Re: OpenSMTPD 6.6.4p1 released: addresses CRITICAL vulnerability
Oh, I see. They added an amendment to the end.

Last-minute note: on February 9, 2020, opensmtpd-6.6.2p1-1.fc31 was released and correctly made smtpctl set-group-ID smtpq, instead of set-group-ID root.

Rather strange that they haven't managed to update packages for two weeks before checking anything.

On Wed, Feb 26, 2020 at 3:56 AM Denis Fateyev wrote:
> Beside the real vulnerability, what is interesting is that Qualys used an
> outdated Fedora package to prepare the report:
>
> On Linux, this vulnerability is generally not exploitable because
> /proc/sys/fs/protected_hardlinks prevents attackers from creating
> hardlinks to files they do not own. On Fedora 31, however, smtpctl is
> set-group-ID root, not set-group-ID smtpq:
>
> --
> -r-xr-sr-x. 1 root root 303368 Jul 26 2019 /usr/sbin/smtpctl
> --
>
> The latest package (6.6.2, pushed to stable on Feb 09) contains a
> different file:
>
> # ls -la /usr/sbin/smtpctl
> -r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl
>
> The version that they tested was way back from 2019.
>
> I think I need to inform them separately, but just FYI.
>
> --
> wbr, Denis.
Re: OpenSMTPD 6.6.4p1 released: addresses CRITICAL vulnerability
Beside the real vulnerability, what is interesting is that Qualys used an outdated Fedora package to prepare the report:

    On Linux, this vulnerability is generally not exploitable because
    /proc/sys/fs/protected_hardlinks prevents attackers from creating
    hardlinks to files they do not own. On Fedora 31, however, smtpctl is
    set-group-ID root, not set-group-ID smtpq:

    --
    -r-xr-sr-x. 1 root root 303368 Jul 26 2019 /usr/sbin/smtpctl
    --

The latest package (6.6.2, pushed to stable on Feb 09) contains a different file:

    # ls -la /usr/sbin/smtpctl
    -r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl

The version that they tested was way back from 2019.

I think I need to inform them separately, but just FYI.
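The two listings above differ only in the group that smtpctl is set-group-ID to. As an added example (not part of the thread, and not OpenSMTPD or Fedora code), the script below classifies an `ls -la` line by that property and, on a live host, also reports the protected_hardlinks sysctl the message refers to; the function names and the verdict strings are my own.

```shell
# Classify one `ls -la` line for smtpctl by the property discussed in the thread:
# is the binary set-group-ID, and to which group? Prints exactly one of
# ok (setgid smtpq), setgid-root, other-group, or not-setgid.
classify_smtpctl_line() {
    # Split the listing on whitespace: mode links owner group size ... path
    set -- $1
    mode=$1
    group=$4
    # Character 7 of the mode string is the group-execute slot; 's' or 'S'
    # there means the set-group-ID bit is on.
    gbit=$(printf '%s' "$mode" | cut -c7)
    case "$gbit" in
        s|S) ;;
        *) echo not-setgid; return 0 ;;
    esac
    case "$group" in
        smtpq) echo ok ;;
        root)  echo setgid-root ;;
        *)     echo other-group ;;
    esac
}

# Live audit for a host running OpenSMTPD: classify the installed binary and show
# whether the kernel hardlink protection the thread mentions is enabled (Linux only).
audit_live() {
    bin=${1:-/usr/sbin/smtpctl}
    [ -e "$bin" ] || { echo "missing: $bin"; return 1; }
    classify_smtpctl_line "$(ls -la "$bin")"
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        printf 'protected_hardlinks=%s\n' "$(cat /proc/sys/fs/protected_hardlinks)"
    fi
}

# Constructed samples: the two listings quoted in the thread.
OLD_FEDORA='-r-xr-sr-x. 1 root root 303368 Jul 26 2019 /usr/sbin/smtpctl'
NEW_FEDORA='-r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl'
```

Run `audit_live` (optionally with a path) on the host to check the installed binary; a result other than `ok`, or `protected_hardlinks=0`, is what to flag for the packaging or sysctl owner.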
OpenSMTPD 6.6.4p1 released: addresses CRITICAL vulnerability
Hello misc@,

Qualys has found another critical vulnerability in OpenSMTPD. It is very important that you upgrade your setups AS SOON AS POSSIBLE.

I can't comment yet as I was not involved in the bug fixing this time, and didn't see the advisory, just the resulting bug fix diff. I'll comment and do an analysis of the issue in a few days.

On OpenBSD:
---

Binary patches are available through syspatch. Just run the syspatch command and make sure that your OpenSMTPD was restarted:

    $ doas syspatch

On other systems:
---

I have released version 6.6.4p1 of OpenSMTPD which addresses the vulnerability.

It is available from our website:

    https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.tar.gz
    https://www.opensmtpd.org/archives/opensmtpd-6.6.4p1.sum.sig

It is also available from Github:

    https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.tar.gz
    https://github.com/OpenSMTPD/OpenSMTPD/releases/download/6.6.4p1/opensmtpd-6.6.4p1.sum.sig

Or using the `6.6.4p1` tag if you're building from source.