Your message dated Thu, 05 Mar 2020 19:02:35 +0000
with message-id <e1j9vlt-000et2...@fasolo.debian.org>
and subject line Bug#952453: fixed in opensmtpd 6.0.2p1-2+deb9u3
has caused the Debian Bug report #952453,
regarding arbitrary command execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
952453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opensmtpd
Version: 6.6.2p1-1
Severity: critical
Tags: upstream

OpenBSD 6.6 errata 021, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opensmtpd depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.73
ii  ed                     1.16-1
ii  init-system-helpers    1.57
ii  libasr0                1.0.2-2+b1
ii  libc6                  2.29-6
ii  libcrypt1              1:4.4.10-7
ii  libdb5.3               5.3.28+dfsg1-0.6
ii  libevent-2.1-7         2.1.11-stable-1
ii  libpam0g               1.3.1-5
ii  libssl1.1              1.1.1d-2
ii  lsb-base               11.1.0
ii  zlib1g                 1:1.2.11.dfsg-1.2

Versions of packages opensmtpd recommends:
ii  opensmtpd-extras  6.6.0-1

Versions of packages opensmtpd suggests:
ii  ca-certificates  20190110

-- Configuration Files:
/etc/smtpd.conf changed [not included]

-- debconf information excluded

-- 
|)|/ Ryan Kavanagh   | GPG: 4E46 9519 ED67 7734 268F
|\|\ https://rak.ac  |      BD95 8F7B F8FC 4A11 C97A
--- End Message ---
--- Begin Message ---
Source: opensmtpd
Source-Version: 6.0.2p1-2+deb9u3
Done: Ryan Kavanagh <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
opensmtpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Kavanagh <r...@debian.org> (supplier of updated opensmtpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Feb 2020 12:09:37 -0500
Source: opensmtpd
Architecture: source
Version: 6.0.2p1-2+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Ryan Kavanagh <r...@debian.org>
Changed-By: Ryan Kavanagh <r...@debian.org>
Closes: 952453
Changes:
 opensmtpd (6.0.2p1-2+deb9u3) stretch-security; urgency=high
 .
   * Fix LPE and RCE vulnerability (Closes: #952453) (CVE-2020-8794)
     An out of bounds read in smtpd allows an attacker to inject arbitrary
     commands into the envelope file which are then executed as root.
     Separately, missing privilege revocation in smtpctl allows arbitrary
     commands to be run with the _smtpq group.
     OpenBSD 6.6 errata 021:
     https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
--- End Message ---