[SECURITY] [DLA 3829-1] sendmail security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3829-1] sendmail security update
From: rouca@debian.org
Date: Sat, 15 Jun 2024 08:32:49 +0000
Message-id: <[🔎] 479290058b87cf48d7b1e96c8d448daa.rouca@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3829-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
June 15, 2024                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sendmail
Version        : 8.15.2-14~deb10u2
CVE ID         : CVE-2023-51765
Debian Bug     : 1059386

sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass
of an SPF protection mechanism. This occurs because sendmail supports
<LF>.<CR><LF> but some other popular e-mail servers do not.

This particular injection vulnerability has been closed,
unfortunatly full closure need to reject mail that
contain NUL (0x00 byte).

This is slighly non conformant with RFC and could
be opt-out by setting confREJECT_NUL to 'false'
in sendmail.mc file.

For Debian 10 buster, this problem has been fixed in version
8.15.2-14~deb10u2.

We recommend that you upgrade your sendmail packages.

For the detailed security status of sendmail please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sendmail

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmZtUbARHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF+HvA/+Mw7PEDlB2ZKWnJiKoJU7nVNuWyyBUSqV
bRVo4+FmMKiuBb9MvdWn10u2mydnZYDtzb9+d32axvOb9h1PAfQvPPnorpKQ08oa
Xy6tBakLRScnfp1sm2mFR3lpO0ySrF3uOT7dKGuSCF9qlcPvRQnjaFb2mTEo2TAF
20dNjhVgr5+BJ4RWGVJ/JsZRFvq+5kKJgdoz80LAByXrzOjrQ9K6Z9mXP1RjKXiw
qjNg7hV/YU9UDC8FOFjSMLp0qwIZVM1YaAyXdBR56nkqVNfWo3jrdcsEo6l4R7sQ
HbBBqTB3LhZXTIMBAbyiOFAtKfFo6Ah44HRrrXgs7dWOGBHzk1v/2rExCd7PbO2k
Lizt8W4ozev/e//vhe63U5rgZLeKzRZJvLuhRvgf63UW6G5joblIZJ0BZTNe/q8t
PTEPoGpVfazIkl5vEljK9IJkKidYI0V1BIyAhfuAeE/n0/5F7/6UktqiWwMwMzhg
ko54PB6NyV8oY8NseXpuV+qz4CpcL17Oa1gJeN8aSRUm8R8Fi0TSSLjJwXg/Mh7+
90fnip7XUAbDvVfg4MMESuaJuqGRnFGbbBgD0QTW0HgjO8DVDMyAY4D53G8Ucxti
KeS2vo7pbG+g+M2h2Ec/ExicDd5DuVLfLeEWzGycQooVyltn15hP7zmSflQCZ8FC
EZ3V+hBc8yc=
=KBz+
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3828-1] atril security update
Next by Date: [SECURITY] [DLA 3830-1] libvpx security update
Previous by thread: [SECURITY] [DLA 3828-1] atril security update
Next by thread: [SECURITY] [DLA 3830-1] libvpx security update
Index(es):
- Date
- Thread