Your message dated Thu, 05 Mar 2020 18:47:10 +0000
with message-id <e1j9vwy-000cxy...@fasolo.debian.org>
and subject line Bug#952453: fixed in opensmtpd 6.0.3p1-5+deb10u4
has caused the Debian Bug report #952453,
regarding arbitrary command execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
952453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opensmtpd
Version: 6.6.2p1-1
Severity: critical
Tags: upstream

OpenBSD 6.6 errata 021, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opensmtpd depends on:
ii  adduser                 3.118
ii  debconf [debconf-2.0]   1.5.73
ii  ed                      1.16-1
ii  init-system-helpers     1.57
ii  libasr0                 1.0.2-2+b1
ii  libc6                   2.29-6
ii  libcrypt1               1:4.4.10-7
ii  libdb5.3                5.3.28+dfsg1-0.6
ii  libevent-2.1-7          2.1.11-stable-1
ii  libpam0g                1.3.1-5
ii  libssl1.1               1.1.1d-2
ii  lsb-base                11.1.0
ii  zlib1g                  1:1.2.11.dfsg-1.2

Versions of packages opensmtpd recommends:
ii  opensmtpd-extras        6.6.0-1

Versions of packages opensmtpd suggests:
ii  ca-certificates         20190110

-- Configuration Files:
/etc/smtpd.conf changed [not included]

-- debconf information excluded

--
|)|/ Ryan Kavanagh   | GPG: 4E46 9519 ED67 7734 268F
|\|\ https://rak.ac  |      BD95 8F7B F8FC 4A11 C97A
--- End Message ---
--- Begin Message ---
Source: opensmtpd
Source-Version: 6.0.3p1-5+deb10u4
Done: Ryan Kavanagh <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
opensmtpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Kavanagh <r...@debian.org> (supplier of updated opensmtpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Feb 2020 11:12:06 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.3p1-5+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Ryan Kavanagh <r...@debian.org>
Changed-By: Ryan Kavanagh <r...@debian.org>
Closes: 952453
Changes:
 opensmtpd (6.0.3p1-5+deb10u4) buster-security; urgency=high
 .
   * Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794)
     An out of bounds read in smtpd allows an attacker to inject arbitrary
     commands into the envelope file which are then executed as root.
     Separately, missing privilege revocation in smtpctl allows arbitrary
     commands to be run with the _smtpq group.
     OpenBSD 6.6 errata 021:
     https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
Checksums-Sha1:
 46d2973b2e55a3b6f35e41306352fbb55f934b5b 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
 9aa89eeed7462902903f2e7304173899557aee65 699702 opensmtpd_6.0.3p1.orig.tar.gz
 4efdab03aa9afee92b6c4efc1af9d7828a2344e2 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 b36850596006e83590f17b2fd6fcdb3e28484908 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Checksums-Sha256:
 af4b8a14da37ab2dd0fdfa90dd5e0bd0323eac7e039dda6515f61b6b19366b01 3082 opensmtpd_6.0.3p1-5+deb10u4.dsc
 291881862888655565e8bbe3cfb743310f5dc0edb6fd28a889a9a547ad767a81 699702 opensmtpd_6.0.3p1.orig.tar.gz
 ea5dd103a8e4ab0087813273eb7395df3f8b102cc2ad3f7c95c7ceac260645b5 32696 opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 091235753df594059bf6a4b0be491232bd01346536a68017ff34af572fa2676a 8561 opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo
Files:
 5d011c1ef3918e2b95311f86584ead27 3082 mail optional opensmtpd_6.0.3p1-5+deb10u4.dsc
 66e496bb0f3303d660744f4fa2178765 699702 mail optional opensmtpd_6.0.3p1.orig.tar.gz
 fb0fe30dc84bf24c38ca8eed7885142c 32696 mail optional opensmtpd_6.0.3p1-5+deb10u4.debian.tar.xz
 2a711f83dcce76d1d7e51c05987354c9 8561 mail optional opensmtpd_6.0.3p1-5+deb10u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQVDBAEBCgAtFiEETkaVGe1ndzQmj72Vj3v4/EoRyXoFAl5Vi7UPHHJha0BkZWJp
YW4ub3JnAAoJEI97+PxKEcl6ni8n/0/Ca/chs/24T7iYltyncJ1aXspOSZBn2skK
G/eCAZVFp77CRwRfm+thhEuvuD992nURyuIUG3d6pQAUKkxyhHk6VFxNmLeE0oUB
hVYj3pGGzLlmrT6e3w64SMrsXvayNIFCDttYzoT5sJTGNOrOcQSRxoAlh5PRFjEu
Nzl0rWvYAQuAP2XCzK3E4KE2/AV78sEwzlC5DtI4LwazLHe/bJ455uN/7AG/ytk+
s2wbyonjA/8y9m8PE9+/zAOjjtmIEk9P6B8qqldhoJ2Fj2rtGT9dq/78Fs7UHcEO
bnUZuVMQL6YdFGjKuPIYlM11WlldLrZdLcNrmgZGCQS3UyMHqyZ/mn8XCqdPLcdl
oJPgt10EIl57a26c/uOUmWE35HC+4lEhAmEjOF61Tn+ESd1cl93POehxQG+jaWpB
SkXIqjZ2N3c3XdpUAub7BQEEt0xNUmIbASP9Wb6d9ZDmSk60nxoTqXUJ1sGY1MjS
gvJO2AXZdMHMJDdIWVvpbqljXf/47EZeaNs+1+Fu7pdBzLtn5tKUqDPcXjhXh98p
T00Qy0FYQ8ouAN6z+3TziJfUPBZctaOnSZZ7UM00fy1k2gsdh1/I4QTL7icH57w1
tRi+1SlzT924GsHXmSLiVIRs29XGkZJUMy5KBaG8Kxm7r79eOUvtTfipUntnjDhp
Pn0QIs2vyrpmTSwkTZFNEHspVcvB8V8k79X5kSXQd7dsqGq8G3bY+LIW9tp2yA1K
0J/jVUkQenBb6wuFvjN6WS+nfUrKcwAb2Toodd8ok5qs0wrvmZMgUm4aSHMegao9
c3W/ogctTVFRbTjWe/k5kxhYaUY6c1eFMMnYHjV86tk5fohdhKRS5wBDrjwWAow1
wz9adURSwd35jlbXa/eSu8Jm8rW1XC7Y7N1GZhwc+u98oD8XTsena9Pv+HBxJ8A9
3NlB650zEXMnogJH6LsLgXlKPJGXt2wOhIZAl1rZ6zzZMSaUVwOAggZU3rvKj3UI
DnvWBJci06cvOzKijpUIBG+gje7fvgKjxV1V2FxUWiyjZs6aVWFIp7QuvUH7ZZEH
pLrS+B0rsLv5gzrqXo2Bplf6WmtFG4xeXKBxEsU2LlxnoN11xFrtt9T4nwhiqPKM
OBl83WPb0/QCEwpM4vT/fySubhn2bjROkuB0cJIAqNkW++svVJKGL9NwzoDJIN5g
Uoou+fS7s/MiX8lljW+R4fIr/i9Dtww+PzCHwEGKi1KTgdB79LfEnZN7qCWnlNGl
+JqdmgjTxXR7k+nqrQsL5NoPAWj1zcAD4wmXf7G4UGAJ5tZEG2cLe4LtGGllHM9m
YwCN5+ZQz5J+f75y4yd3oAtAYuXYvoiHUSg7IUs/K1oRkLU6GPg+T3r6RIaIdh6v
oy6tBUCuXLPj9sP8DxKuO5BdRWrblOPJeCR7yCHiGmWdrdcX6WDUUq8KdNSkHfOB
JIx0n8zukvfV7huuDmzadLIj+wPpz6+h6DqdBBn2TLRmBy8TM45jQceBD/tyYzLB
x2YhYVeJKzybl6s448y0nLxejI3sVWUs6fEwi/9mOM8A+3WE8GEAMWb6PTbmQObL
QMyHbeLTEASm2Rxzx/GC/UUZSKdSnxtrh73NGL60kPmwjJZDTyevrqFqdzR2J27O
6IeigstpDlmQyWOUuNx2uDWygTaHrzckkuDXSoftT/t9chVUyUHocnZ5K4cPXOwv
1On4b94T
=p6yW
-----END PGP SIGNATURE-----
--- End Message ---
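The close message above names 6.0.3p1-5+deb10u4 as the buster-security version carrying the CVE-2020-8794 fix. The check a fleet owner wants is "is the installed opensmtpd at least that version", and a plain string comparison gets Debian versions wrong (epochs, `~` pre-release markers, multi-digit numeric runs such as deb10u10 vs deb10u4). The Python below is an added example, not part of the bug report, the BTS notification or dpkg: it ports dpkg's version-ordering rules, parses output in the shape of `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`, and classifies the host. FIXED_VERSION is taken from the changelog above; SAMPLE_DPKG_OUTPUT, `assess` and `query_live` are my own constructions.

```python
# Added example (not from the bug report, the BTS, or dpkg itself): decide whether
# an installed opensmtpd is at or past the buster-security version named above.
# compare_versions() ports dpkg's ordering: epoch, then upstream, then Debian
# revision, the last two via the verrevcmp rules. SAMPLE_DPKG_OUTPUT is constructed.
import subprocess

FIXED_VERSION = "6.0.3p1-5+deb10u4"  # from the buster-security changelog above

# Constructed sample of `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`
# output on a host that is one security upload behind.
SAMPLE_DPKG_OUTPUT = """opensmtpd 6.0.3p1-5+deb10u3 install ok installed
opensmtpd-extras 6.0.3p1-3 install ok installed
"""

def _isdigit(c):
    return "0" <= c <= "9"

def _order(c):
    """Weight dpkg gives a character inside a non-digit run ('' = end of string)."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate lexical non-digit and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):   # more digits left: the larger number
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision) as dpkg does."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """<0 if a < b, 0 if equal, >0 if a > b, like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_dpkg_query(text):
    """Map package -> (version, status) from '${Package} ${Version} ${Status}' lines."""
    packages = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            packages[parts[0]] = (parts[1], parts[2])
    return packages

def assess(dpkg_output, package="opensmtpd", fixed=FIXED_VERSION):
    """Return 'patched', 'vulnerable' or 'not-installed' for one package."""
    entry = parse_dpkg_query(dpkg_output).get(package)
    if entry is None or not entry[1].endswith(" installed"):
        return "not-installed"   # absent, or only config files left behind
    return "patched" if compare_versions(entry[0], fixed) >= 0 else "vulnerable"

def query_live(package="opensmtpd"):
    """Ask the local dpkg database; '' when the package is unknown or dpkg-query is absent."""
    try:
        proc = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version} ${Status}\\n", package],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout

if __name__ == "__main__":
    print("sample host:", assess(SAMPLE_DPKG_OUTPUT))   # vulnerable
    print("this host:  ", assess(query_live()))
```

The status check matters as much as the version: a package in "deinstall ok config-files" state still reports a version but no longer ships the vulnerable binaries, and on a bullseye/sid host the comparison must be made against that suite's own fixed version rather than the buster one.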