Fluid Attacks Database

Description

The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access unintended high-numbered file descriptors via a custom mail-delivery program.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	sendmail	>=0 <8.14.4-6	8.14.4-6
debian 12	sendmail	>=0 <8.14.4-6	8.14.4-6
debian 14	sendmail	>=0 <8.14.4-6	8.14.4-6
debian 11	sendmail	>=0 <8.14.4-6	8.14.4-6
rpm rhel5	sendmail	-	-
rpm rhel6	sendmail	-	-
rpm rhel7	sendmail	-	-

Aliases

1. CVE-2014-39562. NVD-2014-39563. OSV-DEBIAN-2014-39564. OSV-2014-39565. SECURITY-TRACKER-CVE-2014-3956

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.