Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-30 Thread Harald Dunkel

Hi Jason,

On 2020-01-29 14:33, Jason Barbier wrote:


According to the CVE everything since the commit in May 2018 that established 
the new grammar.



The EMail did not mention a CVE. I was very concerned that I had to upgrade
my "old" hosts to the new smtpd.conf syntax, so this is good news.

Thanx for your reply.


Regards
Harri



Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Harald Dunkel

Hi Gilles,

On 2020-01-28 23:30, gil...@poolp.org wrote:

Hello misc@,

Qualys has found a critical vulnerability leading to a possible privilege 
escalation.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

We'll provide more details when the advisory will be out and I'll take time to 
write
about how this bug was made possible, but in the meantime get your setups fixed 
!



Which versions of opensmtpd are affected?

Thanx for the quick fix.
Harri



Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Reio Remma

On 29/01/2020 00:30, gil...@poolp.org wrote:

Hello misc@,

Qualys has found a critical vulnerability leading to a possible privilege 
escalation.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

We'll provide more details when the advisory will be out and I'll take time to 
write
about how this bug was made possible, but in the meantime get your setups fixed 
!



Thanks a lot for the heads up! Updated my CentOS 7 packages.

Thanks,
Reio