On Sun, 30 Jun 2024, Greg Wooledge wrote:

On Sun, Jun 30, 2024 at 23:08:01 +0100, Tim Woodall wrote:
According to this

bare CRs aren't allowed in emails but this has always worked.

I'm only likely to have cron generating emails like this.

Strange that this would have been changed in a stable release. It
doesn't seem to have been a security update.

It looks like it's coming from this change:


 * Fix CVE-2023-51765 (Closes: #1059386):
   sendmail allowed SMTP smuggling in certain configurations.
   Remote attackers can use a published exploitation
   technique to inject e-mail messages with a spoofed
   MAIL FROM address, allowing bypass of an SPF protection
   mechanism. This occurs because sendmail supports
   <LF>.<CR><LF> but some other popular e-mail servers
   do not. This is resolved with 'o' in srv_features.

I don't know the details of how this leads to a security hole.

It might be - but the wording suggested that this is blocking bare <LF>,
which isn't my problem - and also I'd assume this is header-related.

The thing I'm seeing is <CR> in the body of the email - I had no idea
this was illegal - and I'm surprised that tools like cron don't do
something to avoid sending "illegal" emails. Indeed, even mail will do
so happily.
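To make the changelog entry concrete, here is an added example (not code from this thread, from cron, or from sendmail): a small model of a receiving MTA's end-of-data detection, run over a constructed DATA stream that carries an <LF>.<CR><LF> sequence followed by a second envelope. A receiver that only honours <CR><LF>.<CR><LF> sees one message; a receiver that also honours <LF>.<CR><LF> sees two, the second with whatever MAIL FROM the attacker chose. Because the bytes arrive over the relaying MTA's connection, SPF for the smuggled sender is evaluated against that relay's IP and passes. The same block includes a bare-CR/bare-LF check of the kind the cron mails in this thread would fail. All addresses, sample bytes and function names are made up for illustration.

```python
import re

# Constructed sample: the bytes one MTA relays to the next after DATA.
# The attacker, submitting through the first MTA, put "<LF>.<CR><LF>" in
# the body and then a second SMTP envelope. The closing "<CR><LF>.<CR><LF>"
# is the relaying MTA's real end-of-data.
SMUGGLED_DATA = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"legit body line\r\n"
    b"\n.\r\n"                          # <LF>.<CR><LF>: end-of-data for a lenient receiver only
    b"MAIL FROM:<ceo@example.org>\r\n"  # smuggled envelope; SPF is checked against the relay's IP
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.org\r\n"
    b"Subject: spoofed\r\n"
    b"\r\n"
    b"pay the invoice\r\n"
    b".\r\n"                            # <CR><LF>.<CR><LF>: the real terminator
)

# Constructed cron-style mail: a job wrote a progress line with a bare CR.
CRON_BODY = b"Subject: Cron <tim@host> backup\r\n\r\nprogress 10%\rprogress 100%\r\ndone\r\n"

STRICT_EOD = re.compile(rb"\r\n\.\r\n")           # RFC 5321: only <CR><LF>.<CR><LF>
LENIENT_EOD = re.compile(rb"(?:\r\n|\n)\.\r\n")   # additionally accepts <LF>.<CR><LF>


def split_data_stream(stream: bytes, envelope_from: str, accept_lf_dot_crlf: bool):
    """Interpret `stream` the way a receiving MTA in DATA mode would.

    Returns [(mail_from, body_bytes), ...], one entry per message the receiver
    believes it was handed. `envelope_from` is the MAIL FROM of the first
    message. An empty message (terminator as the very first line) is not modelled.
    """
    eod = LENIENT_EOD if accept_lf_dot_crlf else STRICT_EOD
    messages = []
    pos = 0
    mail_from = envelope_from
    while True:
        m = eod.search(stream, pos)
        if m is None:
            break                         # no terminator yet: a real server keeps reading
        messages.append((mail_from, stream[pos:m.start()]))
        pos = m.end()
        # Back in command mode: read commands until the next DATA.
        mail_from = None
        while True:
            nl = stream.find(b"\r\n", pos)
            if nl < 0:
                return messages
            line, pos = stream[pos:nl], nl + 2
            if line.upper().startswith(b"MAIL FROM:"):
                mail_from = line.split(b":", 1)[1].strip().strip(b"<>").decode()
            elif line.upper() == b"DATA":
                break
    return messages


def bare_line_endings(message: bytes) -> dict:
    """Count line breaks that are not <CR><LF>: a bare CR (typical of captured
    program output) and a bare LF. An MTA enforcing RFC 5321 rejects both."""
    return {
        "bare_cr": len(re.findall(rb"\r(?!\n)", message)),
        "bare_lf": len(re.findall(rb"(?<!\r)\n", message)),
    }


def normalize_line_endings(message: bytes) -> bytes:
    """Rewrite CRLF, bare CR and bare LF all to CRLF. Must run before
    dot-stuffing, since it can create a new line that starts with '.'."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", message)


if __name__ == "__main__":
    for lenient in (False, True):
        msgs = split_data_stream(SMUGGLED_DATA, "alice@example.org", lenient)
        print("accept <LF>.<CR><LF>:", lenient, "-> messages:", [m[0] for m in msgs])
    print("cron body:", bare_line_endings(CRON_BODY))
    print("normalized:", bare_line_endings(normalize_line_endings(CRON_BODY)))
```

Run stand-alone it reports one message for the strict receiver and two (the second from ceo@example.org) for the lenient one, and flags the single bare CR in the cron-style body. Note the ordering caveat in `normalize_line_endings`: turning the bare LF in SMUGGLED_DATA into CRLF produces a line consisting of a lone ".", so a sending MTA that normalizes must dot-stuff afterwards or it manufactures a premature terminator itself.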
