Oh, I see. They added an amendment to the end.

Last-minute note: on February 9, 2020, opensmtpd-6.6.2p1-1.fc31 was
released and correctly made smtpctl set-group-ID smtpq, instead of
set-group-ID root.

Rather strange that they haven't managed to update packages for two
weeks before checking anythi

Besides the real vulnerability, what is interesting is that Qualys used an
outdated Fedora package to prepare the report:

On Linux, this vulnerability is generally not exploitable because
/proc/sys/fs/protected_hardlinks prevents attackers from creating
hardlinks to files they do not own. On Fedora 31

Hello misc@,
Qualys has found another critical vulnerability in OpenSMTPD.
It is very important that you upgrade your setups AS SOON AS POSSIBLE.
I can't comment yet as I was not involved in the bug fixing this time,
and didn't see the advisory, just the resulting bug fix diff.
I'll comment and