Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
ad7c1211 by Salvatore Bonaccorso at 2023-12-24T09:28:28+01:00
Split up temporary SMTP smuggling attacker entry as per assigned CVEs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,11 +1,24 @@
CVE-2023-51767 (OpenSSH through 9.6, when common types of DRAM are used, might
allow r ...)
TODO: check
CVE-2023-51766 (Exim through 4.97 allows SMTP smuggling in certain
configurations. Rem ...)
- TODO: check
+ - exim4 <unfixed>
+ NOTE:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
+ NOTE: https://bugs.exim.org/show_bug.cgi?id=3063
+ NOTE: https://exim.org/static/doc/security/CVE-2023-51766.txt
CVE-2023-51765 (sendmail through at least 8.14.7 allows SMTP smuggling in
certain conf ...)
+ - sendmail <unfixed>
TODO: check
CVE-2023-51764 (Postfix through 3.8.4 allows SMTP smuggling unless configured
with smt ...)
- TODO: check
+ - postfix 3.8.4-1 (bug #1059230)
+ NOTE:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
+ NOTE: https://www.postfix.org/smtp-smuggling.html
+ NOTE:
https://www.mail-archive.com/[email protected]/msg100901.html
+ NOTE: Short-term Mitigation: smtpd_forbid_unauth_pipelining = yes
+ NOTE: Long-term fix with new (optional) feature that is disabled by
default:
+ NOTE: New setting: smtpd_forbid_bare_newline = yes
+ NOTE: https://www.openwall.com/lists/oss-security/2023/12/22/3
CVE-2023-51763 (csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0
allows C ...)
TODO: check
CVE-2023-7090 (A flaw was found in sudo in the handling of ipa_hostname, where
ipa_ho ...)
@@ -504,19 +517,6 @@ CVE-2023-32242 (Deserialization of Untrusted Data
vulnerability in xtemos WoodMa
NOT-FOR-US: WordPress plugin
CVE-2023-2487 (Exposure of Sensitive Information to an Unauthorized Actor
vulnerabili ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-XXXX [SMTP smuggling attack]
- - exim4 <unfixed>
- - postfix 3.8.4-1 (bug #1059230)
- NOTE:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
- NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6
- NOTE: Exim: https://bugs.exim.org/show_bug.cgi?id=3063
- NOTE: postfix: https://www.postfix.org/smtp-smuggling.html
- NOTE: postfix:
https://www.mail-archive.com/[email protected]/msg100901.html
- NOTE: postfix: Short-term Mitigation: smtpd_forbid_unauth_pipelining =
yes
- NOTE: postfix: Long-term fix with new (optional) feature that is
disabled by default:
- NOTE: New setting: smtpd_forbid_bare_newline = yes
- NOTE: https://www.openwall.com/lists/oss-security/2023/12/22/3
- TODO: track other major mailserver implementations
CVE-2023-48291 (Apache Airflow, in versions prior to 2.8.0, contains a
security vulner ...)
- airflow <itp> (bug #819700)
CVE-2023-47265 (Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS
vulnerab ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad7c12119422b8ad6e30ca253c361a590daa3088
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad7c12119422b8ad6e30ca253c361a590daa3088
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
