Public bug reported:

opensmtpd versions >= 6 have two vulnerabilities:

An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user.

smtpd can crash on opportunistic TLS downgrade, causing a denial of service.

** Affects: opensmtpd (Ubuntu)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #950121
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121

** Also affects: opensmtpd (Debian)
   via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121
     Importance: Unknown
         Status: Unknown

https://bugs.launchpad.net/bugs/1861242

Title:
  Major vulnerabilities in opensmtpd resulting in RCE and DOS