Bug#1086178: sendmail: FEATURE(`sts') fails to validate some SANs, causing temp rejects
Package: sendmail
Version: 8.17.1.9-2+deb12u2
Followup-For: Bug #1086178
Updated patch from Claus Aßmann. This bug turned out to be known by upstream
and will be fixed in 8.18.2.
Bjørn
From d63509c8464e4edbc9e0ac657a00df7195b18109 Mon Sep 17 00:00:00 2001
From: Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
Date: Tue, 29 Oct 2024 13:32:07 +0100
Subject: [PATCH] Fix matching of wildcard SANs in MTA-STS feature
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
8.18.2/8.18.2 202x/xx/xx
Fix matching of wildcard SANs in the experimental support
for SMTP MTA Strict Transport Security (MTA-STS).
Problem reported by Dilyan Palauzo.
Link: https://www.novabbs.com/computers/article-flat.php?id=1125&group=comp.mail.sendmail#1125
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
cf/m4/proto.m4 | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index ff7eb0bedc2a..2e079be59b92 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -2745,13 +2745,15 @@ dnl check SAN for STS
SSTS_SAN
ifdef(`_STS_SAN', `dnl
R$* $: $&{server_name}
+# {server_name} does not have a trailing dot
+# R$+. $1
dnl exact match
R$={cert_altnames} $@ ok
-# strip only one level (no recursion!)
-R$-.$+ $: $2
-dnl wildcard: *. or just .?
-R *.$={cert_altnames} $@ ok
-dnl R .$={cert_altnames} $@ ok
+# strip one level up to first dot
+R$~. . $+ .$2
+dnl wildcard: *. not just .
+R.$+ $: *.$1
+R $={cert_altnames} $@ ok
dnl always temporary error? make it an option (of the feature)?
R$* $#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')
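Review bot: the right-hand side of the new rule `R$~. . $+ .$2` has no `$:` prefix, so the rule is re-applied to its own output; it terminates only because the result now starts with a `.` token, which `$~.` excludes. That argument is implicit, while the neighbouring new rule `R.$+ $: *.$1` makes its single application explicit with `$:`; a `dnl` comment stating why the first rule cannot loop (or a `$:` on its RHS, which gives the same result here) would make the intent reviewable. Separately, the new `#` lines (`# {server_name} does not have a trailing dot`, `# R$+. $1`, `# strip one level up to first dot`) are copied through into the generated sendmail.cf, unlike the `dnl` comments used for the other explanations in this region; the commented-out rule `# R$+. $1` in particular reads as dead code in the .cf and would be clearer as a `dnl` note or dropped.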
--
2.39.5