Your message dated Thu, 30 Jan 2020 21:17:37 +0000
with message-id <[email protected]>
and subject line Bug#950121: fixed in opensmtpd 6.0.2p1-2+deb9u1
has caused the Debian Bug report #950121,
regarding opensmtpd: Major vulnerabilities in opensmtpd resulting in RCE and DOS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
950121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: opensmtpd
Version: 6.6.1p1-5~bpo10+1
Severity: critical
Tags: security upstream
Justification: root security hole

Dear Maintainer,

Opensmtpd 6.6.1 has 2 critical vulnerabilities, including one that results in a
remote root arbitrary code execution.

see https://www.mail-archive.com/[email protected]/msg04850.html

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opensmtpd depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  ed                     1.15-1
ii  init-system-helpers    1.56+nmu1
ii  libasr0                1.0.2-2
ii  libc6                  2.28-10
ii  libdb5.3               5.3.28+dfsg1-0.5
ii  libevent-2.1-6         2.1.8-stable-4
ii  libpam0g               1.3.1-5
ii  libssl1.1              1.1.1d-0+deb10u2
ii  lsb-base               10.2019051400
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages opensmtpd recommends:
ii  opensmtpd-extras  6.6.0-1~bpo10+1

Versions of packages opensmtpd suggests:
ii  ca-certificates  20190110

-- Configuration Files:
/etc/smtpd.conf changed [not included]

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: opensmtpd
Source-Version: 6.0.2p1-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
opensmtpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Kavanagh <[email protected]> (supplier of updated opensmtpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Jan 2020 20:28:49 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.2p1-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Ryan Kavanagh <[email protected]>
Changed-By: Ryan Kavanagh <[email protected]>
Closes: 950121
Changes:
 opensmtpd (6.0.2p1-2+deb9u1) stretch-security; urgency=high
 .
   * Fix privilege escalation vulnerability, 019_smtpd_exec.patch.sig. An
     incorrect check allows an attacker to trick mbox delivery into executing
     arbitrary commands as root and lmtp delivery into executing arbitrary
     commands as an unprivileged user. (Closes: #950121) (CVE-2020-7247)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
