-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3829-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucariès June 15, 2024 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : sendmail Version : 8.15.2-14~deb10u2 CVE ID : CVE-2023-51765 Debian Bug : 1059386 sendmail allowed SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not. This particular injection vulnerability has been closed, unfortunatly full closure need to reject mail that contain NUL (0x00 byte). This is slighly non conformant with RFC and could be opt-out by setting confREJECT_NUL to 'false' in sendmail.mc file. For Debian 10 buster, this problem has been fixed in version 8.15.2-14~deb10u2. We recommend that you upgrade your sendmail packages. For the detailed security status of sendmail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sendmail Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmZtUbARHHJvdWNhQGRl Ymlhbi5vcmcACgkQADoaLapBCF+HvA/+Mw7PEDlB2ZKWnJiKoJU7nVNuWyyBUSqV bRVo4+FmMKiuBb9MvdWn10u2mydnZYDtzb9+d32axvOb9h1PAfQvPPnorpKQ08oa Xy6tBakLRScnfp1sm2mFR3lpO0ySrF3uOT7dKGuSCF9qlcPvRQnjaFb2mTEo2TAF 20dNjhVgr5+BJ4RWGVJ/JsZRFvq+5kKJgdoz80LAByXrzOjrQ9K6Z9mXP1RjKXiw qjNg7hV/YU9UDC8FOFjSMLp0qwIZVM1YaAyXdBR56nkqVNfWo3jrdcsEo6l4R7sQ HbBBqTB3LhZXTIMBAbyiOFAtKfFo6Ah44HRrrXgs7dWOGBHzk1v/2rExCd7PbO2k Lizt8W4ozev/e//vhe63U5rgZLeKzRZJvLuhRvgf63UW6G5joblIZJ0BZTNe/q8t PTEPoGpVfazIkl5vEljK9IJkKidYI0V1BIyAhfuAeE/n0/5F7/6UktqiWwMwMzhg ko54PB6NyV8oY8NseXpuV+qz4CpcL17Oa1gJeN8aSRUm8R8Fi0TSSLjJwXg/Mh7+ 90fnip7XUAbDvVfg4MMESuaJuqGRnFGbbBgD0QTW0HgjO8DVDMyAY4D53G8Ucxti KeS2vo7pbG+g+M2h2Ec/ExicDd5DuVLfLeEWzGycQooVyltn15hP7zmSflQCZ8FC EZ3V+hBc8yc= =KBz+ -----END PGP SIGNATURE-----
