OpenSMTPD 6.0.2 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and Linux.

The archives are now available from the main site at www.OpenSMTPD.org

We would like to thank the OpenSMTPD community for their help in testing
the snapshots, reporting bugs, contributing code and packaging for other
systems.

This is a minor release with a reliability fix.

Changes in this release (since 6.0.1):
======================================

- A bug in the smtp session logic can lead to hanging sessions. [1]
- A bug in portable OpenSMTPD can lead to a server crash if PAM
  support is disabled and an attacker sends a mail to an account
  that has been disabled by setting its password to a value that
  causes the crypt() call to fail. [2]

[1] found and reported by James Pole
[2] found and reported by Patrick Seeburger (CVE-2016-8594)


Checksums:
==========

  SHA256 (opensmtpd-6.0.2.tar.gz) =
  86a9f53b1508ffd11a4453f3653b78e4d81b9cf50ed30ae35164ae3942140287

  SHA256 (opensmtpd-6.0.2p1.tar.gz) =
  2af9b6d08784c7e546bf124bb61e311a6aa0c9835507710a76f5c242383190ac


Verify:
=======

Starting with version 5.7.1, releases are signed with signify(1).

You can obtain the public key from our website; check with our community
that it has not been altered on its way to your machine.

Once you are confident the key is correct, you can verify the release as
described below:

1- download both release tarball and matching signature file to same directory:

   for OpenBSD version:
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.0.2.sum.sig
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.0.2.tar.gz

   for portable version:
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.0.2p1.sum.sig
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.0.2p1.tar.gz


2- use `signify` to verify that signature file is properly signed and that the
   checksum matches the release tarball you downloaded:

   for OpenBSD version:
   $ signify -C -e -p opensmtpd.pub -x opensmtpd-6.0.2.sum.sig
   Signature Verified
   opensmtpd-6.0.2.tar.gz: OK

   for portable version:
   $ signify -C -e -p opensmtpd.pub -x opensmtpd-6.0.2p1.sum.sig
   Signature Verified
   opensmtpd-6.0.2p1.tar.gz: OK


If you don't get an OK message, then something is not right and you should not
install without first understanding why it failed.


Support:
========

You are encouraged to register to our general purpose mailing-list:
    http://www.opensmtpd.org/list.html

The "Official" IRC channel for the project is at:
    #OpenSMTPD @ irc.freenode.net


Reporting Bugs:
===============

Please read http://www.opensmtpd.org/report.html
Security bugs should be reported directly to secur...@opensmtpd.org
Other bugs may be reported to b...@opensmtpd.org

OpenSMTPD is brought to you by Gilles Chehade, Eric Faurot and
Sunil Nimmagadda.

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
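
Added example, not part of the original announcement and not OpenSMTPD's code: a password check that fails closed when crypt(3) returns NULL, the failure condition named in item [2] above. The names `check_password` and `crypt_fn`, the injected stubs and the sample values are assumptions of this example; in real use the caller passes `crypt` itself.

```c
#include <stddef.h>
#include <string.h>

/* Same signature as crypt(3). Injected (assumption of this example) so the
 * failure path can be exercised without a real password database. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Compare two NUL-terminated strings without an early exit on mismatch. */
static int ct_streq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = 0;

    if (la != lb)
        return 0;
    for (i = 0; i < la; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Returns 1 only if `password` hashes to `stored`; every failure denies. */
int check_password(crypt_fn do_crypt, const char *password, const char *stored)
{
    const char *hashed;

    if (do_crypt == NULL || password == NULL || stored == NULL)
        return 0;
    /* A disabled account may hold a value that is not a valid crypt
     * setting; crypt(3) is allowed to return NULL in that case. */
    hashed = do_crypt(password, stored);
    if (hashed == NULL)
        return 0;               /* fail closed, never dereference NULL */
    return ct_streq(hashed, stored);
}

/* Constructed stubs standing in for crypt(3). */
static char *crypt_fails(const char *k, const char *s) { (void)k; (void)s; return NULL; }
static char *crypt_echo(const char *k, const char *s) { (void)s; return (char *)k; }

int main(void)
{
    /* "*" is a constructed sample of a disabled-account password field. */
    int ok = check_password(crypt_fails, "secret", "*") == 0
          && check_password(crypt_echo, "hash", "hash") == 1
          && check_password(crypt_echo, "hash", "hasx") == 0;
    return ok ? 0 : 1;
}
```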
