I'd go read this document:

The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.

The following files were modified to include the malicious code:


These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.

The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.

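As a defender-side illustration added here (not part of the advisory or of this post), the script below correlates a process table with open TCP sockets and flags any process descended from `make` that holds a connection to 6667/tcp, which is the build-time behaviour the advisory describes. The `ps` and `ss` output is constructed sample text; on a live system you would feed it `ps -eo pid,ppid,comm` and `ss -tnp`.

```python
import re
# Constructed `ps -eo pid,ppid,comm` sample (not real data): a make-driven build whose
# shell step has forked an extra process, plus an unrelated IRC client (irssi).
PS_SAMPLE = """\
  PID  PPID COMMAND
    1     0 init
  812     1 irssi
 2410     1 make
 2431  2410 sh
 2452  2431 sh
"""
# Constructed `ss -tnp` sample: both rows use 6667/tcp, only row one descends from make.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:41822      192.0.2.10:6667     users:(("sh",pid=2452,fd=3))
ESTAB  0      0      10.0.0.5:41900      198.51.100.7:6667   users:(("irssi",pid=812,fd=5))
"""
BUILD_TOOLS = {"make", "gmake"}
SUSPECT_PORT = 6667  # remote port named in the advisory
SS_RE = re.compile(r'(\S+):(\d+)\s+users:\(\("[^"]*",pid=(\d+),')  # peer ip, port, pid

def parse_ps(text):
    """Map pid -> (ppid, comm) from `ps -eo pid,ppid,comm` output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, ppid, comm = line.split(None, 2)
        procs[int(pid)] = (int(ppid), comm)
    return procs

def ancestry(procs, pid):
    """Walk parent links from pid up to init; returns [(pid, comm), ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen-guard protects against cycles
        seen.add(pid)
        ppid, comm = procs[pid]
        chain.append((pid, comm))
        pid = ppid
    return chain

def find_build_egress(ps_text, ss_text, port=SUSPECT_PORT):
    """Report connections to `port` whose owning process has a build tool as an ancestor."""
    procs = parse_ps(ps_text)
    hits = []
    for m in filter(None, map(SS_RE.search, ss_text.splitlines())):
        peer, peer_port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        chain = ancestry(procs, pid)
        # chain[0] is the process itself; only its ancestors decide whether it is build-spawned
        if peer_port == port and any(comm in BUILD_TOOLS for _, comm in chain[1:]):
            hits.append({"pid": pid, "peer": f"{peer}:{peer_port}",
                         "chain": " <- ".join(comm for _, comm in chain)})
    return hits
```

The irssi connection is deliberately not reported: the point is the combination of the port with a build-tool ancestor, not the port alone.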


Before anyone rails on Open Source being such an informal thing that it allows this type of stuff to happen, I'd point out the many, many security advisories from Microsoft alone this year. Each approach has its pros and cons, and even Microsoft can have malicious staff members. I'd also suspect that this event will force many Open Source staffers to crack down more on the build process.

And, in closing, I'd comment that Sendmail has had issues for a long time and perhaps it's time to look at Qmail.  Qmail is Open Source and just plain awesome although I'll admit it can be a prick to install and configure.  Once up though it's absolutely rock solid.  I got my buddy Apokalyptik to install and support it for me on a contract basis and it's been stellar.  Apparently it's also been more than a year (I think it's actually several years) without a security alert.  Recommended.