Hello misc@,

Qualys has found another critical vulnerability in OpenSMTPD.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

I can't comment yet as I was not involved in the bug fixing this time, and didn't see the advisory, just the resulting bug fix diff. I'll comment and do an analysis of the issue in a few days.

On OpenBSD:
---

Binary patches are available through syspatch. Just run the syspatch command and make sure that your OpenSMTPD was restarted:

    $ doas syspatch

On other systems:
---

I have released version 6.6.4p1 of OpenSMTPD which addresses the vulnerability.

It is available from our website:

    https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.tar.gz
    https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.sum.sig

It is also available from GitHub:

    https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.tar.gz
    https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.sum.sig

Or using the `6.6.4p1` tag if you're building from source.