UbuntuUpdates.org

Package "opensmtpd"

Name: opensmtpd

Description:

secure, reliable, lean, and easy-to-configure SMTP server

Latest version: 6.0.3p1-1ubuntu0.2
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://www.opensmtpd.org/

Other versions of "opensmtpd" in Bionic

Repository Area Version
base universe 6.0.3p1-1build1
updates universe 6.0.3p1-1ubuntu0.2

Changelog

Version: 6.0.3p1-1ubuntu0.2 2020-03-02 18:06:24 UTC

  opensmtpd (6.0.3p1-1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation, remote code execution
    - debian/patches/CVE-2020-8793_8794.patch: An out of bounds read in smtpd
      allows an attacker to inject arbitrary commands into the envelope file
      which are then executed as root. Separately, missing privilege
      revocation in smtpctl allows arbitrary commands to be run with the
      _smtpq group.
    - CVE-2020-8793
    - CVE-2020-8794

 -- Mike Salvatore <email address hidden> Wed, 26 Feb 2020 10:40:28 -0500

CVE-2020-8793 OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search
CVE-2020-8794 OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this

Version: 6.0.3p1-1ubuntu0.1 2020-02-05 15:06:54 UTC

  opensmtpd (6.0.3p1-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command execution as root
    - debian/patches/CVE-2020-7247.patch: Fix a security vulnerability
      discovered by Qualys which can lead to a privilege escalation on mbox
      deliveries and unprivileged code execution on lmtp deliveries, due to a
      logic issue causing a sanity check to be missed.
    - CVE-2020-7247

 -- Mike Salvatore <email address hidden> Tue, 04 Feb 2020 08:22:49 -0500

CVE-2020-7247 smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as


