
Bug#1070190: marked as done (sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup)



Your message dated Mon, 13 May 2024 16:49:55 +0000
with message-id <E1s6Ys7-0052dj-4r@fasolo.debian.org>
and subject line Bug#1070190: fixed in sendmail 8.18.1-3
has caused the Debian Bug report #1070190,
regarding sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1070190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070190
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: sendmail-bin
Severity: important
Tags: security help
Forwarded: https://marc.info/?l=oss-security&m=171447187004229&w=2

Dear Maintainer,

CVE-2023-51765 is not fully fixed, at least for forwarding bad mail.

We must reject mail that includes NUL as a stopgap method.

I have patched sendmail in order to enable the O RejectNUL=True directive,
but I did not manage to enable it by default.

It will need a NEWS.debian entry, I suppose.

Andreas, could you take a look at how to make RejectNUL the default?

Bastien



--- End Message ---
--- Begin Message ---
Source: sendmail
Source-Version: 8.18.1-3
Done: Bastien Roucariès <rouca@debian.org>

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 May 2024 15:21:46 +0000
Source: sendmail
Architecture: source
Version: 8.18.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1070190
Changes:
 sendmail (8.18.1-3) unstable; urgency=medium
 .
   * QA upload
   * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
     includes a NUL byte
   * By default, enable rejecting mail that includes a NUL byte.
     Set confREJECT_NUL to 'true' by default.
     Users can disable this by setting confREJECT_NUL to false.
     (Closes: #1070190). Closes a variant of CVE-2023-51765,
     aka SMTP smuggling.



--- End Message ---
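
An added example, not part of the messages above or of the Debian package: a small Python check that reports whether a generated sendmail.cf actually carries an active `O RejectNUL=True` line, the directive named in the bug report. The sample configuration text is constructed, and the parsing rules (option name matched case-insensitively, a value starting with t or y counts as true, the last setting wins) are assumptions of this example.

```python
import re

# Active long-form option line, e.g. "O RejectNUL=True".
# The leading "O" must be in column 0; "#O RejectNUL=..." is a comment.
# Assumption: the option name is matched case-insensitively.
_REJECT_NUL = re.compile(r"^O\s+(?i:RejectNUL)\s*(?:=\s*(\S*))?\s*$")

# Constructed sample, not taken from a real system.
SAMPLE_CF = """\
# constructed sendmail.cf excerpt
O SevenBitInput=False
#O RejectNUL=False
O RejectNUL=True
"""


def reject_nul_state(cf_text):
    """Return 'enabled', 'disabled' or 'absent' for the RejectNUL option."""
    state = "absent"
    for line in cf_text.splitlines():
        match = _REJECT_NUL.match(line)
        if match is None:
            continue  # comment, blank line, or a different option
        value = match.group(1) or ""
        # Assumption: a value starting with t/T/y/Y is true. Anything else,
        # including an empty value, is reported as disabled so it gets
        # reviewed by a human. Later lines override earlier ones.
        state = "enabled" if value[:1].lower() in ("t", "y") else "disabled"
    return state


def audit_file(path):
    """Read a sendmail.cf from disk and report the RejectNUL state."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return reject_nul_state(handle.read())


if __name__ == "__main__":
    print("sample:", reject_nul_state(SAMPLE_CF))
```

A result of `absent` or `disabled` on a host running 8.18.1-3 or later suggests the local configuration overrides the package default (confREJECT_NUL set to false) or the .cf file was not regenerated after the upgrade.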
