Control: tag -1 confirmed On Fri, Jun 14, 2024 at 09:01:06PM +0000, Bastien Roucariès wrote: > diff -Nru sendmail-8.15.2/debian/NEWS.Debian > sendmail-8.15.2/debian/NEWS.Debian > --- sendmail-8.15.2/debian/NEWS.Debian 1970-01-01 00:00:00.000000000 > +0000 > +++ sendmail-8.15.2/debian/NEWS.Debian 2024-05-13 18:44:56.000000000 > +0000 > @@ -0,0 +1,19 @@ > +sendmail (8.18.1-3) unstable; urgency=medium > + > + Sendmail was affected by SMTP smurgling (CVE-2023-51765). ^ "smuggling"
> + Remote attackers can use a published exploitation technique > + to inject e-mail messages with a spoofed MAIL FROM address, > + allowing bypass of an SPF protection mechanism. > + This occurs because sendmail supports some combinaison of > + <CR><LF><NUL>. > + . > + This particular injection vulnerability has been closed, > + unfortunatly full closure need to reject mail that > + contain NUL. > + . > + This is slighly non conformant with RFC and could > + be opt-out by setting confREJECT_NUL to 'false' > + in sendmail.mc file. > + > + -- Bastien Roucariès <ro...@debian.org> Sun, 12 May 2024 19:38:09 +0000 > + Is "slightly non-conformant" really good justification for a pop-up news item on upgrades? I don't recall the other MTAs doing this. It's up to you, either way please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1