Why 11 Days to Fix a Remote Root Vulnerability?

An elapsed time of 11 days to release a fix to protect customers from a remote root compromise is unusual and a matter of concern. This is SCO's comment on the issue:

Starting with this release, SCO Linux Server 4.0 uses the SCO Linux Update Service as the mechanism for delivering security and other updates.

This sendmail update was delayed because we are in the process of testing out a new handoff process for patches as part of the SCO Update Service. Because the process is new, we encountered some delays and these resulted in the patch for sendmail not being available until last Friday [March 14, 2003—Ed.]. We do not expect delays to be a normal part of the process.

You should also note that the default MTA on SCO Linux 4 is not sendmail but Postfix, so the majority of SCO Linux servers will not be vulnerable to this security issue.

Another remote root exploit for sendmail was published on March 29; SCO had a fix on April 4, six days later.

—Don Marti