Hello misc@, Qualys has found a critical vulnerability leading to a possible privilege escalation.
It is very important that you upgrade your setups AS SOON AS POSSIBLE. We'll provide more details when the advisory will be out and I'll take time to write about how this bug was made possible, but in the meantime get your setups fixed ! On OpenBSD: --- Binary patches are available through syspatch. Just run the syspatch command and make sure that your OpenSMTPD was restarted: $ doas syspatch On other systems --- I have released version 6.6.2p1 of OpenSMTPD which addresses the vulnerability. It is available from our website: https://www.opensmtpd.org/archives/opensmtpd-6.6.2p1.tar.gz https://www.opensmtpd.org/archives/opensmtpd-6.6.2p1.sum.sig It is also available from Github: https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.2p1/opensmtpd-6.6.2p1.tar.gz https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.2p1/opensmtpd-6.6.2p1.sum.sig Or using the `6.6.2p1` tag if you're building from source.
