refer to the Solution section for further information. (BZ#434645) * Previously, the sendmail macro MAXHOSTNAMELEN used 64 characters as the limit for the hostname length. However, in some cases, it was used against an FQDN length, which has a maximum length of 255 characters. With this update, the MAXHOSTNAMELEN limit has been changed to 255. (BZ#485380) All sendmail users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, sendmail will be restarted automatically. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 53535 |
published | 2011-04-22 |
reporter | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/53535 |
title | RHEL 4 : sendmail (RHSA-2011:0262) |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72515.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63808 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63808 |
title | AIX 6.1 TL 2 : sendmail (IZ72515) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_1_RMAIL-100218.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44931 |
published | 2010-03-01 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44931 |
title | openSUSE Security Update : rmail (rmail-2012) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-5470.NASL |
description | This new version of sendmail fixes security bug - handling of bogus certificates with NULLs in CNs. Also many other bugs have been fixed, for complete list please see: http://www.sendmail.org/releases/8.14.4 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 47389 |
published | 2010-07-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/47389 |
title | Fedora 12 : sendmail-8.14.4-3.fc12 (2010-5470) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE9_12590.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44958 |
published | 2010-03-02 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44958 |
title | SuSE9 Security Update : sendmail (YOU Patch Number 12590) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_RMAIL-100218.NASL |
description | This update of sendmail improves the handling of special-characters in the SSL certificate. (CVE-2009-4565: CVSS v2 Base Score: 7.5) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44933 |
published | 2010-03-01 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44933 |
title | SuSE 11 Security Update : sendmail (SAT Patch Number 2021) |

NASL family | SMTP problems |
NASL id | SENDMAIL_8_14_4.NASL |
description | The remote mail server is running a version of Sendmail earlier than 8.14.4. Such versions are reportedly affected by a flaw that may allow an attacker to spoof SSL certificates by using a NULL character in certain certificate fields. A remote attacker may exploit this to perform a man-in-the-middle attack. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43637 |
published | 2010-01-05 |
reporter | This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/43637 |
title | Sendmail < 8.14.4 SSL Certificate NULL Character Spoofing |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2010-003.NASL |
description | A security vulnerability has been identified and fixed in sendmail : sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43867 |
published | 2010-01-13 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/43867 |
title | Mandriva Linux Security Advisory : sendmail (MDVSA-2010:003) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2010-0237.NASL |
description | Updated sendmail packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Sendmail is a very widely used Mail Transport Agent (MTA). MTAs deliver mail from one machine to another. Sendmail is not a client program, but rather a behind-the-scenes daemon that moves email over networks or the Internet to its final destination. The configuration of sendmail in Red Hat Enterprise Linux was found to not reject the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 46286 |
published | 2010-05-11 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/46286 |
title | RHEL 5 : sendmail (RHSA-2010:0237) |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72510.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63807 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63807 |
title | AIX 6.1 TL 3 : sendmail (IZ72510) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-5399.NASL |
description | This new version of sendmail fixes security bug - handling of bogus certificates with NULLs in CNs. Also many other bugs have been fixed, for complete list please see: http://www.sendmail.org/releases/8.14.4 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 47387 |
published | 2010-07-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/47387 |
title | Fedora 11 : sendmail-8.14.4-3.fc11 (2010-5399) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20110216_SENDMAIL_ON_SL4_X.NASL |
description | A flaw was found in the way sendmail handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick sendmail into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack or bypass intended client certificate authentication. (CVE-2009-4565) The CVE-2009-4565 issue only affected configurations using TLS with certificate verification and CommonName checking enabled, which is not a typical configuration. This update also fixes the following bugs : - Previously, sendmail did not correctly handle mail messages that had a long first header line. A line with more than 2048 characters was split, causing the part of the line exceeding the limit, as well as all of the following mail headers, to be incorrectly handled as the message body. (BZ#499450) - When an SMTP-sender is sending mail data to sendmail, it may spool that data to a file in the mail queue. It was found that, if the SMTP-sender stopped sending data and a timeout occurred, the file may have been left stalled in the mail queue, instead of being deleted. This update may not correct this issue for every situation and configuration. Refer to the Notes section for further information. (BZ#434645) - Previously, the sendmail macro MAXHOSTNAMELEN used 64 characters as the limit for the hostname length. However, in some cases, it was used against an FQDN length, which has a maximum length of 255 characters. With this update, the MAXHOSTNAMELEN limit has been changed to 255. (BZ#485380) After installing this update, sendmail will be restarted automatically. Notes: As part of the fix for BZ#434645, a script called purge-mqueue is shipped with this update. It is located in the /usr/share/sendmail/ directory. The primary purpose of this script is a one-time clean up of the mqueue from stalled files that were created before the installation of this update. By default, the script removes all files from /var/spool/mqueue/ that have an atime older than one month. It requires the tmpwatch package to be installed. If you have stalled files in your mqueue you can run this script or clean them manually. It is also possible to use this script as a cron job (for example, by copying it to /etc/cron.daily/), but it should not be needed in most cases, because this update should prevent the creation of new stalled files. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60962 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60962 |
title | Scientific Linux Security Update : sendmail on SL4.x i386/x86_64 |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72835.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63811 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63811 |
title | AIX 5.3 TL 9 : sendmail (IZ72835) |

NASL family | AIX Local Security Checks |
NASL id | AIX_IZ72836.NASL |
description | 'sendmail before 8.14.4 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63812 |
published | 2013-01-24 |
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63812 |
title | AIX 5.3 TL 10 : sendmail (IZ72836) |
Oval
accepted | 2013-04-29T04:04:04.004-04:00 |
class | vulnerability |
contributors | Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.) |
definition_extensions | The operating system installed on the system is Red Hat Enterprise Linux 5 (oval:org.mitre.oval:def:11414); The operating system installed on the system is CentOS Linux 5.x (oval:org.mitre.oval:def:15802); Oracle Linux 5.x (oval:org.mitre.oval:def:15459) |
description | sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
family | unix |
id | oval:org.mitre.oval:def:10255 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
version | 18 |

accepted | 2015-04-20T04:00:10.363-04:00 |
class | vulnerability |
contributors | Varun Narula (Hewlett-Packard); Sushant Kumar Singh (Hewlett-Packard); Sushant Kumar Singh (Hewlett-Packard); Prashant Kumar (Hewlett-Packard); Mike Cokus (The MITRE Corporation) |
description | sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
family | unix |
id | oval:org.mitre.oval:def:11822 |
status | accepted |
submitted | 2010-10-08T14:03:58.000-05:00 |
title | HP-UX Running sendmail with STARTTLS Enabled, Remote Unauthorized Access. |
version | 48 |
Seebug
bulletinFamily | exploit |
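description | BUGTRAQ ID: 37543 CVE ID: CVE-2009-4565 Sendmail is a mail transfer agent (MTA) used by many large sites. Sendmail does not correctly validate a null character (\0) in the domain name held in the Common Name (CN) field of an X.509 certificate subject: when it processes a certificate field that contains a null character, it wrongly treats the null character as a terminator and therefore validates only the part before it. For example, for a name like the following: example.com\0.haxx.se the certificate is issued to haxx.se, but Sendmail wrongly validates it as example.com. This allows an attacker to use a specially crafted server certificate issued by a legitimate CA to impersonate an arbitrary SSL-based Sendmail server and carry out a man-in-the-middle attack, or to bypass the intended client-hostname restrictions. Sendmail Consortium Sendmail < 8.14.4 Vendor patch: Sendmail Consortium ------------------- The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page: http://www.sendmail.org/releases/8.14.4 |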
id | SSV:15208 |
last seen | 2017-11-19 |
modified | 2010-01-08 |
published | 2010-01-08 |
reporter | Root |
title | Sendmail CA SSL Certificate Validation Vulnerability |
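The truncation described above, as an added example that is not sendmail's code or part of the original entry: a CN modelled as raw bytes plus its ASN.1 length, compared once as a C string and once length-aware with embedded NULs rejected. The struct and function names are hypothetical, and the sample CN is constructed from the name quoted in the description.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a decoded CN: raw bytes plus the length from the ASN.1 encoding. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Constructed samples: the name quoted in the description (20 bytes, embedded NUL)
 * and an ordinary CN. Both arrays carry a trailing NUL from the string literal. */
static const unsigned char crafted_cn[] = "example.com\0.haxx.se";
static const unsigned char honest_cn[] = "example.com";
static const struct cn_value crafted = { crafted_cn, sizeof(crafted_cn) - 1 };
static const struct cn_value honest = { honest_cn, sizeof(honest_cn) - 1 };

/* ASCII case-insensitive comparison of exactly n bytes. */
static int ascii_ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the CN is treated as a C string, so its length is taken from
 * strlen() and everything after the first NUL is never looked at. */
static int cn_matches_truncating(const struct cn_value *cn, const char *expected)
{
    size_t seen = strlen((const char *)cn->data);
    return seen == strlen(expected) && ascii_ieq(cn->data, expected, seen);
}

/* A NUL anywhere inside the encoded length can never be part of a valid host name. */
static int cn_has_embedded_nul(const struct cn_value *cn)
{
    return memchr(cn->data, '\0', cn->len) != NULL;
}

/* Length-aware pattern: reject embedded NULs, then compare the full encoded length. */
static int cn_matches_strict(const struct cn_value *cn, const char *expected)
{
    if (cn->len == 0 || cn_has_embedded_nul(cn))
        return 0;
    return cn->len == strlen(expected) && ascii_ieq(cn->data, expected, cn->len);
}

/* Renders the CN for a log line with non-printable bytes escaped, so a rejected
 * name is recorded in full instead of being cut at the NUL. Returns bytes written. */
static size_t cn_escape(const struct cn_value *cn, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < cn->len; i++) {
        unsigned char c = cn->data[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 2 > outsz) break;
            out[o++] = (char)c;
        } else {
            if (o + 5 > outsz) break;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
        }
    }
    if (outsz) out[o] = '\0';
    return o;
}

int main(void)
{
    char shown[128];
    cn_escape(&crafted, shown, sizeof(shown));
    printf("CN bytes     : %s (%zu bytes)\n", shown, crafted.len);
    printf("truncating   : %s\n",
           cn_matches_truncating(&crafted, "example.com") ? "MATCH" : "reject");
    printf("length-aware : %s\n",
           cn_matches_strict(&crafted, "example.com") ? "MATCH" : "reject");
    return 0;
}
```
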
Statements
contributor | Tomas Hoger |
lastmodified | 2010-01-21 |
organization | Red Hat |
statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-4565 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. |
References
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://marc.info/?l=bugtraq&m=126953289726317&w=2
- http://secunia.com/advisories/37998
- http://secunia.com/advisories/38314
- http://secunia.com/advisories/38915
- http://secunia.com/advisories/39088
- http://secunia.com/advisories/40109
- http://secunia.com/advisories/43366
- http://security.gentoo.org/glsa/glsa-201206-30.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021797.1-1
- http://www.debian.org/security/2010/dsa-1985
- http://www.redhat.com/support/errata/RHSA-2011-0262.html
- http://www.securityfocus.com/bid/37543
- http://www.sendmail.org/releases/8.14.4
- http://www.vupen.com/english/advisories/2009/3661
- http://www.vupen.com/english/advisories/2010/0719
- http://www.vupen.com/english/advisories/2010/1386
- http://www.vupen.com/english/advisories/2011/0415
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10255
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11822