Your message dated Mon, 13 May 2024 16:49:55 +0000 with message-id <E1s6Ys7-0052dj-4r@fasolo.debian.org> and subject line Bug#1070190: fixed in sendmail 8.18.1-3 has caused the Debian Bug report #1070190, regarding sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1070190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070190
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>, Andreas Beckmann <anbe@debian.org>
- Subject: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup
- From: Bastien Roucariès <rouca@debian.org>
- Date: Wed, 01 May 2024 14:14:21 +0000
- Message-id: <3601049.ORoNexUt0l@portable-bastien>
Package: sendmail-bin
Severity: important
Tags: security help
Forwarded: https://marc.info/?l=oss-security&m=171447187004229&w=2

Dear Maintainer,

CVE-2023-51765 is not fully fixed, at least for forwarding bad mail.

We must reject mail that includes NUL as a stopgap method.

I have patched sendmail in order to enable the O RejectNUL=True directive, but I did not manage to enable it by default.

It will need a NEWS.debian entry, I suppose.

Andreas, could you take a look at how to make RejectNUL the default?

Bastien

Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
- To: 1070190-close@bugs.debian.org
- Subject: Bug#1070190: fixed in sendmail 8.18.1-3
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 13 May 2024 16:49:55 +0000
- Message-id: <E1s6Ys7-0052dj-4r@fasolo.debian.org>
- Reply-to: Bastien Roucariès <rouca@debian.org>
Source: sendmail
Source-Version: 8.18.1-3
Done: Bastien Roucariès <rouca@debian.org>

We believe that the bug you reported is fixed in the latest version of sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1070190@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 May 2024 15:21:46 +0000
Source: sendmail
Architecture: source
Version: 8.18.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1070190
Changes:
 sendmail (8.18.1-3) unstable; urgency=medium
 .
   * QA upload
   * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that include NUL byte
   * By default enable rejecting mail that include NUL byte.
     set confREJECT_NUL to 'true' by default
     .
     User could disable by setting confREJECT_NUL to false.
     (Closes: #1070190).
     Close a variant of CVE-2023-51765 aka SMTP smuggling.
--- End Message ---
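
An added example, not part of the bug thread and not Debian or sendmail code: a Python check that locates NUL bytes in stored raw messages, so an administrator can estimate what a reject-NUL policy such as confREJECT_NUL would refuse. The function names and the sample messages are constructed for illustration; the check only models "the message contains a NUL byte", not sendmail's own implementation.

```python
from dataclasses import dataclass


@dataclass
class NulHit:
    offset: int   # byte offset of the NUL within the raw message
    line: int     # 1-based line number, counting LF-terminated lines
    section: str  # "header" or "body"


def find_nul_bytes(raw: bytes) -> list:
    """Return a NulHit for every NUL byte in a raw RFC 5322 message."""
    # The header section ends at the first empty line: CRLF CRLF on the
    # wire, LF LF in some local stores. Without one, everything is header.
    ends = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    body_start = min(ends) if ends else len(raw)
    hits = []
    pos = raw.find(b"\x00")
    while pos != -1:
        line = raw.count(b"\n", 0, pos) + 1
        section = "header" if pos < body_start else "body"
        hits.append(NulHit(pos, line, section))
        pos = raw.find(b"\x00", pos + 1)
    return hits


def would_reject(raw: bytes) -> bool:
    """Model of a reject-NUL policy: any NUL byte means refusal."""
    return bool(find_nul_bytes(raw))


def audit(messages: dict) -> dict:
    """Map message name -> hits, listing only messages that contain NUL."""
    report = {}
    for name, raw in messages.items():
        hits = find_nul_bytes(raw)
        if hits:
            report[name] = hits
    return report


# Constructed sample messages (not taken from the bug report).
CLEAN = b"From: a@example.org\r\nSubject: hello\r\n\r\nplain body\r\n"
NUL_BODY = b"From: a@example.org\r\nSubject: report\r\n\r\nline one\r\nbad\x00byte\r\n"
NUL_HEADER = b"From: a@example.org\r\nSubject: te\x00st\r\n\r\nbody\r\n"

if __name__ == "__main__":
    samples = {"clean": CLEAN, "nul_body": NUL_BODY, "nul_header": NUL_HEADER}
    for name, hits in audit(samples).items():
        print(name, hits)
```

Running it over archived or queued mail before relying on the new default shows which legitimate senders, if any, currently emit NUL bytes.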