Your message dated Mon, 24 Feb 2020 17:49:28 +0000
with message-id <e1j6hre-0003z8...@fasolo.debian.org>
and subject line Bug#952453: fixed in opensmtpd 6.6.4p1-1
has caused the Debian Bug report #952453,
regarding arbitrary command execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opensmtpd
Version: 6.6.2p1-1
Severity: critical
Tags: upstream

OpenBSD 6.6 errata 021, February 24, 2020:

An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opensmtpd depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.73
ii  ed                     1.16-1
ii  init-system-helpers    1.57
ii  libasr0                1.0.2-2+b1
ii  libc6                  2.29-6
ii  libcrypt1              1:4.4.10-7
ii  libdb5.3               5.3.28+dfsg1-0.6
ii  libevent-2.1-7         2.1.11-stable-1
ii  libpam0g               1.3.1-5
ii  libssl1.1              1.1.1d-2
ii  lsb-base               11.1.0
ii  zlib1g                 1:1.2.11.dfsg-1.2

Versions of packages opensmtpd recommends:
ii  opensmtpd-extras  6.6.0-1

Versions of packages opensmtpd suggests:
ii  ca-certificates  20190110

-- Configuration Files:
/etc/smtpd.conf changed [not included]

-- debconf information excluded

-- 
|)|/  Ryan Kavanagh      | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac     |      BD95 8F7B F8FC 4A11 C97A



--- End Message ---
--- Begin Message ---
Source: opensmtpd
Source-Version: 6.6.4p1-1
Done: Ryan Kavanagh <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
opensmtpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Kavanagh <r...@debian.org> (supplier of updated opensmtpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 12:20:52 -0500
Source: opensmtpd
Architecture: source
Version: 6.6.4p1-1
Distribution: unstable
Urgency: high
Maintainer: Ryan Kavanagh <r...@debian.org>
Changed-By: Ryan Kavanagh <r...@debian.org>
Closes: 952453
Changes:
 opensmtpd (6.6.4p1-1) unstable; urgency=high
 .
   * New upstream release fixes critical security bug (Closes: #952453).
     Quoting from OpenBSD errata:
 .
         An out of bounds read in smtpd allows an attacker to inject arbitrary
         commands into the envelope file which are then executed as root.
 .
         Separately, missing privilege revocation in smtpctl allows arbitrary
         commands to be run with the _smtpq group.
 .
   * Update copyright file with new copyright holders
   * Remove stale entries from Uploaders field


--- End Message ---
