Hello misc@,

Qualys has found another critical vulnerability in OpenSMTPD.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

I can't comment yet as I was not involved in the bug fixing this time,
and didn't see the advisory, just the resulting bug fix diff.

I'll comment and do an analysis of the issue in a few days.


On OpenBSD:
---

Binary patches are available through syspatch.

Just run the syspatch command and make sure that your OpenSMTPD was restarted:

$ doas syspatch

On other systems
---

I have released version 6.6.4p1 of OpenSMTPD which addresses the vulnerability.

It is available from our website:

https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.tar.gz
https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.sum.sig

It is also available from GitHub:

https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.tar.gz
https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.sum.sig

Or using the `6.6.4p1` tag if you're building from source.
