Control: retitle -1 postfix: CVE-2023-51764: SMTP Smuggling attack

Hi

On Thu, Dec 21, 2023 at 01:03:20PM -0500, Scott Kitterman wrote:
> On Thursday, December 21, 2023 11:57:21 AM EST Salvatore Bonaccorso wrote:
> > Source: postfix
> > Version: 3.8.2-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > Control: found -1 3.7.6-0+deb12u2
> > Control: found -1 3.5.18-0+deb11u1
> > Control: found -1 3.4.23-0+deb10u1
> > 
> > Hi
> > 
> > There was an SMTP smuggling vulnerability reported, for which in some
> > Postfix versions at least there already exist short-term mitigations in
> > the form of "smtpd_forbid_unauth_pipelining = yes".
> > 
> > Details via:
> > 
> > https://www.mail-archive.com/postfix-users@postfix.org/msg100901.html
> > https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
> 
> See https://www.postfix.org/smtp-smuggling.html for the most recent 
> information.
> 
> The mitigation is available for stable, but not yet oldstable.

Right, that was the better reference for following the status.

A CVE has been assigned in the meantime for the issue in postfix:
CVE-2023-51764.

Regards,
Salvatore
