Package: sendmail
Version: 8.17.1.9-2+deb12u2
Followup-For: Bug #1086178

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated patch from Claus Aßmann. This bug turned out to be known by upstream and will be fixed in 8.18.2.

Bjørn

-----BEGIN PGP SIGNATURE-----

iGwEARECACwWIQR3fjfc8EF8nPbC0aDXSuqSjBsiyQUCZyHyNQ4cYmpvcm5AbW9y
ay5ubwAKCRDXSuqSjBsiySB6AJwMr4U7LmyYtRPEZv6s44cg9rLWPACghkekM2Wr
dCE/wHDJepryeF37Skg=
=rQ+7
-----END PGP SIGNATURE-----
From d63509c8464e4edbc9e0ac657a00df7195b18109 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Claus=20A=C3=9Fmann?= <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> Date: Tue, 29 Oct 2024 13:32:07 +0100 Subject: [PATCH] Fix matching of wildcard SANs in MTA-STS feature MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 8.18.2/8.18.2 202x/xx/xx Fix matching of wildcard SANs in the experimental support for SMTP MTA Strict Transport Security (MTA-STS). Problem reported by Dilyan Palauzo. Link: https://www.novabbs.com/computers/article-flat.php?id=1125&group=comp.mail.sendmail#1125 Signed-off-by: Bjørn Mork <bj...@mork.no> --- cf/m4/proto.m4 | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4 index ff7eb0bedc2a..2e079be59b92 100644 --- a/cf/m4/proto.m4 +++ b/cf/m4/proto.m4 @@ -2745,13 +2745,15 @@ dnl check SAN for STS SSTS_SAN ifdef(`_STS_SAN', `dnl R$* $: $&{server_name} +# {server_name} does not have a trailing dot +# R$+. $1 dnl exact match R$={cert_altnames} $@ ok -# strip only one level (no recursion!) -R$-.$+ $: $2 -dnl wildcard: *. or just .? -R *.$={cert_altnames} $@ ok -dnl R .$={cert_altnames} $@ ok +# strip one level up to first dot +R$~. . $+ .$2 +dnl wildcard: *. not just . +R.$+ $: *.$1 +R $={cert_altnames} $@ ok dnl always temporary error? make it an option (of the feature)? R$* $#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl') -- 2.39.5
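Review bot: the new label-stripping rule `R$~. . $+ .$2` has no `$:` prefix, while the rule it replaces (`R$-.$+ $: $2`) was applied exactly once and the removed comment "strip only one level (no recursion!)" recorded why that mattered. Without `$:`, sendmail re-applies a rule to its own output until it no longer matches, so limiting the strip to a single label (the only thing a wildcard SAN is allowed to cover) now rests on the leading `.` in the rewritten workspace preventing a second match, rather than being stated in the rule; consider `R$~. . $+ $: .$2`, or at least a comment in the hunk noting that the leading dot is what stops the loop. The commit message should also say that `R $={cert_altnames} $@ ok`, reached after `R.$+ $: *.$1`, now depends on wildcard SANs being present in {cert_altnames} verbatim with their `*.` prefix, since the removed `R *.$={cert_altnames} $@ ok` matched the `*.` literally before the class lookup.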