Public bug reported:

opensmtpd versions >= 6 have two vulnerabilities:

An incorrect check allows an attacker to trick mbox delivery into executing
arbitrary commands as root and lmtp delivery into executing arbitrary commands
as an unprivileged user.

smtpd can crash on opportunistic TLS downgrade, causing a denial of
service.

** Affects: opensmtpd (Ubuntu)
     Importance: Critical
         Status: Confirmed

** Affects: opensmtpd (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #950121
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121

** Also affects: opensmtpd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950121
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1861242

Title:
  Major vulnerabilities in opensmtpd resulting in RCE and DOS
