Control: tag -1 confirmed

On Fri, Jun 14, 2024 at 09:01:06PM +0000, Bastien Roucariès wrote:
> diff -Nru sendmail-8.15.2/debian/NEWS.Debian 
> sendmail-8.15.2/debian/NEWS.Debian
> --- sendmail-8.15.2/debian/NEWS.Debian        1970-01-01 00:00:00.000000000 
> +0000
> +++ sendmail-8.15.2/debian/NEWS.Debian        2024-05-13 18:44:56.000000000 
> +0000
> @@ -0,0 +1,19 @@
> +sendmail (8.18.1-3) unstable; urgency=medium
> +
> +  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
                                      ^
                                   "smuggling"

> +  Remote attackers can use a published exploitation technique
> +  to inject e-mail messages with a spoofed MAIL FROM address,
> +  allowing bypass of an SPF protection mechanism.
> +  This occurs because sendmail supports some combinaison of
> +  <CR><LF><NUL>.
> +  .
> +  This particular injection vulnerability has been closed,
> +  unfortunatly full closure need to reject mail that
> +  contain NUL.
> +  .
> +  This is slighly non conformant with RFC and could
> +  be opt-out by setting confREJECT_NUL to 'false'
> +  in sendmail.mc file.
> +
> + -- Bastien Roucariès <ro...@debian.org>  Sun, 12 May 2024 19:38:09 +0000
> +
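Review bot: the NEWS.Debian header reads "sendmail (8.18.1-3) unstable" while the diff is taken against the sendmail-8.15.2 source tree; the version and distribution in that header should match the package this upload actually produces, otherwise the entry is attached to a version the user never installed. The entry also carries several spelling and grammar errors beyond "smurgling": "combinaison" should be "combination", "unfortunatly" should be "unfortunately", "slighly" should be "slightly", "non conformant" should be "non-conformant", and "full closure need to reject mail that contain NUL" should read "full closure needs to reject mail that contains NUL". Since the text tells admins to opt out via confREJECT_NUL in sendmail.mc, quoting the exact line they should add (presumably a define(`confREJECT_NUL', `false') m4 stanza) and naming the RFC the NUL rejection deviates from would save them guessing.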

Is "slightly non-conformant" really good justification for a pop-up news
item on upgrades? I don't recall the other MTAs doing this.

It's up to you, either way please go ahead.

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1