Public bug reported: According to testssl, sendmail is vulnerable to the "Secure Client-Initiated Renegotiation" DoS, and there seems to be no obvious way to change this using configuration:
testssl@xl:~$ ./testssl.sh -t smtp 127.0.0.1:25
...
Secure Client-Initiated Renegotiation   VULNERABLE (NOT ok), DoS threat

1) testssl@xl:~$ lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04

testssl@xl:~$ apt-cache policy sendmail
sendmail:
  Installed: 8.14.4-4.1ubuntu1
  Candidate: 8.14.4-4.1ubuntu1
  Version table:
 *** 8.14.4-4.1ubuntu1 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

3) What I expected to happen
Sendmail should either be resilient to this out of the box, or there should be a config option to make it so.

4) What happened instead
Sendmail is vulnerable to this condition, without an obvious way to change this using configuration.

** Affects: sendmail (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1591705

Title:
  sendmail is vulnerable to "Secure Client-Initiated Renegotiation" DoS according to testssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sendmail/+bug/1591705/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs