
Bug#991331: sendmail: CVE-2021-3618



Control: fixed -1 8.16.1-1
Control: tag -1 + help

On 20/07/2021 22.21, Moritz Mühlenhoff wrote:
https://alpaca-attack.com/ affects sendmail. It was fixed in
the latest 3.16.1 release:

https://bugzilla.redhat.com/show_bug.cgi?id=1975623#c13

Huzaifa S. Sidhpurwala 2021-06-29 05:11:36 UTC

Sendmail:

"Sendmail only detects HTTP requests at the very start of a connection. If STARTTLS is used, the first command inside the connection can be sent by the attacker, bypassing the detection"
Sendmail fixed a bug to detect HTTP requests when STARTTLS is used in 8.16.

As per the release notes:

	SECURITY: If sendmail tried to reuse an SMTP session which had
		already been closed by the server, then the connection
		cache could have invalid information about the session.
		One possible consequence was that STARTTLS was not
		used even if offered.  This problem has been fixed
		by clearing out all relevant status information
		when a closed session is encountered.

(there are no specific references since sendmail 8.16.1 was released in July 2020, long before alpaca-attack got disclosed to interested parties:
2020-10-20: Initial contact with [...] author of TLS standard [...]
...
2021-02-20: Initial contact with all affected application servers (FTP, Email).
...
2021-06-09: Public disclosure.)

+help: I'm hoping that someone backports this fix to 8.15.x, possibly
https://bugzilla.redhat.com/show_bug.cgi?id=1975650


Andreas
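
A simplified model of the check described in the quoted Red Hat comment, added here as an illustration; it is not sendmail's code and not part of the original message. The function name, the `recheck_after_starttls` switch and the sample sessions are constructed for this example, and the TLS upgrade is represented only by the position of the `STARTTLS` line.

```python
import re

# Shape of an HTTP/1.x request line: METHOD SP target SP HTTP/x.y
HTTP_REQUEST = re.compile(
    r"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT|PATCH)\s+\S+\s+HTTP/\d\.\d$",
    re.IGNORECASE,
)


def flag_http(client_lines, recheck_after_starttls):
    """Return the indexes of client lines an SMTP server would reject as HTTP.

    The check runs on the first line of the connection. When
    recheck_after_starttls is True it is armed again for the first line
    received after STARTTLS, which is the behaviour the comment attributes
    to the 8.16 fix. When False, only the very first line is inspected.
    """
    flagged = []
    check_next = True  # armed at connection start
    for index, line in enumerate(client_lines):
        line = line.strip()
        if check_next and HTTP_REQUEST.match(line):
            flagged.append(index)
        check_next = False
        if recheck_after_starttls and line.upper() == "STARTTLS":
            check_next = True  # re-arm for the first line inside TLS
    return flagged


# Constructed sample sessions (client side only).
DIRECT_HTTP = ["GET / HTTP/1.1", "Host: mail.example.test"]
HTTP_AFTER_STARTTLS = [
    "EHLO client.example.test",
    "STARTTLS",
    "POST /form HTTP/1.1",       # first line inside the TLS session
    "Host: mail.example.test",
]
NORMAL_SMTP = [
    "EHLO client.example.test",
    "STARTTLS",
    "EHLO client.example.test",
    "MAIL FROM:<user@example.test>",
]

if __name__ == "__main__":
    for name in ("DIRECT_HTTP", "HTTP_AFTER_STARTTLS", "NORMAL_SMTP"):
        session = globals()[name]
        print(name, flag_http(session, False), flag_http(session, True))
```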

