UbuntuUpdates.org

Package "opensmtpd"

Name: opensmtpd

Description:

secure, reliable, lean, and easy-to configure SMTP server

Latest version: 6.0.3p1-1ubuntu0.2
Release: bionic (18.04)
Level: updates
Repository: universe
Homepage: https://www.opensmtpd.org/

Links


Download "opensmtpd"


Other versions of "opensmtpd" in Bionic

Repository Area Version
base universe 6.0.3p1-1build1
security universe 6.0.3p1-1ubuntu0.2

Changelog

Version: 6.0.3p1-1ubuntu0.2 2020-03-02 20:06:45 UTC

  opensmtpd (6.0.3p1-1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation, remote code execution
    - debian/patches/CVE-2020-8793_8794.patch: An out of bounds read in smtpd
      allows an attacker to inject arbitrary commands into the envelope file
      which are then executed as root. Separately, missing privilege
      revocation in smtpctl allows arbitrary commands to be run with the
      _smtpq group.
    -CVE-2020-8793
    -CVE-2020-8794

 -- Mike Salvatore <email address hidden> Wed, 26 Feb 2020 10:40:28 -0500

Source diff to previous version
CVE-2020-8793 OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search
CVE-2020-8794 OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this

Version: 6.0.3p1-1ubuntu0.1 2020-02-05 15:06:55 UTC

  opensmtpd (6.0.3p1-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command execution as root
    - debian/patches/CVE-2020-7247.patch: Fix a security vulnerability
      discovered by Qualys which can lead to a privileges escalation on mbox
      deliveries and unprivileged code execution on lmtp deliveries, due to a
      logic issue causing a sanity check to be missed.
    - CVE-2020-7247

 -- Mike Salvatore <email address hidden> Tue, 04 Feb 2020 08:22:49 -0500

CVE-2020-7247 smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as



About   -   Send Feedback to @ubuntu_updates