A race condition exists in sendmail's handling of asynchronous signals.
A remote attacker may be able to execute arbitrary source code with the
privileges of the user running sendmail, typically root.
The fixes have been applied to the 3.7-stable, 3.8-stable and 3.9-stable
branches, and are also available as patches. 3.9-current has been
updated to the new sendmail version which has this addressed as well.
Patches for the respective releases: