Re: Sendmail news for non RFC conformant change
Bastien Roucariès wrote:
> Could you review the following item (please cc i am not subscribed)
>
> Sendmail was affected by SMTP smurgling (CVE-2023-51765).
Spelling: smuggling. SMTP smurgling would be something else.
I was going to call "was" a tense/aspect error, but if this is in the
NEWS for a fixed version then this is fair enough (and we might even
switch the "can" in the next line to a matching "could").
> Remote attackers can use a published exploitation technique
I don't think we need to expand "exploit", but it doesn't hurt.
> to inject e-mail messages with a spoofed MAIL FROM address,
> allowing bypass of an SPF protection mechanism.
A case where an explicit passive verb is *more* natural:
    allowing an SPF protection mechanism to be bypassed.
Or if I'm allowed to throw out the useless use of "allow":
    bypassing SPF protection.
> This occurs because sendmail supports some combinaison of
Spelling: combination. And I think you mean "any combination".
> <CR><LF><NUL>.
> .
> This particular injection vulnerability has been closed,
Strictly speaking this comma needs a conjunction (or maybe just an
upgrade to a semicolon).
> unfortunatly full closure need to reject mail that
Spelling: unfortunately.
> contain NUL.
A recurring grammatical agreement problem (it needS to reject stuff
that containS this) but I'd also rephrase it, since the closure isn't
the thing that needs to reject mail. Also, we just claimed that it
has already been closed, so why are we still struggling to close it?
I'd suggest:
    but unfortunately, a complete fix requires mail to be rejected
    if it contains NUL.
> .
> This is slighly non conformant with RFC and could
Either "nonconformant with the RFCs" or "non-RFC-conformant".
> be opt-out by setting confREJECT_NUL to 'false'
A broken passive construction. I think this gets easier (and a more
natural progression of ideas) if you move the break and make the last
paragraph just
    Users can opt out by setting confREJECT_NUL to 'false'.
So putting it all together:
    Sendmail was affected by SMTP smuggling (CVE-2023-51765). Remote
    attackers can use a published exploitation technique to inject
    e-mail messages with a spoofed MAIL FROM address, bypassing SPF
    protection. This occurs because sendmail supports any combination
    of <CR><LF><NUL>.
    .
    This particular injection vulnerability has been closed, but
    unfortunately, a complete fix requires mail to be rejected if it
    contains NUL. This is slightly non-RFC-conformant.
    .
    Users can opt out by setting confREJECT_NUL to 'false'.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
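To make the "any combination of <CR><LF><NUL>" point in the NEWS item concrete, here is an added illustrative check (not sendmail's own code and not part of this thread) that classifies a raw DATA payload the way a confREJECT_NUL-style policy would: a lone "." delimited by strict <CR><LF> is the one legitimate end-of-data marker, any other CR/LF/NUL run around a lone "." is flagged, and NUL bytes are rejected unless the operator opts out. The sample payloads are constructed.

```python
LINE_BYTES = {0x0D, 0x0A, 0x00}  # <CR>, <LF>, <NUL>

# Constructed sample payloads: the raw bytes an MTA sees after DATA.
STRICT = b"Subject: hi\r\n\r\nbody\r\n.\r\n"
DOT_STUFFED = b"Subject: hi\r\n\r\n..not a terminator\r\n.\r\n"
WITH_NUL = b"Subject: hi\r\n\r\nbo\x00dy\r\n.\r\n"
LOOSE = b"Subject: hi\r\n\r\nbody\n.\r\ntrailing text\r\n.\r\n"


def classify_data(payload: bytes, reject_nul: bool = True) -> dict:
    """Inspect a DATA payload under an illustrative confREJECT_NUL-style policy.

    Counts strict end-of-data markers (<CR><LF>.<CR><LF>, or '.' at the very
    start/end) and loose ones (a lone '.' surrounded by any other run of
    CR/LF/NUL bytes), reports whether NUL appears, and gives a verdict.
    This models the policy described in the NEWS item; it is not sendmail code.
    """
    strict = loose = 0
    for i, byte in enumerate(payload):
        if byte != 0x2E:  # not a '.'
            continue
        before_ok = i == 0 or payload[i - 1] in LINE_BYTES
        after_ok = i + 1 == len(payload) or payload[i + 1] in LINE_BYTES
        if not (before_ok and after_ok):
            continue  # '.' inside a line, e.g. dot-stuffed text
        strict_before = i == 0 or payload[max(0, i - 2):i] == b"\r\n"
        strict_after = i + 1 == len(payload) or payload[i + 1:i + 3] == b"\r\n"
        if strict_before and strict_after:
            strict += 1
        else:
            loose += 1  # ambiguous terminator built from CR/LF/NUL
    has_nul = b"\x00" in payload
    accept = loose == 0 and not (reject_nul and has_nul)
    return {"strict": strict, "loose": loose, "nul": has_nul, "accept": accept}


if __name__ == "__main__":
    for name, sample in [("STRICT", STRICT), ("DOT_STUFFED", DOT_STUFFED),
                         ("WITH_NUL", WITH_NUL), ("LOOSE", LOOSE)]:
        print(name, classify_data(sample))
```

With reject_nul=False the NUL sample is accepted, which is the opt-out trade-off the NEWS item describes.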