Bug#991331: sendmail: CVE-2021-3618
Control: fixed -1 8.16.1-1
Control: tag -1 + help
On 20/07/2021 22.21, Moritz Mühlenhoff wrote:
https://alpaca-attack.com/ affects sendmail. It was fixed in
the latest 3.16.1 release:
https://bugzilla.redhat.com/show_bug.cgi?id=1975623#c13
Huzaifa S. Sidhpurwala 2021-06-29 05:11:36 UTC
Sendmail:
"Sendmail only detects HTTP requests at the very start of a connection.
If STARTTLS is used, the first command inside the connection can be sent
by the attacker, bypassing the detection"
Sendmail fixed a bug to detect HTTP requests when STARTTLS is used in 8.16
As per the release notes:
SECURITY: If sendmail tried to reuse an SMTP session which had
already been closed by the server, then the connection
cache could have invalid information about the session.
One possible consequence was that STARTTLS was not
used even if offered. This problem has been fixed
by clearing out all relevant status information
when a closed session is encountered.
(there are no specific references since sendmail 8.16.1 was released in
July 2020, long before alpaca-attack got disclosed to interested parties:
2020-10-20: Initial contact with [...] author of TLS standard [...]
...
2021-02-20: Initial contact with all affected application servers (FTP,
Email).
...
2021-06-09: Public disclosure.)
+help: I'm hoping that someone backports this fix to 8.15.x, possibly
https://bugzilla.redhat.com/show_bug.cgi?id=1975650
Andreas
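
The detection gap quoted above, as a simplified model added here (not sendmail's code and not part of the original message): an HTTP check applied only to the first line of the connection misses a request line that arrives right after STARTTLS, while re-arming the check after the handshake catches it. The function names, the reply codes and the transcript are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed transcript: an HTTP request line arriving right after STARTTLS. */
static const char *const SAMPLE[] = { "EHLO client.example", "STARTTLS", "POST /x HTTP/1.1" };

static bool prefix_ci(const char *line, const char *p)
{
    for (; *p; line++, p++)
        if (toupper((unsigned char)*line) != toupper((unsigned char)*p))
            return false;
    return true;
}

static bool looks_like_http(const char *line)
{
    return prefix_ci(line, "GET ") || prefix_ci(line, "POST ") || prefix_ci(line, "HEAD ");
}

/* Reply code for one line; 421 means the connection is dropped. *first_cmd marks
 * the first command on the channel; recheck_after_tls == false is the start-only check. */
static int handle_line(bool *first_cmd, bool recheck_after_tls, const char *line)
{
    if (*first_cmd && looks_like_http(line))
        return 421;
    *first_cmd = false;
    if (prefix_ci(line, "STARTTLS")) {
        /* The protocol restarts inside TLS, so the next line gets the check again. */
        *first_cmd = recheck_after_tls;
        return 220;
    }
    return prefix_ci(line, "EHLO ") ? 250 : 500;
}

int replay(bool recheck_after_tls, const char *const *lines, size_t n)
{
    bool first_cmd = true;
    int code = 0;
    for (size_t i = 0; i < n && code != 421; i++)
        code = handle_line(&first_cmd, recheck_after_tls, lines[i]);
    return code;
}

int main(void)
{
    printf("start-only: %d  recheck: %d\n", replay(false, SAMPLE, 3), replay(true, SAMPLE, 3));
    return 0;
}
```

With the start-only check the session stays open after the HTTP line and keeps answering it as an unknown SMTP command; with the re-armed check the same line ends the session.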