Your message dated Thu, 30 Jan 2020 20:36:47 +0000
with message-id <[email protected]>
and subject line Bug#950121: fixed in opensmtpd 6.0.3p1-5+deb10u3
has caused the Debian Bug report #950121,
regarding opensmtpd: Major vulnerabilities in opensmtpd resulting in RCE and DOS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
950121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: opensmtpd
Version: 6.6.1p1-5~bpo10+1
Severity: critical
Tags: security upstream
Justification: root security hole
Dear Maintainer,
Opensmtpd 6.6.1 has 2 critical vulnerabilities, including one that results in a
remote root arbitrary code execution
see https://www.mail-archive.com/[email protected]/msg04850.html
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages opensmtpd depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii ed 1.15-1
ii init-system-helpers 1.56+nmu1
ii libasr0 1.0.2-2
ii libc6 2.28-10
ii libdb5.3 5.3.28+dfsg1-0.5
ii libevent-2.1-6 2.1.8-stable-4
ii libpam0g 1.3.1-5
ii libssl1.1 1.1.1d-0+deb10u2
ii lsb-base 10.2019051400
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages opensmtpd recommends:
ii opensmtpd-extras 6.6.0-1~bpo10+1
Versions of packages opensmtpd suggests:
ii ca-certificates 20190110
-- Configuration Files:
/etc/smtpd.conf changed [not included]
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: opensmtpd
Source-Version: 6.0.3p1-5+deb10u3
We believe that the bug you reported is fixed in the latest version of
opensmtpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryan Kavanagh <[email protected]> (supplier of updated opensmtpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Jan 2020 19:44:11 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.3p1-5+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Ryan Kavanagh <[email protected]>
Changed-By: Ryan Kavanagh <[email protected]>
Closes: 950121
Changes:
opensmtpd (6.0.3p1-5+deb10u3) buster-security; urgency=high
.
  * Fix two major security bugs (Closes: #950121) (CVE-2020-7247)
    1. smtpd can crash on opportunistic TLS downgrade, causing a denial of
       service. OpenBSD 6.6 errata 018:
       https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
    2. Fix privilege escalation vulnerability: An incorrect check allows an
       attacker to trick mbox delivery into executing arbitrary commands as
       root and lmtp delivery into executing arbitrary commands as an
       unprivileged user. OpenBSD 6.6 errata 019:
       https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig
Checksums-Sha1:
b6499b0c2fc8520c135e08c9a6ffa79ff26b4e00 3082 opensmtpd_6.0.3p1-5+deb10u3.dsc
9aa89eeed7462902903f2e7304173899557aee65 699702 opensmtpd_6.0.3p1.orig.tar.gz
27936365726edbc06a3b7ba1afa9895f82f10425 30488 opensmtpd_6.0.3p1-5+deb10u3.debian.tar.xz
4bda6919e9114f73e347e95ee1da7fc27cd80bc7 8465 opensmtpd_6.0.3p1-5+deb10u3_source.buildinfo
Checksums-Sha256:
3f87713b1a762df4695bde879b651074a48cd5a8caa5df561543c901eb9e5688 3082 opensmtpd_6.0.3p1-5+deb10u3.dsc
291881862888655565e8bbe3cfb743310f5dc0edb6fd28a889a9a547ad767a81 699702 opensmtpd_6.0.3p1.orig.tar.gz
001686a5713417570335e78e38d34b6e48c5775cb1efdaa77b68dafa9d9fb188 30488 opensmtpd_6.0.3p1-5+deb10u3.debian.tar.xz
4a59567fc92d9b33a3fa9d4eced7337f13ddfc765607ee591bcce0edf3518b6d 8465 opensmtpd_6.0.3p1-5+deb10u3_source.buildinfo
Files:
2cddca39b119608a2eabbd4ab7467ad4 3082 mail optional opensmtpd_6.0.3p1-5+deb10u3.dsc
66e496bb0f3303d660744f4fa2178765 699702 mail optional opensmtpd_6.0.3p1.orig.tar.gz
25b4088bc57209a4039b7ebe581677bf 30488 mail optional opensmtpd_6.0.3p1-5+deb10u3.debian.tar.xz
835e67514c1500cc49faee21b6dde461 8465 mail optional opensmtpd_6.0.3p1-5+deb10u3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQVDBAEBCgAtFiEETkaVGe1ndzQmj72Vj3v4/EoRyXoFAl4xoTcPHHJha0BkZWJp
YW4ub3JnAAoJEI97+PxKEcl6X1koAJ1b+uORpBWIIJ/vyjXK9u7dDAYzutoSQ67A
Mn6jPR4Ck68jpekSpY2esdMYj9YWfiM3yyOk1joe0O9JafFRilso1i8cHfZA+acM
2UhdoJA8vv0N1r4V832gcaSHrgqww81Xx4DkrHSZ4Ra6Fq4D9A3r39BweUrGrYk0
pGO6Hw8FG3MkdGae4rphaIDD0/mKvmBMBJSuvzFPjBKlh6GZLxZkEdX5HrSNfLD6
5jS5rcbVDesjFmIieI1qiiUcBEBZiePXy7B3+FBmsUdnb+PLUVtDhJ3hV7KxMWcX
ThwgkxwZ+xAymC2Xc3pk1WUat5DsAh2yUDVyts3GcNyUaP37XBJo+YLpBFFDBe9q
2RjM8q6SZAC6u5xkr203uoy2wa1jk98defUmxU9irUgxnGeuq0/HGhaKYDtS+BgN
uTTJ3agXlZeuJ+r3Es0L7AXYoE3gtv2XHgRGRxMdoxXrOLMYJAW5r093cIj6PKms
9oYwFLrx1unUlj8yAioBIs3hOU5+gPFsQqTOMLtt9P2HqVgXQUeJi02J/hsmBlbb
JP4m92ubFFn/Ih+mv6ShI+RnEVO770eSlkSGblp7joY9EQyyIeYPX5cR5Mt2UKLk
zt5+paDmENwVCyxJSHchJtUg7gDnHzhVdu8IZyJtbOwRrKyn/qS3Dm76+dOAP2Wd
tOSEn1pKsMK/zw9n5VjUyxyh0/Ny/QSDPVzrwC29UQoUfQNIlr8DRy3tDBIin4JY
UazvxlXpH4GH/9lK+Q0J0Avz4aUKMAqW7v9JNV0NrD1nu7O76uLZCLKbcmurigz9
L5NhNOFzdxElCrx8WnBW3wQN/aHHaW7ZJDI36DqTwzpFGdXdTTxiUWswmteO6EVw
eaebxHt0KpIxO5DPkrf17G61CzcfL0jfbfTNiv+N6yrxIPWlFlxmVKj7HXmLL8O1
vTOB7//aVxRWh+QtYCTfbxvIty895cLa+yqaHc/x5LdmY76moJjPb96GbtBRWKWC
ing99iUc5kxsFr1ON3Dh6DJvZ6VQcu9TvEAtGTwThrS8mGtdndp7JhSVU+THgFYo
YPcr9mPSLz1Io858KcEr5cjQfGl5wYmUPLJKY1uoWVlY5q3fTmFDIJV17tYfbFqJ
L160qqTNt1gJC8uyil7e/nAYusQpRF6994smzzWM178TGIsKo2z9RkqGttDkhHiN
i6geUryLgMC8pTvlBVPSMSQAUzWjICm2RSuOaBci6+OTPzM5x7j3S5EC3KN30/jf
ui8pZvWSa904J1ntjKct0KudCxTBB9LzCkD/5oaTWc/r6sdrglwzZTTXtGda3gnb
MBoMAziSaGdGK6jvzYv34OY07DqZHoFkLeICJiE+62r/HSXPV5UqwWec2EoxPZ+e
rzVSjH7GGgeppMUif5iO5WzMxkNxTKW+2iMz2kSnUyaEy5vltwGRf9YFmSaM62J2
3eNY3btpuDTyz1nfgP2Oh5pqGCRTXzRHNTKNrg2cO1DaKT/eKyuNQOubDMCrXW3e
OnwHVGoFZP9yt9+yrAdk6N8DPdyMoaa/+/q3VvV54PbbcSRoANfd0vdzp1FuNa2Z
ps6d8es3qzCDzq8adb00DqOXeBePai8Sb7dVb4b6Xo6AKelCYbUzuHu0EjTIlQ0N
5Fu4up+45OCtirF+9atI74UmtLQPHtRpvP1lUyZFg5C0bhW2IsUwbH573kiI+hmC
4n0WWr6o
=J4zu
-----END PGP SIGNATURE-----
--- End Message ---