Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-30 Thread Harald Dunkel

Hi Jason,

On 2020-01-29 14:33, Jason Barbier wrote:


> According to the CVE, everything since the commit in May 2018 that established
> the new grammar.



The e-mail did not mention a CVE. I was very concerned that I had to upgrade
my "old" hosts to the new smtpd.conf syntax, so this is good news.

Thanx for your reply.


Regards
Harri



Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Harald Dunkel

Hi Gilles,

On 2020-01-28 23:30, gil...@poolp.org wrote:

> Hello misc@,
>
> Qualys has found a critical vulnerability leading to a possible privilege
> escalation.
>
> It is very important that you upgrade your setups AS SOON AS POSSIBLE.
>
> We'll provide more details when the advisory is out and I'll take time to write
> about how this bug was made possible, but in the meantime get your setups fixed!



Which versions of OpenSMTPD are affected?

Thanx for the quick fix.
Harri



Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Reio Remma

On 29/01/2020 00:30, gil...@poolp.org wrote:

> Hello misc@,
>
> Qualys has found a critical vulnerability leading to a possible privilege
> escalation.
>
> It is very important that you upgrade your setups AS SOON AS POSSIBLE.
>
> We'll provide more details when the advisory is out and I'll take time to write
> about how this bug was made possible, but in the meantime get your setups fixed!



Thanks a lot for the heads up! Updated my CentOS 7 packages.

Thanks,
Reio



OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-28 Thread gilles
Hello misc@,

Qualys has found a critical vulnerability leading to a possible privilege 
escalation.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

We'll provide more details when the advisory is out and I'll take time to write
about how this bug was made possible, but in the meantime get your setups fixed!


On OpenBSD:
---

Binary patches are available through syspatch.

Just run the syspatch command and make sure that your OpenSMTPD was restarted:

$ doas syspatch



On other systems
---

I have released version 6.6.2p1 of OpenSMTPD which addresses the vulnerability.


It is available from our website:

https://www.opensmtpd.org/archives/opensmtpd-6.6.2p1.tar.gz
https://www.opensmtpd.org/archives/opensmtpd-6.6.2p1.sum.sig


It is also available from Github:

https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.2p1/opensmtpd-6.6.2p1.tar.gz
https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.2p1/opensmtpd-6.6.2p1.sum.sig


Or using the `6.6.2p1` tag if you're building from source.
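The announcement above gives the fixed version and the signed checksum file but leaves the checking to the reader. The script below is an added example, not code from the announcement or from the OpenSMTPD project: it parses the version an installed portable smtpd reports, compares it (including the portable `pN` suffix) against 6.6.2p1, and verifies a downloaded tarball against its `.sum.sig` with signify. It assumes that `smtpd -h` prints a banner of the form `version: OpenSMTPD X.Y.Z[pN]` and that the release signify public key has been obtained and checked out of band; neither detail appears in the thread.

```shell
#!/bin/sh
# Added example (not part of the OpenSMTPD announcement): check an installed
# portable OpenSMTPD against the fixed release and verify a downloaded tarball.

FIXED_VERSION="6.6.2p1"

# Split "MAJOR.MINOR.PATCH[pN]" into four numeric fields "MAJOR MINOR PATCH N".
# A version without a portable suffix (OpenBSD base, or "6.6") gets N=0.
version_fields() {
    v=$1
    base=${v%%p*}
    case $v in
        *p*) port=${v##*p} ;;
        *)   port=0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "6.6" has no patch component: rest is then identical to minor.
    [ "$patch" = "$rest" ] && patch=0
    echo "$major $minor $patch $port"
}

# True (exit 0) when version $1 is at least version $2, compared field by field,
# so that 6.6.2 (no portable suffix) ranks below 6.6.2p1.
version_ge() {
    a=$(version_fields "$1")
    b=$(version_fields "$2")
    set -- $a $b            # $1..$4 candidate, $5..$8 reference
    [ "$1" -gt "$5" ] && return 0
    [ "$1" -lt "$5" ] && return 1
    [ "$2" -gt "$6" ] && return 0
    [ "$2" -lt "$6" ] && return 1
    [ "$3" -gt "$7" ] && return 0
    [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# Read a version banner on stdin and print the bare "X.Y.Z[pN]" token.
# Assumption: the banner contains "OpenSMTPD <version>", as `smtpd -h` prints.
parse_version() {
    sed -n 's/.*OpenSMTPD \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

installed_version() {
    smtpd -h 2>&1 | parse_version
}

# Verify tarball $1 against its signify-signed checksum list using public key $2.
# The .sum.sig file is expected next to the tarball, named as on the website.
verify_release() {
    tarball=$1
    pubkey=$2
    sumsig="${tarball%.tar.gz}.sum.sig"
    signify -C -p "$pubkey" -x "$sumsig" "$tarball"
}

case "${1:-}" in
    check)
        v=$(installed_version)
        if [ -z "$v" ]; then
            echo "could not determine OpenSMTPD version from smtpd -h" >&2
            exit 1
        fi
        if version_ge "$v" "$FIXED_VERSION"; then
            echo "OpenSMTPD $v: at or above $FIXED_VERSION"
        else
            echo "OpenSMTPD $v: older than $FIXED_VERSION, upgrade now" >&2
            exit 1
        fi
        ;;
    verify)
        verify_release "$2" "$3"
        ;;
esac
```

Usage: `sh check-smtpd.sh check` on a host running the portable build, and `sh check-smtpd.sh verify opensmtpd-6.6.2p1.tar.gz release-key.pub` after downloading both files from one of the URLs above. The version check is only meaningful for the portable release: on OpenBSD the fix arrives through syspatch without changing the version banner, so there confirm with `syspatch -l` that the patch is installed and then check that the running smtpd was started after the patch (for example by comparing its start time in `ps -o lstart` with the modification time of `/usr/sbin/smtpd`).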