Qualys has found another critical vulnerability in OpenSMTPD.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

I can't comment yet as I was not involved in the bug fixing this time,
and didn't see the advisory, just the resulting bug fix diff.

I'll comment and do an analysis of the issue in a few days.

On OpenBSD:

Binary patches are available through syspatch.

Just run the syspatch command and make sure that your OpenSMTPD was restarted:

$ doas syspatch

On other systems:

I have released version 6.6.4p1 of OpenSMTPD which addresses the vulnerability.

It is available from our website:


It is also available from Github:


Or using the `6.6.4p1` tag if you're building from source.
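An added post-upgrade check, not part of the original post: a POSIX sh script that pulls the version out of `smtpd -h` output (assumed here to contain a line of the form `version: OpenSMTPD 6.6.4p1`) and reports whether the installed build is still older than the 6.6.4p1 release that carries the fix.

```shell
#!/bin/sh
# Added example (not from the post or the OpenSMTPD project): compare the
# version a portable OpenSMTPD reports against the fixed release 6.6.4p1.
# Assumption: `smtpd -h` prints a line like "version: OpenSMTPD 6.6.4p1".

FIXED_VERSION="6.6.4p1"

# Drop the portable "pN" suffix and print major, minor and patch as three words.
split_version() {
    printf '%s\n' "$1" | sed 's/p[0-9]*$//' | tr '.' ' '
}

# Return 0 if version $1 is at least version $2, 1 otherwise.
version_at_least() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Print the version found in `smtpd -h`-style text read from stdin.
smtpd_version_from_output() {
    sed -n 's/^version: OpenSMTPD \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when the version in $1 is fixed, 1 when an upgrade is still needed,
# 2 when no version line could be found.
check_smtpd_output() {
    v=$(printf '%s\n' "$1" | smtpd_version_from_output)
    [ -n "$v" ] || { echo "could not find an OpenSMTPD version line"; return 2; }
    if version_at_least "$v" "$FIXED_VERSION"; then
        echo "OpenSMTPD $v: fixed release or newer"
        return 0
    fi
    echo "OpenSMTPD $v: older than $FIXED_VERSION, upgrade required"
    return 1
}

# Constructed sample output for demonstration, not captured from a real host.
SAMPLE_OLD="version: OpenSMTPD 6.6.3p1
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]"
```

On a live host, feed it the real output with `check_smtpd_output "$(smtpd -h 2>&1)"`; a non-zero exit means the binary on disk is still the old one, and restart the daemon after upgrading so the running process matches it.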

