
Bug#1059386: marked as done (sendmail: CVE-2023-51765)



Your message dated Mon, 15 Jan 2024 13:05:25 +0000
with message-id <E1rPMeb-005GNU-T7@fasolo.debian.org>
and subject line Bug#1059386: fixed in sendmail 8.18.0.2-1
has caused the Debian Bug report #1059386,
regarding sendmail: CVE-2023-51765
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1059386: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059386
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: sendmail
Version: 8.17.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for sendmail.

CVE-2023-51765[0]:
| sendmail through at least 8.14.7 allows SMTP smuggling in certain
| configurations. Remote attackers can use a published exploitation
| technique to inject e-mail messages that appear to originate from
| the sendmail server, allowing bypass of an SPF protection mechanism.
| This occurs because sendmail supports <LF>.<CR><LF> but some other
| popular e-mail servers do not.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51765
    https://www.cve.org/CVERecord?id=CVE-2023-51765

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sendmail
Source-Version: 8.18.0.2-1
Done: Andreas Beckmann <anbe@debian.org>

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 15 Jan 2024 13:35:18 +0100
Source: sendmail
Architecture: source
Version: 8.18.0.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Closes: 1039365 1059386
Changes:
 sendmail (8.18.0.2-1) experimental; urgency=medium
 .
   * QA upload.
   * New upstream snapshot.
   * Refresh patches.
   * Enable _FFR_REQ_CRLF and _FFR_BARE_LF.  (Closes: #1059386)
   * Add systemd unit (calling /etc/init.d/sendmail).  (Closes: #1039365)
   * Refresh upstream signing keys.
   * salsa-ci: Use --vary=domain_host.use_sudo=1.
   * Upload to experimental.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
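
Added example (not part of the original messages and not sendmail's code): the CVE text in the first message describes receivers disagreeing on where the DATA phase ends. The Python code below runs a strict matcher (<CR><LF>.<CR><LF> only) and a lenient one (also <LF>.<CR><LF>) over constructed DATA byte streams and reports bare line endings; all function names and sample bytes are assumptions made for illustration.

```python
import re

STRICT_EOD = b"\r\n.\r\n"                   # RFC 5321 end-of-data marker
LENIENT_EOD = re.compile(rb"\r?\n\.\r\n")   # additionally accepts <LF>.<CR><LF>
BARE_EOL = re.compile(rb"(?<!\r)\n|\r(?!\n)")  # LF without CR, or CR without LF


def end_of_data(stream, lenient):
    """Return the offset just past the end-of-data marker, or -1 if none."""
    if lenient:
        match = LENIENT_EOD.search(stream)
        return match.end() if match else -1
    index = stream.find(STRICT_EOD)
    return index + len(STRICT_EOD) if index >= 0 else -1


def bare_line_endings(stream):
    """List (offset, kind) for every line ending that is not a full CRLF."""
    return [
        (m.start(), "bare LF" if m.group() == b"\n" else "bare CR")
        for m in BARE_EOL.finditer(stream)
    ]


def audit(stream):
    """Compare where a strict and a lenient receiver would end the message."""
    strict = end_of_data(stream, lenient=False)
    lenient = end_of_data(stream, lenient=True)
    return {
        "strict_end": strict,
        "lenient_end": lenient,
        "disagree": strict != lenient,
        "bare": bare_line_endings(stream),
    }


# Constructed sample input: one well-formed DATA stream, one with <LF>.<CR><LF>.
CLEAN = b"Subject: hello\r\n\r\nline one\r\nline two\r\n.\r\n"
MIXED = b"Subject: hello\r\n\r\nline one\n.\r\nremaining body text\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("CLEAN", CLEAN), ("MIXED", MIXED)):
        print(name, audit(data))
```

A stream for which `disagree` is true is one that a strict and a lenient receiver would cut at different offsets; the `bare` list gives the byte positions to log or reject on.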
